GitHub Webhooks Are the Backbone of CI/CD

Every push, PR, issue comment, and workflow run can fire a webhook. The payloads are deeply nested — a single pull_request event can be 50KB+ of JSON — and you'll spend a lot of time scanning them while debugging GitHub Actions, Probot apps, or Slack/Discord notifiers. This page is pre-loaded with a representative push event so you can see the canonical structure. Replace it with your own captured payload (from github.event in Actions logs, your webhook receiver's logs, or the GitHub UI's "Recent Deliveries" tab).

The Three Levels of Every GitHub Event

Most webhook payloads share a three-level shape:

  • Event-specific top-level fields — For push: ref, before, after, commits[], head_commit. For pull_request: action, number, pull_request object. For issues: action, issue. The action field on *.{opened,closed,edited,...} events is what you switch on in your handler.
  • repository — The repo where the event happened. Always present. full_name, owner.login, default_branch, private are the most-used fields.
  • sender — The user who triggered the event. login, id, type (User vs Bot vs Organization). For automated events, type=Bot.

Common GitHub Webhook Tasks

"Did this push happen on the default branch?" Compare ref (e.g., refs/heads/main) against repository.default_branch (e.g., main). The ref includes the refs/heads/ prefix; the default branch doesn't.

"Was this a force push?" Check the forced boolean on the push event. true means git history was rewritten — flag it loudly in your security tooling.

"Who actually opened this PR?" Use pull_request.user.login, not sender.login. The sender of a pull_request.opened event is the same person, but for pull_request.synchronize (new commits pushed), sender is the pusher while pull_request.user is the original PR author.

"What files changed in this push?" Walk commits[].added, commits[].removed, and commits[].modified arrays. For pushes with more than 20 commits, GitHub truncates the array — fall back to the Compare API (compare URL).

Verifying GitHub Signatures

GitHub signs every webhook with HMAC-SHA256 using your webhook secret. The signature lives in the X-Hub-Signature-256 header. Verify it before parsing the body in production. Use a constant-time comparison — string equality is vulnerable to timing attacks.
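The check described above, combined with the default-branch and force-push questions from the previous section, as an added example (not code from this page or from GitHub). It assumes the header value is the string "sha256=" followed by the hex digest computed over the raw request bytes; the secret, payload and function names are constructed for illustration.

```python
import hashlib
import hmac
import json
from typing import Optional

def verify_signature(secret: bytes, raw_body: bytes, header: Optional[str]) -> bool:
    """True only if header equals "sha256=" + hex HMAC-SHA256(secret, raw_body)."""
    if not header or not header.startswith("sha256="):
        return False  # missing or unexpected scheme: reject, never fall through
    expected = "sha256=" + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
    # compare_digest takes the same time wherever the first mismatch occurs.
    return hmac.compare_digest(expected.encode(), header.encode())

def triage_push(secret: bytes, raw_body: bytes, header: Optional[str]) -> dict:
    """Verify the raw bytes first, parse second, then classify the push."""
    if not verify_signature(secret, raw_body, header):
        return {"accepted": False}
    event = json.loads(raw_body)
    # ref carries the refs/heads/ prefix; repository.default_branch does not.
    default_ref = "refs/heads/" + event["repository"]["default_branch"]
    return {
        "accepted": True,
        "on_default_branch": event["ref"] == default_ref,
        "force_push": bool(event.get("forced", False)),
        "sender": event["sender"]["login"],
    }

# Constructed sample delivery (not a real payload or secret).
SECRET = b"constructed-test-secret"
BODY = json.dumps({
    "ref": "refs/heads/main",
    "forced": True,
    "repository": {"full_name": "example-org/example-repo", "default_branch": "main"},
    "sender": {"login": "example-user", "type": "User"},
}).encode()
GOOD_HEADER = "sha256=" + hmac.new(SECRET, BODY, hashlib.sha256).hexdigest()

if __name__ == "__main__":
    print(triage_push(SECRET, BODY, GOOD_HEADER))
    print(triage_push(SECRET, BODY.replace(b"main", b"evil"), GOOD_HEADER))
```

Pass the bytes exactly as received: re-serializing parsed JSON changes whitespace and key order, so the digest no longer matches.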
