Open tchajed opened 1 month ago
Signing the hooks is not necessary. Running the server with an empty WEBHOOK_SECRET causes it to ignore verification already (due to google/go-github), and this is already what happens when running without the production environment dotenvx private key.
I added some data from pushes, captured from the bot's log on GitHub. Next we need a script to read that data and push it.
Ideally this could all be composed into a unit test but capturing and comparing the output automatically requires more infrastructure, because the server does rely on the docker container to set up Python correctly, and then the output just goes to stdout.
Capture a few interesting GitHub pushes, save them, and add a simple script to POST them to the local server for testing.
It would be great to also automate signing the hooks, so that they continue to work if some parameters are manually tweaked or if the secret changes. I'd rather have the requests signed even in testing than add a development flag that doesn't check the signature, since signature verification is handled by a library.
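The signing step discussed in this issue, as an added example that is not part of the issue or the project's code: it computes the `X-Hub-Signature-256` header (HMAC-SHA256 of the raw body, hex-encoded with a `sha256=` prefix) for a captured push payload and builds the POST for a local server. The URL, delivery ID, sample payload and function names are assumptions; `WEBHOOK_SECRET` is the variable named above.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/http"
	"os"
)

// SignPayload returns the X-Hub-Signature-256 value for the exact bytes sent.
func SignPayload(secret, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return "sha256=" + hex.EncodeToString(mac.Sum(nil))
}

// VerifySignature is the receiver-side check, using a constant-time compare.
func VerifySignature(secret, body []byte, header string) bool {
	return hmac.Equal([]byte(SignPayload(secret, body)), []byte(header))
}

// NewPushRequest builds the POST for a captured push payload (hypothetical helper).
// With an empty secret the request is left unsigned.
func NewPushRequest(url string, secret, body []byte, deliveryID string) (*http.Request, error) {
	req, err := http.NewRequest(http.MethodPost, url, bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/json")
	req.Header.Set("X-GitHub-Event", "push")
	req.Header.Set("X-GitHub-Delivery", deliveryID)
	if len(secret) > 0 {
		req.Header.Set("X-Hub-Signature-256", SignPayload(secret, body))
	}
	return req, nil
}

func main() {
	secret := []byte(os.Getenv("WEBHOOK_SECRET"))
	body := []byte(`{"ref":"refs/heads/main","commits":[]}`) // constructed sample, not a captured push
	req, err := NewPushRequest("http://localhost:8080/webhook", secret, body, "constructed-delivery-1")
	if err != nil {
		panic(err)
	}
	// To deliver it to a running local server: http.DefaultClient.Do(req)
	fmt.Printf("signature header: %q\n", req.Header.Get("X-Hub-Signature-256"))
}
```

The signature covers the body byte for byte, so a captured payload that is re-indented or otherwise tweaked has to be re-signed after the edit, which is what signing at send time gives you.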