GitHub Webhooks

When to Use This Skill

• Setting up GitHub webhook handlers
• Debugging signature verification failures
• Understanding GitHub event types and payloads
• Handling push, pull request, or issue events

Verification (core)

GitHub signs the raw body with HMAC-SHA256 keyed on your webhook secret and sends the digest in X-Hub-Signature-256 formatted as sha256=<hex>. Use X-Hub-Signature-256 (not the legacy SHA-1 X-Hub-Signature), pass the raw body, and compare timing-safe.

Node:

const crypto = require('crypto');