Skip to main content
Use Hookdrop as your GitHub webhook URL to capture repository events — pushes, pull requests, issues, releases, and workflow runs — and inspect every payload in real time.

Setup

1

Open webhook settings

Go to your GitHub repository, then navigate to Settings → Webhooks.
2

Add a webhook

Click Add webhook.
3

Paste your Hookdrop URL

Enter your capture URL in the Payload URL field:
https://hookdrop.dev/in/{your-token}
Replace {your-token} with the token shown on your Hookdrop dashboard.
4

Set the content type

Change Content type to application/json. This ensures Hookdrop receives a structured JSON body you can inspect directly.
5

Select events

Choose Let me select individual events and check the events relevant to your integration, or select Send me everything to capture all activity.
6

Save the webhook

Click Add webhook. GitHub fires a ping event immediately — it appears in your Hookdrop dashboard within seconds to confirm the connection is working.
GitHub sends a ping event when you first register a webhook. You don’t need to handle it explicitly — Hookdrop captures it automatically so you can confirm delivery.

Common events

EventWhen it fires
pushCode is pushed to any branch
pull_requestA pull request is opened, closed, or merged
issuesAn issue is opened or closed
releaseA new release is published
workflow_runA GitHub Actions workflow completes

Signature verification

GitHub signs every webhook request with an X-Hub-Signature-256 header. Verify it in your handler before processing any event.
github-webhook.ts
import crypto from 'crypto'

const verifyGitHubWebhook = (
  payload: string,
  signature: string,
  secret: string
): boolean => {
  const expected = `sha256=${crypto
    .createHmac('sha256', secret)
    .update(payload)
    .digest('hex')}`

  return crypto.timingSafeEqual(
    Buffer.from(expected),
    Buffer.from(signature)
  )
}
Set your webhook secret in GitHub under Settings → Webhooks → [your webhook] → Secret. Use the same value in your handler.
Use crypto.timingSafeEqual rather than === to compare signatures. Direct string comparison is vulnerable to timing attacks.

Testing locally

Point your GitHub webhook at your Hookdrop URL during development. Every push, PR, or issue event is captured and stored — you can replay any of them to your local handler without re-triggering the actual GitHub action.

Next: Shopify

Set up Hookdrop to capture Shopify order, product, and customer events.