@octokit/webhooks

GitHub webhook events toolset for Node.js

• Usage
• Local development
• API
  • Constructor
  • webhooks.sign()
  • webhooks.verify()
  • webhooks.verifyAndReceive()
  • webhooks.receive()
  • webhooks.on()
  • webhooks.removeListener()
  • webhooks.middleware()
  • Webhook events
  • Special events
    • * wildcard event
    • error event
• TypeScript
  • WebhookEvent
  • EventNames
  • EventPayloads
• License

@octokit/webhooks helps to handle webhook events received from GitHub.

GitHub webhooks can be registered in multiple ways

1. In repository or organization settings on github.com.
2. Using the REST API for repositories or organizations
3. By creating a GitHub App.

Note that while setting a secret is optional on GitHub, it is required to be set in order to use @octokit/webhooks. Content Type must be set to application/json, application/x-www-form-urlencoded is not supported.

Usage

// install with: npm install @octokit/webhooks
const { Webhooks } = require("@octokit/webhooks");
const webhooks = new Webhooks({
  secret: "mysecret",
});

webhooks.on("*", ({ id, name, payload }) => {
  console.log(name, "event received");
});

require("http").createServer(webhooks.middleware).listen(3000);
// can now receive webhook events at port 3000

Local development

You can receive webhooks on your local machine or even browser using EventSource and smee.io.

Go to smee.io and Start a new channel. Then copy the "Webhook Proxy URL" and

1. enter it in the GitHub App’s "Webhook URL" input
2. pass it to the EventSource constructor, see below

const webhookProxyUrl = "https://smee.io/IrqK0nopGAOc847"; // replace with your own Webhook Proxy URL
const source = new EventSource(webhookProxyUrl);
source.onmessage = (event) => {
  const webhookEvent = JSON.parse(event.data);
  webhooks
    .verifyAndReceive({
      id: webhookEvent["x-request-id"],
      name: webhookEvent["x-github-event"],
      signature: webhookEvent["x-hub-signature"],
      payload: webhookEvent.body,
    })
    .catch(console.error);
};

EventSource is a native browser API and can be polyfilled for browsers that don’t support it. In node, you can use the eventsource package: install with npm install eventsource, then const EventSource = require('eventsource')

API

1. Constructor
2. webhooks.sign()
3. webhooks.verify()
4. webhooks.verifyAndReceive()
5. webhooks.receive()
6. webhooks.on()
7. webhooks.removeListener()
8. webhooks.middleware()
9. Webhook events
10. Special events
    1. * wildcard event
    2. error event

Constructor

new Webhooks({secret[, path, transform]})

secret (String)	Required. Secret as configured in GitHub Settings.
path (String)	Only relevant for webhooks.middleware. Custom path to match requests against. Defaults to /.
transform (Function)	Only relevant for webhooks.on. Transform emitted event before calling handlers. Can be asynchronous.

Returns the webhooks API.

webhooks.sign()

webhooks.sign(eventPayload);

eventPayload (Object)

Required. Webhook request payload as received from GitHub

Returns a signature string. Throws error if eventPayload is not passed.

Can also be used standalone.

webhooks.verify()

webhooks.verify(eventPayload, signature);

eventPayload (Object)	Required. Webhook event request payload as received from GitHub.
signature (String)	Required. Signature string as calculated by webhooks.sign().

Returns true or false. Throws error if eventPayload or signature not passed.

Can also be used standalone.

webhooks.verifyAndReceive()

webhooks.verifyAndReceive({ id, name, payload, signature });

id String	Unique webhook event request id
name String	Required. Name of the event. (Event names are set as X-GitHub-Event header in the webhook event request.)
payload Object	Required. Webhook event request payload as received from GitHub.
signature (String)	Required. Signature string as calculated by webhooks.sign().

Returns a promise.

Verifies event using webhooks.verify(), then handles the event using webhooks.receive().

Additionally, if verification fails, rejects the returned promise and emits an error event.

Example

const { Webhooks } = require("@octokit/webhooks");
const webhooks = new Webhooks({
  secret: "mysecret",
});
eventHandler.on("error", handleSignatureVerificationError);

// put this inside your webhooks route handler
eventHandler
  .verifyAndReceive({
    id: request.headers["x-github-delivery"],
    name: request.headers["x-github-event"],
    payload: request.body,
    signature: request.headers["x-hub-signature"],
  })
  .catch(handleErrorsFromHooks);

webhooks.receive()

webhooks.receive({ id, name, payload });

id String	Unique webhook event request id
name String	Required. Name of the event. (Event names are set as X-GitHub-Event header in the webhook event request.)
payload Object	Required. Webhook event request payload as received from GitHub.

Returns a promise. Runs all handlers set with webhooks.on() in parallel and waits for them to finish. If one of the handlers rejects or throws an error, then webhooks.receive() rejects. The returned error has an .errors property which holds an array of all errors caught from the handlers. If no errors occur, webhooks.receive() resolves without passing any value.

The .receive() method belongs to the event-handler module which can be used standalone.

webhooks.on()

webhooks.on(eventName, handler);
webhooks.on(eventNames, handler);

eventName String	Required. Name of the event. One of GitHub's supported event names.
eventNames Array	Required. Array of event names.
handler Function	Required. Method to be run each time the event with the passed name is received. the handler function can be an async function, throw an error or return a Promise. The handler is called with an event object: {id, name, payload}.

The .on() method belongs to the event-handler module which can be used standalone.

webhooks.removeListener()

webhooks.removeListener(eventName, handler);
webhooks.removeListener(eventNames, handler);

eventName String	Required. Name of the event. One of GitHub’s supported event names.
eventNames Array	Required. Array of event names.
handler Function	Required. Method which was previously passed to webhooks.on(). If the same handler was registered multiple times for the same event, only the most recent handler gets removed.

The .removeListener() method belongs to the event-handler module which can be used standalone.

webhooks.middleware()

webhooks.middleware(request, response[, next])

request Object	Required. A Node.js http.ClientRequest.
response Object	Required. A Node.js http.ServerResponse.
next Function	Optional function which invokes the next middleware, as used by Connect and Express.

Returns a requestListener (or middleware) method which can be directly passed to http.createServer(), Express and other compatible Node.js server frameworks.

Can also be used standalone.

Webhook events

See the full list of event types with example payloads.

If there are actions for a webhook, events are emitted for both, the webhook name as well as a combination of the webhook name and the action, e.g. installation and installation.created.

Event	Actions
check_run	completed created requested_action rerequested
check_suite	completed requested rerequested
code_scanning_alert	appeared_in_branch closed_by_user created fixed reopened reopened_by_user
commit_comment	created
content_reference	created
create
delete
deploy_key	created deleted
deployment	created
deployment_status	created
fork
github_app_authorization	revoked
gollum
installation	created deleted new_permissions_accepted suspend unsuspend
installation_repositories	added removed
issue_comment	created deleted edited
issues	assigned closed deleted demilestoned edited labeled locked milestoned opened pinned reopened transferred unassigned unlabeled unlocked unpinned
label	created deleted edited
marketplace_purchase	cancelled changed pending_change pending_change_cancelled purchased
member	added edited removed
membership	added removed
meta	deleted
milestone	closed created deleted edited opened
organization	deleted member_added member_invited member_removed renamed
org_block	blocked unblocked
package	published updated
page_build
ping
project_card	converted created deleted edited moved
project_column	created deleted edited moved
project	closed created deleted edited reopened
public
pull_request	assigned closed edited labeled locked merged opened ready_for_review reopened review_request_removed review_requested synchronize unassigned unlabeled unlocked
pull_request_review	dismissed edited submitted
pull_request_review_comment	created deleted edited
push
release	created deleted edited prereleased published released unpublished
repository_dispatch	on-demand-test
repository	archived created deleted edited privatized publicized renamed transferred unarchived
repository_import
repository_vulnerability_alert	create dismiss resolve
security_advisory	performed published updated
sponsorship	cancelled created edited pending_cancellation pending_tier_change tier_changed
star	created deleted
status
team	added_to_repository created deleted edited removed_from_repository
team_add
watch	started
workflow_dispatch
workflow_run	action

Special events

Besides the webhook events, there are special events emitted by @octokit/webhooks.

* wildcard event

The * event is emitted for all webhook events listed above.

webhooks.on("*", (event) => {
  console.log(`"${event.name}" event received"`);
});

error event

If a webhook event handler throws an error or returns a promise that rejects, an error event is triggered. You can subscribe to this event for logging or reporting events. The passed error object has a .event property which has all information on the event:

• id: The unique webhook event request id
• name: The name of the event
• payload: The event request payload

webhooks.on("error", (error) => {
  console.log(`Error occured in "${error.event.name} handler: ${error.stack}"`);
});

Asynchronous error event handler are not blocking the .receive() method from completing.

TypeScript

@octokit/webhooks exports 3 types that can be used independent from the code.

Note that changes to the exported types are not considered breaking changes, as the changes will not impact production code, but only fail locally or during CI at build time.

WebhookEvent

The WebhookEvent type is an object with the properties id, name, and payload. name must be one of the known event names. The type for payload be set using an optional type parameter, e.g. WebhookEvent<MyPayloadType>

EventNames

The EventNames type is a module containing types for all known event names and event/action combinations. For example, EventNames.CheckRunEvent is a string enum for "check_run" | "check_run.completed" | "check_run.created" | "check_run.requested_action" | "check_run.rerequested".

EventNames.All is an enum of all event/action combinations. EventNames.StringNames is an enum for the known event names only.

EventPayloads

The EventPayloads type exports payload types for all known evens. For example EventPayloads.WebhookPayloadCheckRun exports the payload type for the check_run event.

License

MIT