adds webhook secret capability

Signed-off-by: Collin McNeese <[email protected]>
collinmcneese · Jan 6, 2023 · 412cd9e · 412cd9e
1 parent b42bd5b
commit 412cd9e
Show file tree

Hide file tree

Showing 6 changed files with 50 additions and 12 deletions.
diff --git a/README.md b/README.md
@@ -8,6 +8,13 @@ This repository is a work-in-progress.  See [TODOs](#todos)
 
 ## Usage
 
+### Inputs
+
+- `target-url`: **String**, **Required**, The target URL destination where webhook event payloads will be reflected to.
+- `webhook-secret`: **String**, **Optional**, Secret data value to use for webhook payload.  Populates `X-Hub-Signature` and `X-Hub-Signature-256` header values. See [Securing Your Webhooks](https://docs.github.com/en/developers/webhooks-and-events/webhooks/securing-your-webhooks) for additional context.
+
+### Example
+
 Example workflow for consuming reflector:
 
 ```yaml
@@ -23,7 +30,7 @@ jobs:
     - name: GitHub Actions Reflector
       uses: collinmcneese/github-actions-reflector@main
       with:
-        targetUrl: 'http://172.17.0.1:8080/github-webhook/'
+        target-url: 'http://172.17.0.1:8080/github-webhook/'
 ```
 
 ## Why Does This Exist?

diff --git a/action.yml b/action.yml
@@ -5,13 +5,12 @@ branding:
   icon: 'fast-forward'
   color: 'blue'
 inputs:
-  targetUrl:
+  target-url:
     description: 'The event target URL.'
     required: true
-  runner-label:
-    description: 'The runner label to use.'
+  webhook-secret:
+    description: 'The secret to use for signing the event payload.'
     required: false
-    default: 'self-hosted'
 runs:
   using: 'node16'
   main: 'dist/index.js'
diff --git a/dist/index.js b/dist/index.js
@@ -42455,8 +42455,15 @@ var __webpack_exports__ = {};
 const core = __nccwpck_require__(9991);
 const github = __nccwpck_require__(6140);
 const request = __nccwpck_require__(1265);
+const crypto = __nccwpck_require__(6113);
+
+// Parse inputs
+const targetUrl = core.getInput('target-url');
+const webhookSecret = core.getInput('webhook-secret');
 
 async function reflector({context, targetUrl}) {
+  let payloadJson = JSON.stringify(context.payload, undefined, 2);
+
   // Validate that targetUrl is a valid URL
   const URL = (__nccwpck_require__(7310).URL);
 
@@ -42471,6 +42478,8 @@ async function reflector({context, targetUrl}) {
 
   validateUrl(targetUrl);
 
+  // Build request options
+  // Include the signature in the headers, if a webhookSecret was provided
   let options = {
     url: targetUrl,
     method: 'POST',
@@ -42479,9 +42488,15 @@ async function reflector({context, targetUrl}) {
       'Content-Type': 'application/json',
       'Content-Length': context.payload.length,
     },
-    body: JSON.stringify(context.payload),
+    body: payloadJson,
   };
 
+  // Build GitHub signature headers with secret
+  if (webhookSecret) {
+    options.headers['X-Hub-Signature'] = `sha1=${crypto.createHmac('sha1', webhookSecret).update(payloadJson).digest('hex')}`;
+    options.headers['X-Hub-Signature-256'] = `sha256=${crypto.createHmac('sha256', webhookSecret).update(payloadJson).digest('hex')}`;
+  }
+
   // Send the request
   return new Promise((resolve, reject) => {
     console.log(`Sending payload to ${targetUrl} with options: ${JSON.stringify(options.headers)}`);
@@ -42498,7 +42513,8 @@ async function reflector({context, targetUrl}) {
   });
 };
 
-reflector({context: github.context, targetUrl: core.getInput('targetUrl')}).then((result) => {
+// Run the Reflector action
+reflector({context: github.context, targetUrl: targetUrl}).then((result) => {
   console.log(result);
 
   core.summary

diff --git a/index.js b/index.js
@@ -3,8 +3,15 @@
 const core = require('@actions/core');
 const github = require('@actions/github');
 const request = require('request');
+const crypto = require('crypto');
+
+// Parse inputs
+const targetUrl = core.getInput('target-url');
+const webhookSecret = core.getInput('webhook-secret');
 
 async function reflector({context, targetUrl}) {
+  let payloadJson = JSON.stringify(context.payload, undefined, 2);
+
   // Validate that targetUrl is a valid URL
   const URL = require('url').URL;
 
@@ -19,6 +26,8 @@ async function reflector({context, targetUrl}) {
 
   validateUrl(targetUrl);
 
+  // Build request options
+  // Include the signature in the headers, if a webhookSecret was provided
   let options = {
     url: targetUrl,
     method: 'POST',
@@ -27,9 +36,15 @@ async function reflector({context, targetUrl}) {
       'Content-Type': 'application/json',
       'Content-Length': context.payload.length,
     },
-    body: JSON.stringify(context.payload),
+    body: payloadJson,
   };
 
+  // Build GitHub signature headers with secret
+  if (webhookSecret) {
+    options.headers['X-Hub-Signature'] = `sha1=${crypto.createHmac('sha1', webhookSecret).update(payloadJson).digest('hex')}`;
+    options.headers['X-Hub-Signature-256'] = `sha256=${crypto.createHmac('sha256', webhookSecret).update(payloadJson).digest('hex')}`;
+  }
+
   // Send the request
   return new Promise((resolve, reject) => {
     console.log(`Sending payload to ${targetUrl} with options: ${JSON.stringify(options.headers)}`);
@@ -46,7 +61,8 @@ async function reflector({context, targetUrl}) {
   });
 };
 
-reflector({context: github.context, targetUrl: core.getInput('targetUrl')}).then((result) => {
+// Run the Reflector action
+reflector({context: github.context, targetUrl: targetUrl}).then((result) => {
   console.log(result);
 
   core.summary

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "github-actions-reflector",
-  "version": "0.2.1",
+  "version": "0.3.0",
   "description": "",
   "main": "app.js",
   "scripts": {