A simple Go utility to validate GitHub webhook deliveries against a provided secret.
This utility sets up a web server that listens for POST
requests on the /webhook
endpoint and validates the signature of the incoming GitHub webhook payload against a predefined secret.
Clone the repository:
git clone https://github.com/your-username/github-webhook-validator.git
cd github-webhook-validator
go build
Run:
export WEBHOOK_SECRET="It's a Secret to Everybody"
./github-webhook-validator
To test the GitHub webhook validator utility using curl
, you'll need to mimic a webhook request from GitHub. This means you'll need to create a POST
request with a X-Hub-Signature-256 header and a request body. The
X-Hub-Signature-256 header value should be the HMAC hex digest of the request body using your webhook secret.
Here's a simplified example of how you might construct such a curl command:
- First, you'll need to compute the
X-Hub-Signature-256
header value. You can use a command-line tool likeopenssl
to do this:
echo -n "your-payload-here" | openssl dgst -sha256 -hmac $WEBHOOK_SECRET
Replace "your-payload-here"
with the content of your webhook payload, and $WEBHOOK_SECRET
with your webhook secret. This will output a hash value.
- Now, you can use curl to send a POST request to your utility, including the
X-Hub-Signature-256
header value you computed in the previous step:
curl -X POST \
-H "Content-Type: application/json" \
-H "X-Hub-Signature-256: sha256=$WEBHOOK_SECRET \
--data '{"payload": "your-payload-here"}' \
http://localhost:8080/webhook