@octokit/webhooks

GitHub webhook events toolset for Node.js

GitHub webhooks can be registered in multiple ways

In repository or organization settings on github.com.
Using the REST API for repositories or organizations
By installing a GitHub App.

@octokit/webhooks helps to handle webhook events received from GitHub.

Note that while setting a secret is optional on GitHub, it is required to be set in order to use @octokit/webhooks. Content Type must be set to application/json, application/x-www-form-urlencoded is not supported.

Example

// install with: npm install @octokit/webhooks
const WebhooksApi = require('@octokit/webhooks')
const webhooks = new WebhooksApi({
  secret: 'mysecret'
})

webhooks.on('*', ({id, name, payload}) => {
  console.log(name, 'event received')
})

require('http').createServer(webhooks.middleware).listen(3000)
// can now receive webhook events at port 3000

Local development

You can receive webhooks on your local machine or even browser using EventSource and smee.io.

Go to smee.io and Start a new channel. Then copy the "Webhook Proxy URL" and

enter it in the GitHub App’s "Webhook URL" input
pass it to the EventSource constructor, see below

const webhookProxyUrl = 'https://smee.io/IrqK0nopGAOc847' // replace with your own Webhook Proxy URL
const source = new EventSource(webhookProxyUrl)
source.onmessage = (event) => {
  const webhookEvent = JSON.parse(event.data)
  webhooks.verifyAndReceive({
    id: webhookEvent['x-request-id'],
    name: webhookEvent['x-github-event'],
    signature: webhookEvent['x-hub-signature'],
    payload: webhookEvent.body
  }).catch(console.error)
}

EventSource is a native browser API and can be polyfilled for browsers that don’t support it. In node, you can use the eventsource package: install with npm install eventsource, then const EventSource = require('eventsource')

API

Constructor
webhooks.sign()
webhooks.verify()
webhooks.verifyAndReceive()
webhooks.receive()
webhooks.on()
webhooks.removeListener()
webhooks.middleware()
Webhook events
Special events
1. * wildcard event
2. error event

Constructor

new WebhooksApi({secret[, path]})

`secret` (String)	Required. Secret as configured in GitHub Settings.
`transform` (Function)	Only relevant for `webhooks.on`. Transform emitted event before calling handlers. Can be asynchronous.
`path` (String)	Only relevant for `webhooks.middleware`. Custom path to match requests against. Defaults to `/`.

Returns the webhooks API.

webhooks.sign()

webhooks.sign(eventPayload)

eventPayload (Object) Required. Webhook request payload as received from GitHub

Returns a signature string. Throws error if eventPayload is not passed.

Can also be used standalone.

webhooks.verify()

webhooks.verify(eventPayload, signature)

`eventPayload` (Object)	Required. Webhook event request payload as received from GitHub.
`signature` (String)	Required. Signature string as calculated by `webhooks.sign()`.

Returns true or false. Throws error if eventPayload or signature not passed.

Can also be used standalone.

webhooks.verifyAndReceive()

webhooks.verifyAndReceive({id, name, payload, signature})

`id` String	Unique webhook event request id
`name` String	Required. Name of the event. (Event names are set as `X-GitHub-Event` header in the webhook event request.)
`payload` Object	Required. Webhook event request payload as received from GitHub.
`signature` (String)	Required. Signature string as calculated by `webhooks.sign()`.

Returns a promise.

Verifies event using webhooks.verify(), then handles the event using webhooks.receive().

Additionally, if verification fails, rejects return promise and emits an error event.

Example

const WebhooksApi = require('@octokit/webhooks')
const webhooks = new WebhooksApi({
  secret: 'mysecret'
})
eventHandler.on('error', handleSignatureVerificationError)

// put this inside your webhooks route handler
eventHandler.verifyAndReceive({
  id: request.headers['x-github-delivery'],
  name: request.headers['x-github-event'],
  payload: request.body,
  signature: request.headers['x-hub-signature']
}).catch(handleErrorsFromHooks)

webhooks.receive()

webhooks.receive({id, name, payload})

`id` String	Unique webhook event request id
`name` String	Required. Name of the event. (Event names are set as `X-GitHub-Event` header in the webhook event request.)
`payload` Object	Required. Webhook event request payload as received from GitHub.

Returns a promise. Runs all handlers set with webhooks.on() in parallel and waits for them to finish. If one of the handlers rejects or throws an error, then webhooks.receive() rejects. The returned error has an .errors property which holds an array of all errors caught from the handlers. If no errors occur, webhooks.receive() resolves without passing any value.

The .receive() method belongs to the receiver module which can be used standalone.

webhooks.on()

webhooks.on(eventName, handler)
webhooks.on(eventNames, handler)

`eventName` String	Required. Name of the event. One of GitHub's supported event names.
`eventNames` Array	Required. Array of event names.
`handler` Function	Required. Method to be run each time the event with the passed name is received. the `handler` function can be an async function, throw an error or return a Promise. The handler is called with an event object: `{id, name, payload}`.

The .on() method belongs to the receiver module which can be used standalone.

webhooks.removeListener()

webhooks.removeListener(eventName, handler)
webhooks.removeListener(eventNames, handler)

`eventName` String	Required. Name of the event. One of GitHub’s supported event names.
`eventNames` Array	Required. Array of event names.
`handler` Function	Required. Method which was previously passed to `webhooks.on()`. If the same handler was registered multiple times for the same event, only the most recent handler gets removed.

The .removeListener() method belongs to the receiver module which can be used standalone.

webhooks.middleware()

webhooks.middleware(request, response[, next])

`request` Object	Required. A Node.js http.ClientRequest.
`response` Object	Required. A Node.js http.ServerResponse.
`next` Function	Optional function which invokes the next middleware, as used by Connect and Express.

Returns a requestListener (or middleware) method which can be directly passed to http.createServer(), Express and other compatible Node.js server frameworks.

Can also be used standalone.

Webhook events

See the full list of event types with example payloads.

If there are actions for a webhook, events are emitted for both, the webhook name as well as a combination of the webhook name and the action, e.g. installation and installation.created.

Event	Actions
`check_run`	`completed` `created` `requested_action` `rerequested`
`check_suite`	`completed` `requested` `rerequested`
`commit_comment`	`created`
`content_reference`
`create`
`delete`
`deploy_key`	`created` `deleted`
`deployment`
`deployment_status`
`fork`
`github_app_authorization`
`gollum`
`installation`	`created` `deleted` `new_permissions_accepted`
`installation_repositories`	`added` `removed`
`issue_comment`	`created` `deleted` `edited`
`issues`	`assigned` `closed` `deleted` `demilestoned` `edited` `labeled` `locked` `milestoned` `opened` `pinned` `reopened` `transferred` `unassigned` `unlabeled` `unlocked` `unpinned`
`label`	`created` `deleted` `edited`
`marketplace_purchase`	`cancelled` `changed` `pending_change` `pending_change_cancelled` `purchased`
`member`	`added` `deleted` `edited`
`membership`	`added` `removed`
`meta`	`deleted`
`milestone`	`closed` `created` `deleted` `edited` `opened`
`organization`	`deleted` `member_added` `member_invited` `member_removed` `renamed`
`org_block`	`blocked` `unblocked`
`page_build`
`project_card`	`converted` `created` `deleted` `edited` `moved`
`project_column`	`created` `deleted` `edited` `moved`
`project`	`closed` `created` `deleted` `edited` `reopened`
`public`
`pull_request`	`assigned` `closed` `edited` `labeled` `locked` `opened` `ready_for_review` `reopened` `review_request_removed` `review_requested` `unassigned` `unlabeled` `unlocked` `synchronize`
`pull_request_review`	`dismissed` `edited` `submitted`
`pull_request_review_comment`	`created` `deleted` `edited`
`push`
`registry_package`	`published` `updated`
`release`	`created` `deleted` `edited` `prereleased` `published` `unpublished`
`repository`	`archived` `created` `deleted` `edited` `privatized` `publicized` `renamed` `transferred` `unarchived`
`repository_import`
`repository_vulnerability_alert`	`create` `dismiss` `resolve`
`security_advisory`	`performed` `published` `updated`
`star`	`created` `deleted`
`status`
`team`	`added_to_repository` `created` `deleted` `edited` `removed_from_repository`
`team_add`
`watch`	`started`
`ping`

Special events

Besides the webhook events, there are special events emitted by @octokit/webhooks.

`*` wildcard event

The * event is emitted for all webhook events listed above.

webhooks.on('*', (event) => {
  console.log(`"${event.name}" event received"`)
})

`error` event

If a webhook event handler throws an error or returns a promise that rejects, an error event is triggered. You can subscribe to this event for logging or reporting events. The passed error object has a .event property which has all information on the event:

id: The unique webhook event request id
name: The name of the event
payload: The event request payload

webhooks.on('error', (error) => {
  console.log(`Error occured in "${error.event.name} handler: ${error.stack}"`)
})

Asynchronous error event handler are not blocking the .receive() method from completing.

License

MIT

pauldenotter/webhooks.js

@octokit/webhooks

Example

Local development

API

Constructor

webhooks.sign()

webhooks.verify()

webhooks.verifyAndReceive()

webhooks.receive()

webhooks.on()

webhooks.removeListener()

webhooks.middleware()

Webhook events

Special events

* wildcard event

error event

License

`*` wildcard event

`error` event