Ugly Green Logo

4n6ir.com

GitHub Organization

28 March 2022

Validating GitHub Webhooks with Python

by John Lukach

I added a GitHub Webhook that invalidates the CloudFront Distribution using a Tag increment with the published Release that I needed to secure.

https://docs.github.com/en/developers/webhooks-and-events/webhooks/securing-your-webhooks

List of Python libraries necessary for the code example to work.

import hashlib
import hmac
import re

Parse the SHA256 verification hash from the Lambda Function that received the GitHub Webhook event from the API post request.

webhook = re.sub(r'^sha256=', '', event['headers']['X-Hub-Signature-256'])

Calculate the Hash-Based Message Authentication Code (HMAC) using the GitHub Webhook Secret and Event Body in a UTF-8 format to generate a SHA256 hash.

digest = hmac.new(
    key = bytes(secret, 'utf-8'),
    msg = event['body'].encode('utf-8'),
    digestmod = hashlib.sha256
)

Two matching values indicate a successful GitHub Webhook authentication.

if webhook != digest.hexdigest():
    print('Denied Access')
else:
    print('Access Granted')
tags: GitHub - Python - Webhooks