Github Webhooks for Fun and Profit // Transparency, Inspection, and Adaptation

I’m in the middle of a fun little exploration for work that bled over into personal time. Our CI/CD pipeline runs a dependabot-ci every evening. When everything is calm and well in the world our Jenkins server is quiet. When new CVEs are published, Mr. Jenkins becomes chatty, posting failure notifications to our team’s Slack channel. The last thing developmers want to see after hours is CI failure messages in Slack.

I, like most good developers, am lazy. I don’t want to keep doing the same tasks over and over again Ground Hog Day style. When opportunities to automate away the drudgery present themselves, I pounce. This was one of those opportunities. I want to automate creation of the Jira (yes, it’s a four-letter-word) ticket required for auditing our code changes. And this is where the webhook comes into play.

Right before Jenkins posts in the Slack channel, he creates a pull request for us - similar to dependabot on Github. I can create a webhook in Github (Enterprise) and post the json payload from the pull request along to another web endpoint. From there I can parse out the compliance information, create the Jira ticket, point, prioritize, and put it into the ready column of our kanban board.

This evening when I followed along with the Github documentation I ran into a few Gotchas. The first one was trying to install ngrok on the work laptop. There aren’t real keen on proxies and when dealing with healthcare information I don’t blame them a bit. I switched to my personal machine and marched onward.

There some bumps in setting up my server to receive calls with the webhook information. Ngrok shows a default port of 80 for routing internet traffic into my machine, but the ruby webrick server doesn’t listen on port 80 by default. Webrick wants to listen on port 4567.

After a few rounds of running

ngrok http 80

and watching 503 errors it occurred to me that my plumbing was bad and that’s when I caught the difference in the port configuration.

Launching ngrok with

ngrok http 4567

enabled the webhook that I’d configured withing my Github repository to publish to my ngrok endpoint and attempt to resolve my local ruby server. My reward was a 404 response this time. Yeah! Progress.

Ngrok wasn’t lying. I configured the server to accept a post request at /payload. The Github webhook didn’t have the correct route. Once I tacked on the /payload I was able to redeliver messages from the Github webhook through the ngrok proxy to my wee-little ruby server that obediently slammed the JSON payload into my console window.

The next step is to parse out my Jira ticket title, summary, and prep a JSON payload to throw at the Jira Rest API. Before long no one on my team will need to spend a morning creating Jira tickets for dependabot pull requests that make our software more secure. #winning.