Hello

I have used self hosted runner which runs on windows instead of ubuntu. The runner is running successfully but when the actions gets triggered it throws following error

Run distributhor/workflow-webhook@v3
Error: Container action is only supported on Linux

Please help me with above error

When support arrives for cached docker images on GitHub (estimated mid-November 2020), do what's necessary to get it working

Am trying to call Azure pipeline with access token. Which means I need to pass only password in webhook_auth, something like webhook_auth: ":ACCESSTOKEN", and this fails with 401

I've noticed that our webhook that uses this action stopped working. After some investigation, I've found out that the signature is not valid anymore. Testing with the Docker image directly, I've found that it works with v3.0.3, but not in v3.0.4. I assume it is related to the changes in entrypoint.sh.

We're using our homemade https://github.com/gbv/github-webhook-handler for handling webhooks from GitHub. The signature validation code is here and it works perfectly for webhook requests coming directly from GitHub.

Hi there, thank you for this project. I'm currently working on a server side implementation, that is supposed to receive a webhook and recreate a docker container.

While taking a look at your code, I've found multiple security problems. I don't think they are too bad for most people but still I feel like they should be addressed. I will open an issue for each of them, to help with organizing them, even though they are kind of related to each other. I'm sorry for spamming you with issues, but I think it's worth it.

The current implementation does not verify SSL certificates, if I correctly understand the curl docs on option -k. This parameter was introduced in 16b7ccd as a response to #3.

I can see how some people do not have the time, patience or even the option to use verifiable SSL certificates, but I do and so will others.

I believe there are two ways to fix this issue (both using an additional argument verify-ssl: [bool] similar to silent: [bool]):

1. Remove -k-option by default and only add it, if an additional argument verify-ssl: false is added to the workflow config. This would have the benefit that the most secure option is used by default, but might break other peoples' workflows if they use unsigned certificates and would require them to update their workflow config.
2. Add an additional argument verify-ssl: true to remove the -k -option. This would at least allow people like me to verify their SSL certificates, without breaking any existing workflows. If this route is taken, it should at least be mentioned in README.md in my opinion, to warn other users.

Personally I'd prefer option 1 as it will default new users' workflows to verify their SSL certificates, but I do understand if you don't want to break any existing workflows. Just keep in mind that fixing this now might be easier than fixing it when even more people use this workflow and it actually becomes a serious security issue for some.

Latest feature of returning the results to output introduced a failure when there's a multiline response in v3.0.2.

As per this discussion and the official docs, multiline responses need to be handled accordingly.

Expected

Action to complete successfully.

Received

Webhook Request ID: a7c49923-05c1-4b44-8f8c-2aa661dc9ef5
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
...

Error: Unable to process file command 'output' successfully.
Error: Invalid format '***'

I want to write an action that produces data that gets submitted to a webhook by workflows, but the data in general is too large to put in an action output (GitHub Actions produces an "out of memory" error). It would be useful to be able to upload a file to the webhook. I believe this can be done with curl using the -F flag (see https://everything.curl.dev/http/multipart#file-input).

If the endpoint returns an error status (like 500) then no response body is shown. If I manually hit the endpoint with the same data, I get an expected error message describing the problem with the payload.

The expectation here is that if there is response data and verbose is on, then I should see the response data even if the server returned a non-200 code.

(note: originally this issue was about it not showing in general. What was actually happening is that this other issue was making it seem like there was a general problem)

As mentioned in #21 a lot of information is published using --verbose/-v by default.

This includes the headers sent, including X-Hub-Signature and X-Hub-Signature-256. If I do understand the algorithm correctly this signature is used to verify the request body only.

Since the default payload is pretty predictable (source: README.md) :

{
    "event": "push",
    "repository": "owner/project",
    "commit": "a636b6f0861bbee98039bf3df66ee13d8fbc9c74",
    "ref": "refs/heads/master",
    "head": "",
    "workflow": "Build and deploy"
}

and the signature/ hash is logged publically, I do believe that it would be an easy one to replay this request. The server (at least my current implementation) would think this is a genuine request from GitHub.

There is no way to inject malicious data or similar, since that would change and therefore invalidate the signature, but this could make it way easier to DDoS my service that recreates a docker container. Just sending unauthorized requests should have minimal performance impact, but if a genuine message is replayed, my service would try to recreate the container over and over, which would hit really badly performance wise.

This is not too bad at the moment as not the complete URL is logged, but I do believe that many people use URLs similar to https://test.com/webhooks or similar predictable URLs. If #21 is taken care of and --verbose is not the default anymore, the issue would only affect people explicitly using the verbose: true option and their old workflow logs (but I believe those are deleted anyway after 3 months).

There are multiple ways to address this issue:

1. Send a salt with each request:
   To prevent this problem from affecting me I will use an additional salt that is stored as a secret and is therefore private. This makes it impossible (or at least way harder) to replay the request, as part of the body is unknown.

       - name: Invoke deployment hook
         uses: distributhor/workflow-webhook@v1     
         env:
           webhook_url: ${{ secrets.WEBHOOK_URL }}
           webhook_secret: ${{ secrets.WEBHOOK_SECRET }}
           data: '{ "salt": "${{ secrets.WEBHOOK_SALT }}" }'

   Similarly adding other data, that is not publically available or predictable makes this attack way harder and therefore unreasonable. You could also add some sort of unique request ID (e.g. a random UUID) that is sent with each request.
2. Verify that each request is only processed once on the receiving side:
   If the receiving side stores some identifier (e.g. the commit SHA, or even better aforementioned unique request ID) and makes sure that each request is only handled once, replay attacks are not useful anymore. It might be a good idea to state this somehere in README.md.

Hi there,

I'm integrating this action (thanks!) but noticed since my endpoint isn't quite ready, that the action takes 2 minutes to fail.

curl: (28) Failed to connect to mydomain.com port 443 after 130061 ms: Operation timed out

Would you be open to adding an option for --connect-timeout with a friendly default of 10 seconds? That would help save time/expense when developing workflows...

I was getting a 403 error in the log. I thought this was because I had my web server only accept POST, but even with GET enabled, I still get the 403 error. It looks like it's doing a POST in any case. Turns out this is because the User-Agent header has duplicate text in it, which causes some web servers to block the request.

This is a cool project. When implementing in a CI workflow, it seems that the docker image is built every time, although it never changes within my project. This adds an ~30sec step to each of my builds that could be avoided with caching.

Would it be possible to cache the built image as an artifact on Github Packages? This would greatly accelerate the build.

The webhook generates a requestId property in the body of the payload. This is great because it could be used to correlate the request in the system that is processing the webhook call. However, this requestId is not logged from workflow-webhook.

My suggestion is to log requestId (if not in silent mode) so that you can look at the Actions run to get the requestId and then correlate it to the invoked system's logs.

Run distributhor/[email protected]
/usr/bin/docker run --name ghcriodistributhorworkflowwebhookcontainerv301_3[7]--workdir /github/workspace --rm -e "webhook_url" -e "webhook_secret" -e "INPUT_WEBHOOK_URL" -e "INPUT_WEBHOOK_SECRET" -e "INPUT_WEBHOOK_AUTH" -e "INPUT_WEBHOOK_TYPE" -e "INPUT_VERBOSE" -e "INPUT_SILENT" -e "INPUT_TIMEOUT" -e "INPUT_VERIFY_SSL" -e "INPUT_EVENT_NAME" -e "INPUT_DATA" -e "HOME" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_ACTOR" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "GITHUB_ACTION_REPOSITORY" -e "GITHUB_ACTION_REF" -e "GITHUB_PATH" -e "GITHUB_ENV" -e "GITHUB_STEP_SUMMARY" -e "GITHUB_STATE" -e "GITHUB_OUTPUT" -e "RUNNER_OS" -e "RUNNER_ARCH" -e "RUNNER_NAME" -e "RUNNER_TOOL_CACHE" -e "RUNNER_TEMP" -e "RUNNER_WORKSPACE" -e "ACTIONS_RUNTIME_URL" -e "ACTIONS_RUNTIME_TOKEN" -e "ACTIONS_CACHE_URL" -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/feathr/feathr":"/github/workspace" ghcr.io/distributhor/workflow-webhook-container:v3.0.1
Webhook Request ID: 402485ab-f1cd-4cab-bf7f-b6c4f14d55b0
curl: option -: is unknown
curl: try 'curl --help' or 'curl --manual' for more information

Hello,

I have a Jenkins server which is configured to use a Self-Signed SSL certificate. When I try to trigger a Jenkins Job using this action, it is failing due to the following error. Is it possible to override SSL validation?

curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it.
To learn more about this situation and how to fix it, please visit the web page mentioned above.

I have a webhook I need to call that does not accept JSON, only form data. Is it possible to provide a data value that is not JSON?

Usually regular github webhook send the X-Github-Delivery header with a UUID as a value and applications that integrate with github webhooks usually check for such value.

I did not see a way to modify the creation of a uuid or to send a custom request header with the uuid.

example of request from a webhook in github:

Accept: */*
content-type: application/json
User-Agent: GitHub-Hookshot/5ab4b44
X-GitHub-Delivery: 11eb8e80-3f7f-11ed-8e05-b5a152a893a5
X-GitHub-Event: pull_request```

Use-case if the webhook already has a "password" in the URL.

The current implementation of the curl command does not include the -L option to follow redirects. This behavior is causing issues with some Zero Trust integrations, which rely on handling redirects correctly to function properly.

Description

I would like to be able to consume the response returned by the webhook action. Often times it includes details that I need to complete my automation task, or other information that can be surfaced. I've opened a pull request to add this functionality #38 .

Current values are not url encoded

Some improvements can be made to curl failures are handled, and how that bubbles up

I'd like to have another log level between --verbose/ -v and --silent/ -s.

Currently, it is possible to pick between -v (default) and -s with the silent: [bool] parameter in the workflow config. Both of these options don't fit my needs:

• --verbose/ -v logs a lot of information to the publically available workflow runs, that I do not want to be available including the domain of the webhook_url that I (as suggested in README.md) explicitly used a secret for. Also the resolved IP address is logged. This opens the door for DDoS attacks and makes hacking the machine one step easier.
• --silent/ -s doesn't log anything (but I think this is obvious 😄), not even the response code.

Not specifying either -v or -s does log a minimal amount of output which would be enough for me to debug most issues, but little enough to not compromise on privacy.

Example output (on windows, but it should be similar on alpine): curl: (22) The requested URL returned error: 403 Forbidden. That's all.

I think the best way to address this issue is to add another option verbose: [bool] similar to silent: [bool].

Once again (as in #20), I do believe this new log level should be the default, but your opinion and that of other users might vary. Depending on your opinion the default value could be verbose: true or verbose: false.

Having the new log level as the default would also make fixing #22 way less critical.

The official GitHub Actions for VSCode extension gives errors for a working configuration.

My step looks like this:

- name: Trigger Sync Template Webhook
  uses: distributhor/[email protected]
  env:
    webhook_url: ${{ secrets.TEMPLATE_WEBHOOK_URL }}

I get this message: Missing required inputs: 'webhook_url', 'webhook_secret'

It's worth noting that it says that the webhook_secret is a required input, the docs here say otherwise.

My fix is to do this:

- name: Trigger Sync Template Webhook
  uses: distributhor/[email protected]
  env:
    webhook_url: ${{ secrets.TEMPLATE_WEBHOOK_URL }}
  # For some reason I get the red wigglies if I don't have this
  # ...they're ignored, and the above variable is actually used
  with:
    webhook_url: unused
    webhook_secret: unused

The error