feat(compose): allow manual webhook calls when autoDeploy is off

[ews-pgasser]

What is this PR about?

Today, the compose webhook endpoint at /api/deploy/compose/[refreshToken] rejects every request when autoDeploy is disabled, including manual calls from CI pipelines. This makes it impossible to use Dokploy in a common deployment pattern: connect a Git repo for the compose content, but trigger the actual deploy from CI once the deployable artifact (e.g. a Docker image) has been built and pushed.

This PR detects whether a request originates from a Git provider's webhook by checking for provider-specific headers (x-github-event, x-gitlab-event, x-gitea-event, x-event-key for Bitbucket). The autoDeploy check now only rejects Git-provider webhook calls — manual calls (e.g. curl from CI) fall through and deploy. Behaviour is unchanged for all existing Git-provider webhook callers.

The change is minimal: one new helper function and one modified if condition. No schema, UI, or API changes.

Behaviour matrix

Call type	autoDeploy on	autoDeploy off
GitHub / GitLab / Gitea / Bitbucket webhook	deploys (unchanged)	rejected 400 (unchanged)
Manual curl from CI	deploys (unchanged)	deploys (new)

Checklist

Before submitting this PR, please make sure that:

• You created a dedicated branch based on the canary branch.
• You have read the suggestions in the CONTRIBUTING.md file https://github.com/Dokploy/dokploy/blob/canary/CONTRIBUTING.md#pull-request
• You have tested this PR in your local instance. If you have not tested it yet, please do so before submitting. This helps avoid wasting maintainers' time reviewing code that has not been verified by you.

Issues related (if applicable)

N/A

Screenshots (if applicable)

N/A — server-side behaviour change only, no UI.

Greptile Summary

This PR adds an isGitProviderWebhook helper that checks for provider-specific headers and exempts non-git-provider HTTP calls from the autoDeploy guard on the compose webhook endpoint. The idea is sound, but the bypass stops short: for composes whose sourceType is a git provider (github, gitlab, gitea, bitbucket, or git), a headerless manual curl call will pass the new guard and then immediately fail at the downstream branch-match check with 301 \"Branch Not Match\", since extractBranchName returns null when no git event headers are present.

• P1: Manual deploys via curl still fail for every git-backed compose (sourceType ∈ {github, gitlab, gitea, bitbucket, git}) — the primary use-case cited in the PR description — because extractBranchName returns null without git provider headers, triggering the !branchName guard.

Confidence Score: 4/5

Not safe to merge as-is — the primary stated use case (git-backed compose + manual CI trigger) remains broken due to the downstream branch-match check.

The autoDeploy guard change itself is correct, but the handler's subsequent per-sourceType branch/path validation blocks every manual call for git-sourced composes. The fix requires either also skipping the branch/path checks for non-git-provider requests, or documenting that the feature only works for non-git sourceTypes.

apps/dokploy/pages/api/deploy/compose/[refreshToken].ts — specifically the per-sourceType branch and watchPath checks that follow the autoDeploy guard (lines 61–181).

Comments Outside Diff (1)

1. apps/dokploy/pages/api/deploy/compose/[refreshToken].ts, line 54-59 (link)

   Manual deploys fail for git-backed composes

   When autoDeploy is off, a manual curl call correctly passes the new fromGitProvider guard (line 54), but then hits the sourceType branch-matching block. Because there are no git provider headers, extractBranchName returns null for every git sourceType (github, gitlab, gitea, bitbucket, git), causing every manual call to be rejected with 301 "Branch Not Match" before the deployment job is ever queued.

   The scenario described in the PR description — a compose backed by a GitHub/GitLab/etc. repo with autoDeploy disabled — is precisely the case that still silently fails after this change. The bypass only takes effect for composes whose sourceType is not one of the five git providers listed above.

_{Reviews (1): Last reviewed commit: "feat(compose): allow manual webhook call..." | Re-trigger Greptile}