Test-GitHubWebhookSignature

SYNOPSIS

Verifies a GitHub webhook signature using a shared secret.

SYNTAX

ByBody (Default)

Test-GitHubWebhookSignature -Secret <String> -Body <String> -Signature <String>
 [-ProgressAction <ActionPreference>] [<CommonParameters>]

ByRequest

Test-GitHubWebhookSignature -Secret <String> -Request <PSObject> [-ProgressAction <ActionPreference>]
 [<CommonParameters>]

DESCRIPTION

This function validates the integrity and authenticity of a GitHub webhook request by comparing the received HMAC signature against a computed hash of the payload using a shared secret. It uses the SHA-256 algorithm and employs a constant-time comparison to mitigate timing attacks. The function returns a boolean indicating whether the signature is valid.
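The check described above, written out as an added example (not the module's own code): compute HMAC-SHA256 over the body, format it the way the `X-Hub-Signature-256` header carries it, and compare without an early exit. The function names, secret and payload are hypothetical, constructed values.

```powershell
# Added illustration. Function names are hypothetical, not the module's internals.
function Get-ExampleSignature {
    param([string] $Secret, [string] $Body)
    [byte[]] $key = [System.Text.Encoding]::UTF8.GetBytes($Secret)
    $hmac = [System.Security.Cryptography.HMACSHA256]::new($key)
    try {
        [byte[]] $hash = $hmac.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Body))
    } finally {
        $hmac.Dispose()
    }
    # Header format: 'sha256=' followed by the lowercase hex digest.
    'sha256=' + [System.BitConverter]::ToString($hash).Replace('-', '').ToLowerInvariant()
}

function Test-ExampleSignature {
    param([string] $Secret, [string] $Body, [string] $Signature)
    [byte[]] $expected = [System.Text.Encoding]::UTF8.GetBytes((Get-ExampleSignature -Secret $Secret -Body $Body))
    [byte[]] $received = [System.Text.Encoding]::UTF8.GetBytes($Signature)
    # The length of a well-formed signature is public, so rejecting on length leaks nothing about the secret.
    if ($expected.Length -ne $received.Length) { return $false }
    # Constant-time compare: XOR every byte pair and accumulate, with no early exit on the first mismatch.
    $diff = 0
    for ($i = 0; $i -lt $expected.Length; $i++) {
        $diff = $diff -bor ($expected[$i] -bxor $received[$i])
    }
    return ($diff -eq 0)
}

# Constructed sample values, not a real secret or delivery.
$secret  = 'constructed-example-secret'
$rawBody = '{"action":"opened","number":1}'
# Stands in for the X-Hub-Signature-256 header the sender computed over $rawBody.
$header  = Get-ExampleSignature -Secret $secret -Body $rawBody

# Case 1: body exactly as received, so the recomputed HMAC equals the header.
Test-ExampleSignature -Secret $secret -Body $rawBody -Signature $header

# Case 2: same data re-serialized (ConvertTo-Json pretty-prints by default); the bytes differ, so the HMAC differs.
$reformatted = $rawBody | ConvertFrom-Json | ConvertTo-Json
Test-ExampleSignature -Secret $secret -Body $reformatted -Signature $header

# Case 3: one altered hex digit in the header is rejected.
$tampered = $header.Substring(0, $header.Length - 1) + $(if ($header.EndsWith('0')) { '1' } else { '0' })
Test-ExampleSignature -Secret $secret -Body $rawBody -Signature $tampered
```

Case 2 is why the handler must pass the raw request body to the check and parse the JSON only after the signature has been accepted.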

EXAMPLES

EXAMPLE 1

Test-GitHubWebhookSignature -Secret $env:WEBHOOK_SECRET -Body $Request.RawBody -Signature $Request.Headers['X-Hub-Signature-256']

Output:

True

Validates the provided webhook payload against the HMAC SHA-256 signature using the given secret.

EXAMPLE 2

Test-GitHubWebhookSignature -Secret $env:WEBHOOK_SECRET -Request $Request

Output:

True

Validates the webhook request using the entire request object, automatically extracting the body and signature.

PARAMETERS

-Secret

The secret key used to compute the HMAC hash. Example: 'mysecret'

Type: String
Parameter Sets: (All)
Aliases:

Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-Body

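The JSON body of the GitHub webhook request. This must be the compressed JSON payload exactly as received from GitHub, because the signature is computed over that payload; a re-serialized or reformatted copy will not validate. Example: '{"action":"opened"}'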

Type: String
Parameter Sets: ByBody
Aliases:

Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-Signature

The signature received from GitHub to compare against. Example: 'sha256=abc123...'

Type: String
Parameter Sets: ByBody
Aliases:

Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-Request

The entire request object containing RawBody and Headers. Used in Azure Function Apps or similar environments.

Type: PSObject
Parameter Sets: ByRequest
Aliases:

Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-ProgressAction

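Determines how PowerShell responds to progress updates generated by the command, such as the progress bars produced by Write-Progress. This is a PowerShell common parameter.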

Type: ActionPreference
Parameter Sets: (All)
Aliases: proga

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

INPUTS

OUTPUTS

bool

NOTES

Validating Webhook Deliveries | GitHub Docs

Webhook events and payloads | GitHub Docs

https://psmodule.io/GitHub/Functions/Webhooks/Test-GitHubWebhookSignature