GitHub signs every webhook delivery with an HMAC-SHA256 signature in the X-Hub-Signature-256 header. Use the Webhook Debugger to confirm your webhook secret is correct, inspect individual push, pull request, and deployment events, and replay a specific delivery to staging without waiting for the next real trigger.

Configure the actor for GitHub

Start the actor with the following input. Replace replace_with_github_webhook_secret with the secret you set in GitHub’s webhook settings.
{
  "urlCount": 1,
  "retentionHours": 48,
  "authKey": "github-debug-key",
  "enableJSONParsing": true,
  "maskSensitiveData": true,
  "signatureVerificationSecret": "replace_with_github_webhook_secret",
  "signatureVerification": {
    "provider": "github"
  },
  "defaultResponseCode": 200,
  "defaultResponseBody": "{\"received\":true}",
  "forwardUrl": "https://staging.example.com/github/webhooks",
  "forwardHeaders": true,
  "replayMaxRetries": 3,
  "replayTimeoutMs": 10000,
  "alerts": {
    "slack": {
      "webhookUrl": "https://hooks.slack.com/services/AAA/BBB/CCC"
    }
  },
  "alertOn": ["signature_invalid", "5xx"]
}
GitHub verification uses the X-Hub-Signature-256 header with a required sha256= prefix. The actor verifies the signature against the preserved raw request body, so the result stays valid even when enableJSONParsing is enabled. After the actor starts, call /info to retrieve the generated webhook URL.

Point your GitHub webhook at the generated URL

1. Open webhook settings. For a repository webhook, go to Settings → Webhooks → Add webhook. For a GitHub App, go to Developer settings → GitHub Apps → your app → Edit → Webhook.
2. Paste the endpoint URL. Copy the /webhook/:id URL from /info and paste it into the Payload URL field.
3. Set the content type. Set Content type to application/json.
4. Add the secret. Paste your webhook secret into the Secret field and copy the same value into signatureVerification.secret in the actor input.
5. Select events. Choose which events to send: Just the push event, Send me everything, or a custom selection that matches your CI workflow.

Inspect push, PR, and deployment events

After GitHub delivers a webhook, query /logs to see what was captured. Filter by the X-GitHub-Event header to isolate a specific event type:
GET /logs?webhookId=wh_abc123&headers.x-github-event=push
Look up a specific delivery by the ID GitHub shows in the webhook delivery history:
GET /logs?webhookId=wh_abc123&headers.x-github-delivery=<delivery-id>
A captured push event looks like this:
{
  "id": "evt_8m2L5p9xR",
  "webhookId": "wh_abc123",
  "timestamp": "2026-01-30T12:00:00.000Z",
  "method": "POST",
  "statusCode": 200,
  "signatureValid": true,
  "signatureProvider": "github",
  "headers": {
    "x-github-event": "push",
    "x-github-delivery": "abc-123-def-456"
  },
  "body": {
    "ref": "refs/heads/main",
    "repository": {
      "full_name": "org/repo"
    }
  }
}
signatureValid: true confirms the actor verified X-Hub-Signature-256 against your secret. To check for signature failures:
GET /logs?webhookId=wh_abc123&signatureValid=false

Debug CI callback failures with replay

If a CI or deployment callback reached the actor but failed downstream, check /system/metrics for forwarding error details. Once you fix the downstream target, replay the original captured delivery to staging:
curl -X POST \
  "https://<run-id>.runs.apify.net/replay/wh_abc123/evt_8m2L5p9xR?url=https%3A%2F%2Fstaging.example.com%2Fgithub%2Fwebhooks"
The replay uses the original captured method and payload, so your staging handler receives the same delivery GitHub originally sent.
Use responseDelayMs in the actor input or append ?__status=500 to the webhook URL to simulate failure responses and test your CI error-handling paths before production changes.

Common failure patterns

| Signal | What it usually means | What to do |
| --- | --- | --- |
| signatureValid=false | Wrong webhook secret or missing sha256= prefix in the incoming header | Re-check the GitHub webhook secret and inspect the captured raw request |
| Missing expected action field | The event type doesn’t include the payload shape your workflow assumed | Filter by headers.x-github-event first, then inspect the parsed body for that event family |
| Forwarding failures | GitHub reached the actor but forwarding to your staging bridge failed later | Fix the downstream target, then replay the original delivery by log ID |
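
To work through the signatureValid=false row, the check described under "Configure the actor for GitHub" can be reproduced locally against a captured raw request. The Python below is an added example, not the actor's own code: it recomputes X-Hub-Signature-256 over the raw body bytes and names the failure class. The secret, the payload, and the helper names github_signature, diagnose and demo are constructed for illustration.

```python
import hashlib
import hmac
import json
from typing import Optional


def github_signature(secret: str, raw_body: bytes) -> str:
    """Header value for a body: 'sha256=' + hex HMAC-SHA256 of the raw bytes."""
    digest = hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()
    return "sha256=" + digest


def diagnose(secret: str, raw_body: bytes, header: Optional[str]) -> str:
    """Hypothetical helper: name why a captured delivery passes or fails."""
    if not header or not header.strip():
        return "missing_header"
    header = header.strip()
    if not header.startswith("sha256="):
        return "missing_prefix"
    expected = github_signature(secret, raw_body)
    # Constant-time comparison: does not reveal how many leading characters match.
    if hmac.compare_digest(expected.encode(), header.encode()):
        return "valid"
    # Either the secret differs or these are not the exact bytes GitHub signed.
    return "mismatch"


# Constructed sample data: not a real secret or a real delivery.
SECRET = "constructed-example-secret"
RAW = b'{"ref": "refs/heads/main", "repository": {"full_name": "org/repo"}}\n'
HEADER = github_signature(SECRET, RAW)


def demo() -> dict:
    # Parsing and re-encoding JSON changes whitespace, so the signed bytes are lost.
    reserialized = json.dumps(json.loads(RAW), separators=(",", ":")).encode()
    return {
        "original": diagnose(SECRET, RAW, HEADER),
        "wrong_secret": diagnose("other-secret", RAW, HEADER),
        "no_prefix": diagnose(SECRET, RAW, HEADER[len("sha256="):]),
        "no_header": diagnose(SECRET, RAW, None),
        "reserialized_body": diagnose(SECRET, reserialized, HEADER),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:18} {result}")
```

The reserialized_body case is why verification has to run on the preserved raw bytes rather than on a re-encoded copy of the parsed JSON.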