Fix: Allow compliance webhooks with legacy install flow

[dmerand]

WHY are these changes introduced?

Fixes #6003 regression - After PR #6003, users reported that the CLI incorrectly prevents deployment when using only compliance webhooks with use_legacy_install_flow = true.

The validation treats ALL webhook subscriptions as app-specific, including compliance topics which are mandatory for public apps and should be allowed with legacy install flow.

User report: https://community.shopify.dev/t/compliance-topics-issue/18702

WHAT is this pull request doing?

This PR fixes the webhook validation logic to properly distinguish between app-specific webhooks and compliance webhooks:

• Before: The validation counted ALL webhook subscriptions as app-specific
• After: The validation only counts subscriptions with the topics field as app-specific

The fix allows compliance-only webhook configurations to work with legacy install flow, which is necessary because:

1. Compliance webhooks are mandatory for all public apps (GDPR requirement)
2. They use the compliance_topics field, not the topics field
3. They don't require declarative scopes like regular app-specific webhooks do

How to test your changes?

1. Create an app with use_legacy_install_flow = true
2. Add only compliance webhooks:

   [webhooks]
   api_version = "2025-07"
   
   [[webhooks.subscriptions]]
   uri = "/webhooks"
   compliance_topics = ["customers/data_request", "customers/redact", "shop/redact"]

3. Run shopify app deploy - it should now succeed
4. Add a regular webhook with topics - deployment should fail as expected

Post-release steps

None required.

Measuring impact

How do we know this change was effective? Please choose one:

• n/a - this doesn't need measurement, e.g. a linting rule or a bug-fix
• Existing analytics will cater for this addition
• PR includes analytics changes to measure impact

Checklist

• I've considered possible cross-platform impacts (Mac, Linux, Windows)
• I've considered possible documentation changes

[dmerand]

• Fix: Allow compliance webhooks with legacy install flow #6108 👈 (View in Graphite)
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[github-actions]

Coverage report

St.❔	Category	Percentage	Covered / Total
🟡	Statements	78.35% (-0.05% 🔻)	13034/16636
🟡	Branches	72.59% (+0.02% 🔼)	6347/8744
🟡	Functions	78.23% (-0.05% 🔻)	3375/4314
🟡	Lines	78.76% (-0.05% 🔻)	12343/15671

Show new covered files 🐣

St.❔	File	Statements	Branches	Functions	Lines
🟢	... / shop_details.ts	100%	100%	100%	100%

Show files with reduced coverage 🔻

St.❔	File	Statements	Branches	Functions	Lines
🔴	... / index.ts	0% (-6.67% 🔻)	0%	0%	0% (-7.14% 🔻)
🔴	... / current_user_account.ts	0% (-100% 🔻)	100%	100%	0% (-100% 🔻)
🟢	... / copy.ts	97.06% (-0.08% 🔻)	94.29%	100%	97.06% (-0.08% 🔻)
🔴	... / mock-api-client.ts	3.7% (-0.64% 🔻)	0%	9.09% (-0.91% 🔻)	4% (-0.55% 🔻)
🟢	... / store-import.ts	97.78% (-0.09% 🔻)	85.71% (+5.71% 🔼)	100%	97.73% (-0.1% 🔻)

Test suite run success

3032 tests passing in 1317 suites.

Report generated by 🧪jest coverage report action from 7974965

[isaacroldan]

isn't this test exactly the same as the first one? or am i missing something?

[isaacroldan]

Do we need a patch release for this?

[clarkdave]

Hey folks - could this be extended to support other webhooks that don't require scopes?

Our shopify.app.toml has use_legacy_install_flow = true and declares a mix of compliance and shop webhooks, and has been working fine on previous versions of the Shopify CLI (e.g. 3.76.2).

Fixed by this PR:

• customers/data_request
• customers/redact
• shop/redact

Not fixed by this PR, but don't seem to require additional scopes:

• app/uninstalled
• customer_account_settings/update

I can open a new issue for this if it's easier.

---

Here's the relevant part of our configuration that was working in CLI version 3.76.2 but is no longer working in 3.82.1.

[access_scopes]
scopes = "read_content,write_content,read_customers,write_customers,read_orders,read_all_orders,read_products,write_products,read_price_rules,write_price_rules,read_discounts,write_discounts,write_gift_cards"
use_legacy_install_flow = true

[build]
include_config_on_deploy = true

[auth]
redirect_urls = [
  "https://app.example.com/auth/shopify/offline/callback",
  "https://app.example.com/auth/shopify/online/callback",
]

[webhooks]
api_version = "2025-01"

[[webhooks.subscriptions]]
uri = "https://example.com/shopify/webhooks/customers/data_request"
compliance_topics = ["customers/data_request"]

[[webhooks.subscriptions]]
uri = "https://example.com/shopify/webhooks/customers/redact"
compliance_topics = ["customers/redact"]

[[webhooks.subscriptions]]
uri = "https://example.com/shopify/webhooks/shop/redact"
compliance_topics = ["shop/redact"]

[[webhooks.subscriptions]]
topics = ["app/uninstalled"]
uri = "https://example.com/shopify/uninstall"

[[webhooks.subscriptions]]
uri = "https://example.com/shopify/webhooks/customer_account_settings/update"
topics = ["customer_account_settings/update"]