feat(netlify): add Netlify block with deploys, env vars, and deploy triggers

Adds the Netlify integration with nine tool operations (list sites, list/get/cancel/create deploys, and list/create/update/delete env vars) plus six webhook triggers (deploy created, building, succeeded, failed, locked, unlocked).

Tools authenticate via a Netlify Personal Access Token (Bearer). Triggers automatically register an outgoing webhook on the chosen site at deploy time and clean it up on undeploy. Inbound webhook signatures are verified as JWTs (HS256, iss=netlify, sha256 claim of the raw body) without adding a jsonwebtoken dependency.

Author: stylessh

apps/sim/blocks/blocks/netlify.ts

@@ -138,6 +138,7 @@ import { MongoDBBlock } from '@/blocks/blocks/mongodb'
 import { MothershipBlock } from '@/blocks/blocks/mothership'
 import { MySQLBlock } from '@/blocks/blocks/mysql'
 import { Neo4jBlock } from '@/blocks/blocks/neo4j'
+import { NetlifyBlock } from '@/blocks/blocks/netlify'
 import { NoteBlock } from '@/blocks/blocks/note'
 import { NotionBlock, NotionV2Block } from '@/blocks/blocks/notion'
 import { ObsidianBlock } from '@/blocks/blocks/obsidian'
@@ -388,6 +389,7 @@ export const registry: Record<string, BlockConfig> = {
   mothership: MothershipBlock,
   mysql: MySQLBlock,
   neo4j: Neo4jBlock,
+  netlify: NetlifyBlock,
   note: NoteBlock,
   notion: NotionBlock,
   notion_v2: NotionV2Block,

apps/sim/blocks/registry.ts

@@ -6727,6 +6727,30 @@ export function VercelIcon(props: SVGProps<SVGSVGElement>) {
   )
 }
 
+export function NetlifyIcon(props: SVGProps<SVGSVGElement>) {
+  return (
+    <svg
+      {...props}
+      viewBox='0 0 256 226'
+      xmlns='http://www.w3.org/2000/svg'
+      preserveAspectRatio='xMidYMid'
+    >
+      <path
+        fill='#fff'
+        d='M69.181 188.087h-2.417l-12.065-12.065v-2.417l18.444-18.444h12.778l1.704 1.704v12.778zM54.699 51.628v-2.417l12.065-12.065h2.417L87.625 55.59v12.778l-1.704 1.704H73.143z'
+      />
+      <path
+        fill='#014847'
+        d='M160.906 149.198h-17.552l-1.466-1.466v-41.089c0-7.31-2.873-12.976-11.689-13.174-4.537-.119-9.727 0-15.274.218l-.833.852v53.173l-1.466 1.466H95.074l-1.466-1.466v-70.19l1.466-1.467h39.503c15.354 0 27.795 12.441 27.795 27.795v43.882l-1.466 1.466Z'
+      />
+      <path
+        fill='#fff'
+        d='M71.677 122.889H1.466L0 121.423V103.83l1.466-1.466h70.211l1.466 1.466v17.593zM254.534 122.889h-70.211l-1.466-1.466V103.83l1.466-1.466h70.211L256 103.83v17.593zM117.876 54.124V1.466L119.342 0h17.593l1.466 1.466v52.658l-1.466 1.466h-17.593zM117.876 223.787v-52.658l1.466-1.466h17.593l1.466 1.466v52.658l-1.466 1.465h-17.593z'
+      />
+    </svg>
+  )
+}
+
 export function CloudflareIcon(props: SVGProps<SVGSVGElement>) {
   return (
     <svg {...props} xmlns='http://www.w3.org/2000/svg' viewBox='0 0 512 512'>

apps/sim/components/icons.tsx

@@ -0,0 +1,282 @@
+import crypto from 'crypto'
+import { createLogger } from '@sim/logger'
+import { safeCompare } from '@sim/security/compare'
+import { NextResponse } from 'next/server'
+import { getNotificationUrl, getProviderConfig } from '@/lib/webhooks/provider-subscription-utils'
+import type {
+  AuthContext,
+  DeleteSubscriptionContext,
+  EventMatchContext,
+  FormatInputContext,
+  FormatInputResult,
+  SubscriptionContext,
+  SubscriptionResult,
+  WebhookProviderHandler,
+} from '@/lib/webhooks/providers/types'
+
+const logger = createLogger('WebhookProvider:Netlify')
+
+/**
+ * Verifies a Netlify outgoing webhook JWT signature (HS256, iss=netlify).
+ * The token's `sha256` claim must equal the SHA-256 hex digest of the raw body.
+ */
+function verifyNetlifyJwt(token: string, secret: string, rawBody: string): boolean {
+  const parts = token.split('.')
+  if (parts.length !== 3) return false
+  const [headerB64, payloadB64, signatureB64] = parts
+
+  const expectedSignature = crypto
+    .createHmac('sha256', secret)
+    .update(`${headerB64}.${payloadB64}`)
+    .digest('base64url')
+
+  if (!safeCompare(expectedSignature, signatureB64)) {
+    return false
+  }
+
+  let payload: Record<string, unknown>
+  try {
+    payload = JSON.parse(Buffer.from(payloadB64, 'base64url').toString('utf8')) as Record<
+      string,
+      unknown
+    >
+  } catch {
+    return false
+  }
+
+  if (payload.iss !== 'netlify') return false
+
+  const bodyHash = crypto.createHash('sha256').update(rawBody, 'utf8').digest('hex')
+  if (typeof payload.sha256 !== 'string') return false
+  return safeCompare(payload.sha256, bodyHash)
+}
+
+export const netlifyHandler: WebhookProviderHandler = {
+  verifyAuth({ request, rawBody, requestId, providerConfig }: AuthContext): NextResponse | null {
+    const secret = (providerConfig.webhookSecret as string | undefined)?.trim()
+    if (!secret) {
+      logger.warn(`[${requestId}] Netlify webhook secret missing; rejecting delivery`)
+      return new NextResponse(
+        'Unauthorized - Netlify webhook signing secret is not configured. Re-save the trigger so a webhook can be registered.',
+        { status: 401 }
+      )
+    }
+
+    const signature = request.headers.get('x-webhook-signature')
+    if (!signature) {
+      logger.warn(`[${requestId}] Netlify webhook missing X-Webhook-Signature header`)
+      return new NextResponse('Unauthorized - Missing Netlify signature', { status: 401 })
+    }
+
+    if (!verifyNetlifyJwt(signature, secret, rawBody)) {
+      logger.warn(`[${requestId}] Netlify signature verification failed`)
+      return new NextResponse('Unauthorized - Invalid Netlify signature', { status: 401 })
+    }
+
+    return null
+  },
+
+  async matchEvent({ webhook, workflow, body, requestId, providerConfig }: EventMatchContext) {
+    const triggerId = providerConfig.triggerId as string | undefined
+    if (!triggerId) return true
+
+    const { isNetlifyEventMatch } = await import('@/triggers/netlify/utils')
+    const obj = body as Record<string, unknown>
+    const state = typeof obj.state === 'string' ? obj.state : undefined
+
+    if (!isNetlifyEventMatch(triggerId, state)) {
+      logger.debug(`[${requestId}] Netlify event mismatch for trigger ${triggerId}. Skipping.`, {
+        webhookId: webhook.id,
+        workflowId: workflow.id,
+        triggerId,
+        state,
+      })
+      return false
+    }
+
+    return true
+  },
+
+  extractIdempotencyId(body: unknown) {
+    const id = (body as Record<string, unknown>)?.id
+    if (id === undefined || id === null || id === '') {
+      return null
+    }
+    return `netlify:${String(id)}`
+  },
+
+  async createSubscription(ctx: SubscriptionContext): Promise<SubscriptionResult | undefined> {
+    const { webhook, requestId } = ctx
+    try {
+      const providerConfig = getProviderConfig(webhook)
+      const apiKey = providerConfig.apiKey as string | undefined
+      const triggerId = providerConfig.triggerId as string | undefined
+      const siteId = (providerConfig.siteId as string | undefined)?.trim()
+
+      if (!apiKey) {
+        throw new Error(
+          'Netlify Personal Access Token is required. Provide your access token in the trigger configuration.'
+        )
+      }
+      if (!siteId) {
+        throw new Error('Netlify Site ID is required to register a deploy webhook.')
+      }
+      if (!triggerId) {
+        throw new Error('Missing trigger ID — re-save the Netlify trigger.')
+      }
+
+      const { NETLIFY_TRIGGER_EVENT_TYPES } = await import('@/triggers/netlify/utils')
+      const event = NETLIFY_TRIGGER_EVENT_TYPES[triggerId]
+      if (!event) {
+        throw new Error(
+          `Unknown Netlify trigger "${triggerId}". Remove and re-add the Netlify trigger, then save again.`
+        )
+      }
+
+      const notificationUrl = getNotificationUrl(webhook)
+      const signingSecret = crypto.randomBytes(32).toString('base64url')
+
+      logger.info(`[${requestId}] Creating Netlify webhook`, {
+        triggerId,
+        event,
+        siteId,
+        webhookId: webhook.id,
+      })
+
+      const apiUrl = `https://api.netlify.com/api/v1/hooks?site_id=${encodeURIComponent(siteId)}`
+      const requestBody = {
+        type: 'url',
+        event,
+        data: {
+          url: notificationUrl,
+          signature_secret: signingSecret,
+        },
+      }
+
+      const netlifyResponse = await fetch(apiUrl, {
+        method: 'POST',
+        headers: {
+          Authorization: `Bearer ${apiKey}`,
+          'Content-Type': 'application/json',
+        },
+        body: JSON.stringify(requestBody),
+      })
+
+      const responseBody = (await netlifyResponse.json().catch(() => ({}))) as Record<
+        string,
+        unknown
+      >
+
+      if (!netlifyResponse.ok) {
+        const errorMessage =
+          (responseBody.message as string) ||
+          (responseBody.error as string) ||
+          'Unknown Netlify API error'
+
+        let userFriendlyMessage = 'Failed to create webhook subscription in Netlify'
+        if (netlifyResponse.status === 401 || netlifyResponse.status === 403) {
+          userFriendlyMessage =
+            'Invalid or insufficient Netlify Personal Access Token. Verify the token has access to this site.'
+        } else if (netlifyResponse.status === 404) {
+          userFriendlyMessage = `Netlify site "${siteId}" not found or not accessible with this token.`
+        } else if (errorMessage && errorMessage !== 'Unknown Netlify API error') {
+          userFriendlyMessage = `Netlify error: ${errorMessage}`
+        }
+
+        throw new Error(userFriendlyMessage)
+      }
+
+      const externalId = (responseBody.id as string | undefined) ?? undefined
+      if (!externalId) {
+        throw new Error('Netlify webhook creation succeeded but no hook ID was returned')
+      }
+
+      logger.info(`[${requestId}] Successfully created Netlify hook ${externalId}`, {
+        webhookId: webhook.id,
+        event,
+      })
+
+      return {
+        providerConfigUpdates: {
+          externalId,
+          webhookSecret: signingSecret,
+        },
+      }
+    } catch (error: unknown) {
+      const err = error as Error
+      logger.error(`[${requestId}] Exception during Netlify webhook creation`, {
+        message: err.message,
+        webhookId: webhook.id,
+      })
+      throw error
+    }
+  },
+
+  async deleteSubscription(ctx: DeleteSubscriptionContext): Promise<void> {
+    const { webhook, requestId } = ctx
+    try {
+      const config = getProviderConfig(webhook)
+      const apiKey = config.apiKey as string | undefined
+      const externalId = config.externalId as string | undefined
+
+      if (!apiKey || !externalId) {
+        logger.warn(
+          `[${requestId}] Missing apiKey or externalId for Netlify webhook deletion ${webhook.id}, skipping cleanup`
+        )
+        if (ctx.strict) throw new Error('Missing Netlify webhook deletion credentials')
+        return
+      }
+
+      const apiUrl = `https://api.netlify.com/api/v1/hooks/${encodeURIComponent(externalId)}`
+
+      const response = await fetch(apiUrl, {
+        method: 'DELETE',
+        headers: {
+          Authorization: `Bearer ${apiKey}`,
+        },
+      })
+
+      if (!response.ok && response.status !== 404) {
+        logger.warn(
+          `[${requestId}] Failed to delete Netlify webhook (non-fatal): ${response.status}`
+        )
+        if (ctx.strict) throw new Error(`Failed to delete Netlify webhook: ${response.status}`)
+      } else {
+        await response.body?.cancel()
+        logger.info(`[${requestId}] Successfully deleted Netlify hook ${externalId}`)
+      }
+    } catch (error) {
+      logger.warn(`[${requestId}] Error deleting Netlify webhook (non-fatal)`, error)
+      if (ctx.strict) throw error
+    }
+  },
+
+  async formatInput(ctx: FormatInputContext): Promise<FormatInputResult> {
+    const body = ctx.body as Record<string, unknown>
+
+    const str = (v: unknown): string => (v == null ? '' : String(v))
+
+    return {
+      input: {
+        id: str(body.id),
+        siteId: str(body.site_id),
+        state: str(body.state),
+        name: str(body.name),
+        url: str(body.url),
+        deployUrl: str(body.deploy_url),
+        deploySslUrl: str(body.deploy_ssl_url),
+        adminUrl: str(body.admin_url),
+        branch: str(body.branch),
+        context: str(body.context),
+        commitRef: str(body.commit_ref),
+        commitUrl: str(body.commit_url),
+        title: str(body.title),
+        errorMessage: str(body.error_message),
+        createdAt: str(body.created_at),
+        updatedAt: str(body.updated_at),
+        publishedAt: str(body.published_at),
+        payload: body,
+      },
+    }
+  },
+}

apps/sim/lib/webhooks/providers/netlify.ts

@@ -26,6 +26,7 @@ import { lemlistHandler } from '@/lib/webhooks/providers/lemlist'
 import { linearHandler } from '@/lib/webhooks/providers/linear'
 import { microsoftTeamsHandler } from '@/lib/webhooks/providers/microsoft-teams'
 import { mondayHandler } from '@/lib/webhooks/providers/monday'
+import { netlifyHandler } from '@/lib/webhooks/providers/netlify'
 import { notionHandler } from '@/lib/webhooks/providers/notion'
 import { outlookHandler } from '@/lib/webhooks/providers/outlook'
 import { resendHandler } from '@/lib/webhooks/providers/resend'
@@ -88,6 +89,7 @@ const PROVIDER_HANDLERS: Record<string, WebhookProviderHandler> = {
   twilio: twilioHandler,
   twilio_voice: twilioVoiceHandler,
   typeform: typeformHandler,
+  netlify: netlifyHandler,
   vercel: vercelHandler,
   webflow: webflowHandler,
   whatsapp: whatsappHandler,