the first idea was to expose one of my action to public so that I can be used to register as url in a launch callback. but how to handle "authentication"? and how to prevent somebody else calling my action? I would need to do all the checks about permission within the action itself which seems far too complicated...
having more insights about Firefly and triggers/rules within AIO, I assume that the funcationality of those callbacks are based on the same technology as the Firefly rules. basically it creates sort of a "rule" and invoces an action to call my registered url.
It would be really cool if we could just add a new "rule" to my app manifest.yml listening for defined triggers. is that possible? or any other idea how to invoce one of my action directly to Launch build events (aka triggers)?
It is important that your webhook as a public action only accepts incoming callbacks and does not returns any data. The challenge is useful for filtering legitimate request from Launch and not another source.
There could be other ways of securing webhooks available which require custom implementation.