# Receive GitHub webhook

Receive GitHub push webhook notifications. This endpoint is called by GitHub, not by users directly.

#### Headers

**`X-Hub-Signature-256`** string required

GitHub webhook signature for verification

**`X-GitHub-Event`** string required

Event type (must be "push")

**`Content-Type`** string required · `application/json`

#### Request Body

GitHub push event payload (automatically sent by GitHub)

## Returns

Returns 200 OK if the webhook is successfully processed.

## Authentication

This endpoint does NOT require JWT authentication. It verifies the webhook signature instead using HMAC-SHA256.

GitHub Configuration
Configure the webhook in your GitHub repository settings:

1. Go to **Settings** → **Webhooks** → **Add webhook**
2. Set **Payload URL**: `https://api.aitronos.com/v1/streamline/webhooks/github`
3. Set **Content type**: `application/json`
4. Set **Secret**: Your webhook secret (provided by Freddy)
5. Select **Just the push event**
6. Click **Add webhook**


Example Payload
GitHub automatically sends this payload structure:


```json
{
  "ref": "refs/heads/main",
  "before": "def456abc123",
  "after": "abc123def456",
  "repository": {
    "id": 123456789,
    "name": "repo",
    "full_name": "owner/repo",
    "html_url": "https://github.com/owner/repo"
  },
  "pusher": {
    "name": "username",
    "email": "user@example.com"
  },
  "commits": [
    {
      "id": "abc123def456",
      "message": "Update automation code",
      "timestamp": "2025-11-15T10:30:00Z",
      "author": {
        "name": "Author Name",
        "email": "author@example.com"
      }
    }
  ]
}
```

Testing Webhook
Test the webhook from GitHub:


```bash
# View recent webhook deliveries in GitHub UI
# Settings → Webhooks → Recent Deliveries

# Or use GitHub CLI
gh api repos/owner/repo/hooks
```


```python
# Verify webhook signature (for reference)
import hmac
import hashlib

def verify_signature(payload_body, signature_header, secret):
    """Verify GitHub webhook signature"""
    hash_object = hmac.new(
        secret.encode('utf-8'),
        msg=payload_body,
        digestmod=hashlib.sha256
    )
    expected_signature = "sha256=" + hash_object.hexdigest()
    return hmac.compare_digest(expected_signature, signature_header)
```


```javascript
// Verify webhook signature (for reference)
const crypto = require('crypto');

function verifySignature(payloadBody, signatureHeader, secret) {
  const hmac = crypto.createHmac('sha256', secret);
  const digest = 'sha256=' + hmac.update(payloadBody).digest('hex');
  return crypto.timingSafeEqual(
    Buffer.from(digest),
    Buffer.from(signatureHeader)
  );
}
```

**Response:**

200 OK

```json
{
  "status": "success",
  "message": "Webhook processed successfully"
}
```

400 Bad Request

```json
{
  "success": false,
  "error": {
    "code": "INVALID_INPUT",
    "message": "Invalid event type. Only 'push' events are supported",
    "status": 400,
    "trace_id": "req_d4a118e7"
  }
}
```

401 Unauthorized

```json
{
  "success": false,
  "error": {
    "code": "INVALID_CREDENTIALS",
    "message": "Invalid webhook signature",
    "status": 401,
    "trace_id": "req_bf0fa421"
  }
}
```