(event, steps, params) => {
}
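// Validate the GitHub webhook signature before anything later in the workflow
// trusts the payload. GITHUB_SECRET is the shared secret configured on the
// webhook and is supplied to this step through params.
const { GITHUB_SECRET } = params
const crypto = require('crypto')

// The signature covers the exact bytes GitHub sent, so the HMAC is computed
// over the raw body decoded from base64, not over a re-serialised event.body.
const rawBody = Buffer.from(steps.trigger.raw_event.body_b64, 'base64')
const receivedSignature = event.headers["x-hub-signature"]

if (typeof GITHUB_SECRET !== 'string' || GITHUB_SECRET.length === 0) {
  // Fail closed: an empty key would still produce an HMAC, but one that any
  // sender could reproduce, so an unset secret must never count as "verified".
  $end("No GITHUB_SECRET configured for this step. Exiting.")
} else if (typeof receivedSignature !== 'string') {
  $end("No x-hub-signature header present in the request. Exiting.")
} else {
  // x-hub-signature carries "sha1=" followed by the HMAC-SHA1 hex digest of the body.
  // See https://developer.github.com/webhooks/securing/#validating-payloads-from-github
  // NOTE(review): GitHub also sends x-hub-signature-256 (HMAC-SHA256) and
  // recommends it over this SHA-1 header; confirm the trigger exposes it
  // before switching the check over.
  const expected = Buffer.from(
    'sha1=' + crypto.createHmac('sha1', GITHUB_SECRET).update(rawBody).digest('hex')
  )
  const received = Buffer.from(receivedSignature)

  // Constant-time comparison, see https://stackoverflow.com/a/31096242/10795955
  // crypto.timingSafeEqual throws a RangeError when the buffers differ in
  // length, so a malformed or truncated header is rejected by the length test
  // first. The expected length is public, so this reveals nothing secret.
  const signatureMatches =
    received.length === expected.length && crypto.timingSafeEqual(expected, received)

  if (!signatureMatches) {
    $end("The correct secret key was not passed in the event. Exiting!")
  }
}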
(event, steps) => {
}
// GitHub attaches a "zen" string (a short piece of GitHub wisdom) to the
// Ping Event only, so its presence identifies a ping delivery:
// https://developer.github.com/webhooks/#ping-event
const { zen } = event.body
if (zen) {
  // Nothing to process for a ping; stop the workflow here.
  $end("Github ping event, exiting early")
}
(event, steps, params) => {
}
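// Let only merged pull requests against params.target_branch continue.
// The checks form one if / else-if chain so that exactly one $end() call is
// made, and so that no later check dereferences a field that an earlier check
// has already shown to be absent, whether or not $end() halts execution.
const pullRequest = event.body.pull_request
const triggerBody = steps.trigger.event.body

if (event.headers["x-github-event"] !== 'pull_request') {
  $end("Event isn't a pull request, exiting early")
} else if (event.body.action !== 'closed' || !pullRequest || pullRequest.merged !== true) {
  // Fail closed: `merged` must be explicitly true. A payload that omits the
  // field is treated as not merged instead of slipping through.
  $end("This pull requests isn't closed or merged, exiting early")
} else if (
  !triggerBody.pull_request ||
  !triggerBody.pull_request.base ||
  triggerBody.pull_request.base.ref !== params.target_branch
) {
  // The branch compared against is params.target_branch, whatever the message says.
  $end("This pull request isn't targeting the master")
}
// At this point, we have a closed, merged PR against the target branch.
// The rest of the code in the workflow should run only on such PRs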