#!/bin/bash
# Test GitHub webhook endpoint with signature verification
WEBHOOK_SECRET="${GITHUB_WEBHOOK_SECRET:-test_secret_123}"
URL="http://localhost:9999/webhooks/github"
# Sample GitHub release webhook payload
PAYLOAD='{
"action": "published",
"release": {
"tag_name": "v1.0.0",
"name": "Version 1.0.0",
"html_url": "https://github.com/test/repo/releases/tag/v1.0.0"
},
"repository": {
"full_name": "test/repo",
"html_url": "https://github.com/test/repo"
},
"sender": {
"login": "testuser"
}
}'
# Generate HMAC signature
SIGNATURE=$(echo -n "$PAYLOAD" | openssl dgst -sha256 -hmac "$WEBHOOK_SECRET" | sed 's/^.* //')
echo "Testing webhook endpoint..."
echo "Secret: $WEBHOOK_SECRET"
echo "Payload: $PAYLOAD"
echo "Signature: sha256=$SIGNATURE"
echo ""
# Test with valid signature
echo "=== Test 1: Valid signature ==="
curl -X POST "$URL" \
-H "Content-Type: application/json" \
-H "X-GitHub-Event: release" \
-H "X-GitHub-Delivery: test-delivery-001" \
-H "X-Hub-Signature-256: sha256=$SIGNATURE" \
-d "$PAYLOAD"
echo -e "\n"
# Test with invalid signature
echo "=== Test 2: Invalid signature (should reject) ==="
curl -X POST "$URL" \
-H "Content-Type: application/json" \
-H "X-GitHub-Event: release" \
-H "X-GitHub-Delivery: test-delivery-002" \
-H "X-Hub-Signature-256: sha256=invalid_signature_here" \
-d "$PAYLOAD"
echo -e "\n"
# Test with missing signature
echo "=== Test 3: Missing signature (should reject) ==="
curl -X POST "$URL" \
-H "Content-Type: application/json" \
-H "X-GitHub-Event: release" \
-H "X-GitHub-Delivery: test-delivery-003" \
-d "$PAYLOAD"
echo -e "\n"
