GitHub Webhook Trigger

Receive and verify webhooks from GitHub.

Overview

The GitHub Webhook Trigger runs a workflow when GitHub delivers a webhook event to a Spojit-generated URL. It verifies the X-Hub-Signature-256 header against a shared secret so only payloads signed by your repository or organization are accepted.

Use it to react to repository activity such as pull requests, issues, pushes, releases, and workflow runs. The verified payload becomes the input to downstream nodes, which can post Slack notifications, create Monday.com tasks, kick off deployments, or run AI analysis over diffs.

What You Can Do

The GitHub Webhook Trigger receives signed event payloads from GitHub and exposes them to the workflow body:

pull_request events - opened, edited, closed, merged, reopened, review requested, labeled.
issues events - opened, edited, closed, assigned, labeled, milestoned.
push events - branch and tag pushes with commit list and author metadata.
issue_comment and pull_request_review events for comment and review activity.
release, workflow_run, check_run, and other repository or organization events you subscribe to.
X-GitHub-Event header - the event name, useful for branching workflow logic.
body - the full GitHub event JSON exposed to the workflow once the signature is verified.

Authentication

The GitHub Webhook Trigger does not call the GitHub API. Spojit verifies inbound requests using the X-Hub-Signature-256 HMAC header against the secret you configured on the GitHub side. To set this up, open the repository or organization, go to Settings -> Webhooks -> Add webhook, paste the Spojit-generated URL as the Payload URL, set Content type to application/json, and enter the same secret in both places.

Setting Up Your Connection

Go to Connections from the sidebar.
Click + Add Connection.
Search for GitHub Webhook Trigger and select it.
Enter a webhook secret. Spojit generates a webhook URL for you to copy.
Give your connection a name (for example "Acme repo webhook") and click Save.
In GitHub, go to your repository or organization Settings -> Webhooks -> Add webhook, paste the URL, set the content type to application/json, paste the same secret, and choose the events to send.
Click Add webhook. GitHub sends a ping event you can confirm in Spojit execution logs.

Using the Trigger

The workflow starts on a webhook trigger node bound to this connection. Once GitHub delivers a verified event, the workflow runs against the payload. Use {{trigger.headers["X-GitHub-Event"]}} to branch on event type and {{trigger.body}} to read fields like pull_request.title or repository.full_name.

Tips

Limit the events on the GitHub side so the workflow only fires for what you need; extra events cost executions.
Use the Recent Deliveries tab on the GitHub webhook page to replay a payload while you build the workflow.
For organization-wide automation, attach the webhook at the organization level rather than configuring each repo individually.
Add a Condition node early in the workflow on X-GitHub-Event to route different event types down different branches.

Common Pitfalls

Setting Content type to application/x-www-form-urlencoded instead of application/json breaks signature verification.
The X-Hub-Signature-256 header is signed against the raw request body; a proxy that reformats JSON will invalidate the signature.
Some events (for example pull_request) fire many sub-actions; filter on action in the payload to avoid running the workflow on every state change.
Rotating the secret in GitHub requires updating the secret in Spojit at the same time, otherwise deliveries fail.

Common Use Cases

For technical API details and field specifications, see the GitHub Webhook Trigger trigger documentation.