webhook: Github - Hook rules were not satisfied.

We ran into an interesting problem and we found very hardly the “solution”. I’m not sure about should we create a discussion instead of an issue?

We configured a webhook, which worked fine from the test account (Github, “A” private repository). After we checked everything, we switched to the live account (Github, “B” private repository, same configuration for the Github Webhooks) and got the Hook rules were not satisfied error. On both repository had “main” branch, got the push event and hooks did not worked from the live account on “B” repository. The configuration and the solution below:

Github: Payload URL: https://sitename.tld/hooks/sitename Content type: application/json Secret: password SSL verification: Enable Which events…: Just the push event

/etc/webhook.conf:

[ 
  {
    "id": "sitename",
    "execute-command": "/var/scripts/deploy/sitename.sh",
    "include-command-output-in-response": false,
    "trigger-rule": {
      "and": [
        {
          "match": {
            "type": "payload-hash-sha1",
            "secret": "password",
            "parameter": {
              "source": "header",
              "name": "X-Hub-Signature"
            }
          }
        },
        {
          "match": {
            "type": "value",
            "value": "refs/heads/main",
            "parameter": {
              "source": "payload",
              "name": "ref"
            }
          }
        }
      ]
    }
  }
]

We were not able to understand - what did we do wrong? where is the problem and what is the difference between “A” and “B” repository? Started to read the Github Webhooks docs and it says:

Note: For backward-compatibility, we also include the X-Hub-Signature header that is generated using the SHA-1 hash function. If possible, we recommend that you use the X-Hub-Signature-256 header for improved security. The example below demonstrates using the X-Hub-Signature-256 header.

So, we changed the hashing: "type": "payload-hash-sha1", => "type": "payload-hash-sha256", "name": "X-Hub-Signature" => "name": "X-Hub-Signature-256"

and our problem instantly solved, we are not getting the “Hook rules were not satisfied.” error anymore.

After lot of painful hours we are happy that the problem is solved, but we would like to help the community to not waste more time like we did.

So still the question: where is the catch?

  • No difference between the configuration, nothing at all.
  • Same server
  • Different repositories, but both of them got pushes to the main branch.
  • 2 different github account, both have private repository.

About this issue

  • Original URL
  • State: open
  • Created 3 years ago
  • Reactions: 2
  • Comments: 21

Most upvoted comments

I couldn’t make 2.6.9 work either. What eventually did work was upgrading to 2.8.0 (via snap) and then using payload-hmac-sha256 with X-Hub-Signature-256 and being sure that the webhook was using a content type of application/json.

The debug logged the following prior to me finally making it work (again this was 2.8.0):

[webhook] 2021/05/22 18:56:21 [5dd745] deploy-test got matched
[webhook] 2021/05/22 18:56:21 [5dd745] parameter node not found: ref

Thanks @robhenley, as you suggested the issue for me was that I had to change the webhook content type from the default “application/x-www-form-urlencoded” to “application/json” in GitHub settings. With this change it works for me even on the old 2.6.9 version.

Hello,

@howkymike could you please give a curl command sample that you use to execute the webhook with this configuration ?

Thanks Alain