octokit/webhooks.jsPublic

NotificationsYou must be signed in to change notification settings
Fork82
Star334

GitHub webhook events toolset for Node.js

License

MIT license

334 stars 82 forks Branches Tags Activity

Star

Notifications

You must be signed in to change notification settings

Branches Tags

Folders and files

Name		Name	Last commit message	Last commit date
Latest commit History 1,014 Commits
.github		.github
scripts		scripts
src		src
test		test
.gitignore		.gitignore
CODE_OF_CONDUCT.md		CODE_OF_CONDUCT.md
LICENSE.md		LICENSE.md
README.md		README.md
SECURITY.md		SECURITY.md
package-lock.json		package-lock.json
package.json		package.json
tsconfig.json		tsconfig.json
vite.config.js		vite.config.js

Repository files navigation

@octokit/webhooks

GitHub webhook events toolset for Node.js

@octokit/webhooks helps to handle webhook events received from GitHub.

GitHub webhooks can be registered in multiple ways

In repository or organization settings ongithub.com.
Using the REST API forrepositories ororganizations
Bycreating a GitHub App.

Note that while setting a secret is optional on GitHub, it is required to be set in order to use@octokit/webhooks. Content Type must be set toapplication/json,application/x-www-form-urlencoded is not supported.

Usage

// install with: npm install@octokit/webhooksimport{Webhooks,createNodeMiddleware}from"@octokit/webhooks";import{createServer}from"node:http";constwebhooks=newWebhooks({secret:"mysecret",});webhooks.onAny(({ id, name, payload})=>{console.log(name,"event received");});createServer(createNodeMiddleware(webhooks)).listen(3000);// can now receive webhook events at /api/github/webhooks

Local development

You can receive webhooks on your local machine or even browser usingEventSource andsmee.io.

Go tosmee.io andStart a new channel. Then copy the "Webhook Proxy URL" and

enter it in the GitHub App’s "Webhook URL" input
pass it to theEventSource constructor, see below

constwebhookProxyUrl="https://smee.io/IrqK0nopGAOc847";// replace with your own Webhook Proxy URLconstsource=newEventSource(webhookProxyUrl);source.onmessage=(event)=>{constwebhookEvent=JSON.parse(event.data);webhooks.verifyAndReceive({id:webhookEvent["x-request-id"],name:webhookEvent["x-github-event"],signature:webhookEvent["x-hub-signature"],payload:JSON.stringify(webhookEvent.body),}).catch(console.error);};

EventSource is a native browser API and can be polyfilled for browsers that don’t support it. In node, you can use theeventsource package: install withnpm install eventsource, thenimport EventSource from "eventsource";)

API

Constructor

newWebhooks({ secret/*, transform */});

`secret`(String)	Required. Secret as configured in GitHub Settings.
`transform`(Function)	Only relevant for`webhooks.on`. Transform emitted event before calling handlers. Can be asynchronous.
`log` object	Used for internal logging. Defaults to`console` with`debug` and`info` doing nothing.

Returns thewebhooks API.

webhooks.sign()

webhooks.sign(eventPayload);

eventPayload (String) Required. Webhook request payload as received from GitHub

Returns asignature string. Throws error ifeventPayload is not passed.

Thesign method can be imported as static method from@octokit/webhooks-methods.

webhooks.verify()

webhooks.verify(eventPayload,signature);

`eventPayload` (String)	Required. Webhook event request payload as received from GitHub.
`signature` (String)	Required. Signature string as calculated by`webhooks.sign()`.

Returnstrue orfalse. Throws error ifeventPayload orsignature not passed.

Theverify method can be imported as static method from@octokit/webhooks-methods.

webhooks.verifyAndReceive()

webhooks.verifyAndReceive({ id, name, payload, signature});

`id` String	Unique webhook event request id
`name` String	Required. Name of the event. (Event names are set as`X-GitHub-Event` header in the webhook event request.)
`payload` String	Required. Webhook event request payload as received from GitHub.
`signature` (String)	Required. Signature string as calculated by`webhooks.sign()`.

Returns a promise.

Verifies event usingwebhooks.verify(), then handles the event usingwebhooks.receive().

Additionally, if verification fails, rejects the returned promise and emits anerror event.

Example

import{Webhooks}from"@octokit/webhooks";constwebhooks=newWebhooks({secret:"mysecret",});eventHandler.on("error",handleSignatureVerificationError);// put this inside your webhooks route handlereventHandler.verifyAndReceive({id:request.headers["x-github-delivery"],name:request.headers["x-github-event"],payload:request.body,signature:request.headers["x-hub-signature-256"],}).catch(handleErrorsFromHooks);

webhooks.receive()

webhooks.receive({ id, name, payload});

`id` String	Unique webhook event request id
`name` String	Required. Name of the event. (Event names are set as`X-GitHub-Event` header in the webhook event request.)
`payload` Object	Required. Webhook event request payload as received from GitHub.

Returns a promise. Runs all handlers set withwebhooks.on() in parallel and waits for them to finish. If one of the handlers rejects or throws an error, thenwebhooks.receive() rejects. The returned error has an.errors property which holds an array of all errors caught from the handlers. If no errors occur,webhooks.receive() resolves without passing any value.

The.receive() method belongs to theevent-handler module which can be usedstandalone.

webhooks.on()

webhooks.on(eventName,handler);webhooks.on(eventNames,handler);

`eventName` String	Required. Name of the event. One ofGitHub's supported event names, or (if the event has an action property) the name of an event followed by its action in the form of`<event>.<action>`.
`eventNames` Array	Required. Array of event names.
`handler` Function	Required. Method to be run each time the event with the passed name is received. the`handler` function can be an async function, throw an error or return a Promise. The handler is called with an event object:`{id, name, payload}`.

The.on() method belongs to theevent-handler module which can be usedstandalone.

webhooks.onAny()

webhooks.onAny(handler);

handler Function Required. Method to be run each time any event is received. thehandler function can be an async function, throw an error or return a Promise. The handler is called with an event object:{id, name, payload}.

The.onAny() method belongs to theevent-handler module which can be usedstandalone.

webhooks.onError()

webhooks.onError(handler);

If a webhook event handler throws an error or returns a promise that rejects, an error event is triggered. You can use this handler for logging or reporting events. The passed error object has a .event property which has all information on the event.

Asynchronouserror event handler are not blocking the.receive() method from completing.

handler Function Required. Method to be run each time a webhook event handler throws an error or returns a promise that rejects. Thehandler function can be an async function, return a Promise. The handler is called with an error object that has a .event property which has all the information on the event:{id, name, payload}.

The.onError() method belongs to theevent-handler module which can be usedstandalone.

webhooks.removeListener()

webhooks.removeListener(eventName,handler);webhooks.removeListener(eventNames,handler);

`eventName` String	Required. Name of the event. One ofGitHub's supported event names, or (if the event has an action property) the name of an event followed by its action in the form of`<event>.<action>`, or '*' for the`onAny()` method or 'error' for the`onError()` method.
`eventNames` Array	Required. Array of event names.
`handler` Function	Required. Method which was previously passed to`webhooks.on()`. If the same handler was registered multiple times for the same event, only the most recent handler gets removed.

The.removeListener() method belongs to theevent-handler module which can be usedstandalone.

createNodeMiddleware()

import{createServer}from"node:http";import{Webhooks,createNodeMiddleware}from"@octokit/webhooks";constwebhooks=newWebhooks({secret:"mysecret",});constmiddleware=createNodeMiddleware(webhooks,{path:"/webhooks"});createServer(async(req,res)=>{// `middleware` returns `false` when `req` is unhandled (beyond `/webhooks`)if(awaitmiddleware(req,res))return;res.writeHead(404);res.end();}).listen(3000);// can now receive user authorization callbacks at POST /webhooks

The middleware returned fromcreateNodeMiddleware can also serve as anExpress.js middleware directly.

`webhooks` Webhooks instance	Required.
`path` string	Custom path to match requests against. Defaults to`/api/github/webhooks`.
`log` object	Used for internal logging. Defaults to`console` with`debug` and`info` doing nothing.

createWebMiddleware()

import{Webhooks,createWebMiddleware}from"@octokit/webhooks";constwebhooks=newWebhooks({secret:"mysecret",});constmiddleware=createWebMiddleware(webhooks,{path:"/webhooks"});// Example usage in DenoDeno.serve({port:3000},middleware);

The middleware returned fromcreateWebMiddleware can also be used in serverless environments like AWS Lambda, Cloudflare Workers, and Vercel.

`webhooks` Webhooks instance	Required.
`path` string	Custom path to match requests against. Defaults to`/api/github/webhooks`.
`log` object	Used for internal logging. Defaults to`console` with`debug` and`info` doing nothing.

Webhook events

See the full list ofevent types with example payloads.

If there are actions for a webhook, events are emitted for both, the webhook name as well as a combination of the webhook name and the action, e.g.installation andinstallation.created.

Event	Actions
`branch_protection_configuration`	`disabled` `enabled`
`branch_protection_rule`	`created` `deleted` `edited`
`check_run`	`completed` `created` `requested_action` `rerequested`
`check_suite`	`completed` `requested` `rerequested`
`code_scanning_alert`	`appeared_in_branch` `closed_by_user` `created` `fixed` `reopened` `reopened_by_user`
`commit_comment`	`created`
`create`
`custom_property`	`created` `deleted` `promote_to_enterprise` `updated`
`custom_property_values`	`updated`
`delete`
`dependabot_alert`	`auto_dismissed` `auto_reopened` `created` `dismissed` `fixed` `reintroduced` `reopened`
`deploy_key`	`created` `deleted`
`deployment`	`created`
`deployment_protection_rule`	`requested`
`deployment_review`	`approved` `rejected` `requested`
`deployment_status`	`created`
`discussion`	`answered` `category_changed` `closed` `created` `deleted` `edited` `labeled` `locked` `pinned` `reopened` `transferred` `unanswered` `unlabeled` `unlocked` `unpinned`
`discussion_comment`	`created` `deleted` `edited`
`fork`
`github_app_authorization`	`revoked`
`gollum`
`installation`	`created` `deleted` `new_permissions_accepted` `suspend` `unsuspend`
`installation_repositories`	`added` `removed`
`installation_target`	`renamed`
`issue_comment`	`created` `deleted` `edited`
`issues`	`assigned` `closed` `deleted` `demilestoned` `edited` `labeled` `locked` `milestoned` `opened` `pinned` `reopened` `transferred` `typed` `unassigned` `unlabeled` `unlocked` `unpinned` `untyped`
`label`	`created` `deleted` `edited`
`marketplace_purchase`	`cancelled` `changed` `pending_change` `pending_change_cancelled` `purchased`
`member`	`added` `edited` `removed`
`membership`	`added` `removed`
`merge_group`	`checks_requested` `destroyed`
`meta`	`deleted`
`milestone`	`closed` `created` `deleted` `edited` `opened`
`org_block`	`blocked` `unblocked`
`organization`	`deleted` `member_added` `member_invited` `member_removed` `renamed`
`package`	`published` `updated`
`page_build`
`personal_access_token_request`	`approved` `cancelled` `created` `denied`
`ping`
`project`	`closed` `created` `deleted` `edited` `reopened`
`project_card`	`converted` `created` `deleted` `edited` `moved`
`project_column`	`created` `deleted` `edited` `moved`
`projects_v2`	`closed` `created` `deleted` `edited` `reopened`
`projects_v2_item`	`archived` `converted` `created` `deleted` `edited` `reordered` `restored`
`projects_v2_status_update`	`created` `deleted` `edited`
`public`
`pull_request`	`assigned` `auto_merge_disabled` `auto_merge_enabled` `closed` `converted_to_draft` `demilestoned` `dequeued` `edited` `enqueued` `labeled` `locked` `milestoned` `opened` `ready_for_review` `reopened` `review_request_removed` `review_requested` `synchronize` `unassigned` `unlabeled` `unlocked`
`pull_request_review`	`dismissed` `edited` `submitted`
`pull_request_review_comment`	`created` `deleted` `edited`
`pull_request_review_thread`	`resolved` `unresolved`
`push`
`registry_package`	`published` `updated`
`release`	`created` `deleted` `edited` `prereleased` `published` `released` `unpublished`
`repository`	`archived` `created` `deleted` `edited` `privatized` `publicized` `renamed` `transferred` `unarchived`
`repository_advisory`	`published` `reported`
`repository_dispatch`	`sample`
`repository_import`
`repository_ruleset`	`created` `deleted` `edited`
`repository_vulnerability_alert`	`create` `dismiss` `reopen` `resolve`
`secret_scanning_alert`	`created` `publicly_leaked` `reopened` `resolved` `validated`
`secret_scanning_alert_location`	`created`
`secret_scanning_scan`	`completed`
`security_advisory`	`published` `updated` `withdrawn`
`security_and_analysis`
`sponsorship`	`cancelled` `created` `edited` `pending_cancellation` `pending_tier_change` `tier_changed`
`star`	`created` `deleted`
`status`
`sub_issues`	`parent_issue_added` `parent_issue_removed` `sub_issue_added` `sub_issue_removed`
`team`	`added_to_repository` `created` `deleted` `edited` `removed_from_repository`
`team_add`
`watch`	`started`
`workflow_dispatch`
`workflow_job`	`completed` `in_progress` `queued` `waiting`
`workflow_run`	`completed` `in_progress` `requested`

emitterEventNames

A read only tuple containing all the possible combinations of the webhook events + actions listed above. This might be useful in GUI and input validation.

import{emitterEventNames}from"@octokit/webhooks";emitterEventNames;// ["check_run", "check_run.completed", ...]

validateEventName

The functionvalidateEventName asserts that the provided event name is a valid event name or event/action combination.It throws an error if the event name is not valid, or '*' or 'error' is passed.

The second parameter is an optional options object that can be used to customize the behavior of the validation. You can setaonUnknownEventName property to"warn" to log a warning instead of throwing an error, and alog property to provide a custom logger object, which should have a"warn" method. You can also setonUnknownEventName to"ignore" to disable logging or throwing an error for unknown event names.

import{validateEventName}from"@octokit/webhooks";validateEventName("push");// no errorvalidateEventName("invalid_event");// throws an errorvalidateEventName("*");// throws an errorvalidateEventName("error");// throws an errorvalidateEventName("invalid_event",{onUnknownEventName:"warn"});// logs a warningvalidateEventName("invalid_event",{onUnknownEventName:false,log:{warn:console.info,// instead of warning we just log it via console.info},});validateEventName("*",{onUnkownEventName:"ignore"});// throws an errorvalidateEventName("invalid_event",{onUnkownEventName:"ignore"});// no error, no warning

TypeScript

The types for the webhook payloads are sourced from@octokit/openapi-webhooks-types,which can be used by themselves.

In addition to these types,@octokit/webhooks exports 2 types specific to itself:

Note that changes to the exported types are not considered breaking changes, as the changes will not impact production code, but only fail locally or during CI at build time.

Important

As we useconditional exports, you will need to adapt yourtsconfig.json by setting"moduleResolution": "node16", "module": "node16".

See the TypeScript docs onpackage.json "exports".
See thishelpful guide on transitioning to ESM from@sindresorhus

⚠️ Caution⚠️: Webhooks Types are expected to be used with thestrictNullChecks option enabled in yourtsconfig. If you don't have this option enabled, there's the possibility that you getnever as the inferred type in some use cases. Seeoctokit/webhooks#395 for details.

`EmitterWebhookEventName`

A union of all possible events and event/action combinations supported by the event emitter, e.g."check_run" | "check_run.completed" | ... many more ... | "workflow_run.requested".

`EmitterWebhookEvent`

The object that is emitted by@octokit/webhooks as an event; made up of anid,name, andpayload properties.An optional generic parameter can be passed to narrow the type of thename andpayload properties based on event names or event/action combinations, e.g.EmitterWebhookEvent<"check_run" | "code_scanning_alert.fixed">.