How to Test GitHub Webhooks: Complete Guide

Why GitHub Webhook Testing Matters

GitHub webhooks power some of the most critical developer workflows: CI/CD pipelines, deployment automations, code review bots, issue trackers, and notification systems. Every time code is pushed, a pull request is opened, an issue is created, or a release is published, GitHub can notify your application in real-time.

Getting these integrations wrong can have serious consequences. A misconfigured deployment webhook might skip a build. A broken PR notification webhook might leave your team uninformed about critical code changes. A failed issue webhook might prevent your project management tool from staying in sync.

Testing GitHub webhooks thoroughly during development ensures your integration handles every event type correctly, even edge cases like force pushes, draft pull requests, or deleted branches.

Key GitHub Webhook Events

Step-by-Step: Test GitHub Webhooks with Requex.me

1. Get your test URL: Visit requex.me and copy your unique webhook URL.
2. Configure GitHub: Go to your repository → Settings → Webhooks → Add webhook. Paste your Requex URL in the "Payload URL" field. Set Content type to application/json. Choose which events to receive.
3. Set a secret: Enter a webhook secret (any random string). You'll use this to verify signatures in production.
4. Trigger an event: Make a commit, open a PR, or create an issue. The webhook payload appears instantly in your Requex dashboard.
5. Inspect the payload: Click on the request to see the full JSON body, headers (including X-GitHub-Event and X-Hub-Signature-256), and delivery ID.

GitHub Webhook Signature Verification

GitHub signs each webhook delivery using your secret. The signature is sent in the X-Hub-Signature-256 header as a SHA-256 HMAC hex digest.

// Node.js verification
const crypto = require('crypto');

function verifyGitHubSignature(payload, signature, secret) {
  const expected = 'sha256=' + crypto
    .createHmac('sha256', secret)
    .update(payload)
    .digest('hex');
  
  return crypto.timingSafeEqual(
    Buffer.from(signature),
    Buffer.from(expected)
  );
}

// Usage in Express
app.post('/webhooks/github', express.raw({type: '*/*'}), (req, res) => {
  const sig = req.headers['x-hub-signature-256'];
  if (!verifyGitHubSignature(req.body, sig, process.env.GITHUB_WEBHOOK_SECRET)) {
    return res.status(401).send('Invalid signature');
  }
  
  const event = req.headers['x-github-event'];
  const payload = JSON.parse(req.body);
  
  switch(event) {
    case 'push':
      console.log('Push to', payload.ref);
      break;
    case 'pull_request':
      console.log('PR', payload.action, payload.pull_request.title);
      break;
  }
  
  res.status(200).send('OK');
});

GitHub-Specific Tips