github-starred/komodo
2
0
Fork 1
mirror of https://github.com/moghtech/komodo.git synced 2026-05-05 15:34:09 -05:00
Code Issues 3.5k Packages Projects Releases 103 Wiki Activity

feature: Ablity to put a secret in GitHub webhook to make it more secure #819

New Issue
Closed
opened 2026-03-22 16:53:12 -05:00 by GiteaMirror · 5 comments
GiteaMirror commented 2026-03-22 16:53:12 -05:00
Owner
Copy Link

Originally created by @LawMixer on GitHub (Aug 9, 2024).

Being able to put a secret in GitHub webhook, so nobody can just make a request and then it won't be checked is kind of a safety and security hazard.

Example on GitHub:
https://i.imgur.com/aXm3yo4.png

Originally created by @LawMixer on GitHub (Aug 9, 2024). Being able to put a secret in GitHub webhook, so nobody can just make a request and then it won't be checked is kind of a safety and security hazard. Example on GitHub: https://i.imgur.com/aXm3yo4.png
GiteaMirror added the done label 2026-03-22 16:53:13 -05:00
GiteaMirror commented 2026-03-22 16:53:14 -05:00
Author
Owner
Copy Link

@mbecker20 commented on GitHub (Aug 9, 2024):

Hi, you can configure what to put here using the config file field webhook_secret. You can also use environment variable MONITOR_WEBHOOK_SECRET to pass it to core. See https://github.com/mbecker20/monitor/blob/59cb86d5990ffc4e8959624122c4a8bed6d74352/config_example/core.config.example.toml#L20.

Then you just put the same value in this field on Github side (or Gitea side, whichever git provider).

Monitor will perform validation using HMAC SHA256 signature check following their procedure here: https://docs.github.com/en/webhooks/using-webhooks/validating-webhook-deliveries#validating-webhook-deliveries

Monitor code: https://github.com/mbecker20/monitor/blob/59cb86d5990ffc4e8959624122c4a8bed6d74352/bin/core/src/listener/github/mod.rs#L161

@mbecker20 commented on GitHub (Aug 9, 2024): Hi, you can configure what to put here using the config file field `webhook_secret`. You can also use environment variable MONITOR_WEBHOOK_SECRET to pass it to core. See [https://github.com/mbecker20/monitor/blob/59cb86d5990ffc4e8959624122c4a8bed6d74352/config_example/core.config.example.toml#L20](https://github.com/mbecker20/monitor/blob/59cb86d5990ffc4e8959624122c4a8bed6d74352/config_example/core.config.example.toml#L20). Then you just put the same value in this field on Github side (or Gitea side, whichever git provider). Monitor will perform validation using HMAC SHA256 signature check following their procedure here: [https://docs.github.com/en/webhooks/using-webhooks/validating-webhook-deliveries#validating-webhook-deliveries](https://docs.github.com/en/webhooks/using-webhooks/validating-webhook-deliveries#validating-webhook-deliveries) Monitor code: [https://github.com/mbecker20/monitor/blob/59cb86d5990ffc4e8959624122c4a8bed6d74352/bin/core/src/listener/github/mod.rs#L161](https://github.com/mbecker20/monitor/blob/59cb86d5990ffc4e8959624122c4a8bed6d74352/bin/core/src/listener/github/mod.rs#L161)
GiteaMirror commented 2026-03-22 16:53:15 -05:00
Author
Owner
Copy Link

@LawMixer commented on GitHub (Aug 9, 2024):

Oh - Could we have this in-app instead of in the configure file and the ability to change secrets per build?

@LawMixer commented on GitHub (Aug 9, 2024): Oh - Could we have this in-app instead of in the configure file and the ability to change secrets per build?
GiteaMirror commented 2026-03-22 16:53:17 -05:00
Author
Owner
Copy Link

@mbecker20 commented on GitHub (Aug 11, 2024):

It can be done, its not super high priority to me to add the secret per-build / repo / stack IMO. You can configure this on an Environment variable (MONITOR_WEBHOOK_SECRET) on core container too, don't need config file.

Why did you want to change this per build?

@mbecker20 commented on GitHub (Aug 11, 2024): It can be done, its not super high priority to me to add the secret per-build / repo / stack IMO. You can configure this on an Environment variable (MONITOR_WEBHOOK_SECRET) on core container too, don't need config file. Why did you want to change this per build?
GiteaMirror commented 2026-03-22 16:53:18 -05:00
Author
Owner
Copy Link

@LawMixer commented on GitHub (Aug 11, 2024):

Most of my projects are under organizations, which I like to seperate my secrets to my organization just a preference.

@LawMixer commented on GitHub (Aug 11, 2024): Most of my projects are under organizations, which I like to seperate my secrets to my organization just a preference.
GiteaMirror commented 2026-03-22 16:53:19 -05:00
Author
Owner
Copy Link

@mbecker20 commented on GitHub (Aug 12, 2024):

Hey, I did it in this commit: https://github.com/mbecker20/monitor/commit/8d75fa3f2f17aeba9cba63d31201bd61607fd2b3

Screenshot 2024-08-11 at 10 20 51 PM

Just use the latest build.

@mbecker20 commented on GitHub (Aug 12, 2024): Hey, I did it in this commit: [https://github.com/mbecker20/monitor/commit/8d75fa3f2f17aeba9cba63d31201bd61607fd2b3](https://github.com/mbecker20/monitor/commit/8d75fa3f2f17aeba9cba63d31201bd61607fd2b3) ![Screenshot 2024-08-11 at 10 20 51 PM](https://github.com/user-attachments/assets/e7e6e612-b967-4c66-9c98-01b45814c37a) Just use the latest build.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
1.19.0
1.19.1
1.19.2
1.19.3
1.19.4
2.0.0
bug
documentation
done
enhancement
help wanted
info
pull-request
Mirrored from GitHub Pull Request
 question
security
seen 👀
setup
thinking 🤔
ui
v2
No Label done
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/komodo#819
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?