Skip to content

Instantly share code, notes, and snippets.

Show Gist options
  • Save bkruger99/a41eb7797adbd759adcedc5850a50d92 to your computer and use it in GitHub Desktop.
Save bkruger99/a41eb7797adbd759adcedc5850a50d92 to your computer and use it in GitHub Desktop.
State runner on salt-api POST from GitHub push hook

Validate and run a state when a valid GitHub hook call has been received from salt-api

Idea is that we can setup salt-api to receive hook call from GitHub, and configured run stat.sls only if the request HMAC signature matche is successful.

Unfortunately most documentation says to deactivate salt-api hooks authentication (i.e. webhook_disable_auth: True) which is not a good idea.

This Gist is about finding a way to declare which state to run based on data GitHub sends on push hook. But ONLY if the request is valid.

Skeleton defines desired logic, see below.

Problem is that I have next to no experience in Python and it goes beyond my skill set.

Help would be much appreciated.

Reproduce a POST

curl -XPOST -ski \
            -H "Content-Type: application/json"\
            -H "User-Agent: GitHub-Hookshot/renoirb"\
            -H "X-Github-Delivery: bf9d3700-ec39-11e4-87ec-abf8ab3d9134"\
            -H "X-Github-Event: push"\
            -H "X-Hub-Signature: sha1=756c2d03cdb736432072b61280194e51f11bd696"\
            --data @github_push_payload.json


Setup a reactor similar to:

# /etc/salt/master.d/reactor.conf
  - 'salt/netapi/hook/github/push':
    - /srv/salt/reactor/github/push.sls'
  port: 8080
  ssl_crt: /etc/pki/tls/certs/
  ssl_key: /etc/pki/tls/certs/
  webhook_disable_auth: True
"after": "edc70f85adb425c066f183b46879c5215147bb53",
"base_ref": null,
"before": "68b1264dc533b487c0618abffd543c86506e7d78",
"commits": [
"added": [],
"author": {
"email": "[email protected]",
"name": "Renoir Boulanger",
"username": "renoirb"
"committer": {
"email": "[email protected]",
"name": "Renoir Boulanger",
"username": "renoirb"
"distinct": true,
"id": "edc70f85adb425c066f183b46879c5215147bb53",
"message": "Testing hook on IRC 6",
"modified": [
"removed": [],
"timestamp": "2015-04-26T13:29:05-04:00",
"url": ""
"compare": "",
"created": false,
"deleted": false,
"forced": false,
"head_commit": {
"added": [],
"author": {
"email": "[email protected]",
"name": "Renoir Boulanger",
"username": "renoirb"
"committer": {
"email": "[email protected]",
"name": "Renoir Boulanger",
"username": "renoirb"
"distinct": true,
"id": "edc70f85adb425c066f183b46879c5215147bb53",
"message": "Testing hook on IRC 6",
"modified": [
"removed": [],
"timestamp": "2015-04-26T13:29:05-04:00",
"url": ""
"pusher": {
"email": "[email protected]",
"name": "renoirb"
"ref": "refs/heads/master",
"repository": {
"archive_url": "{archive_format}{/ref}",
"assignees_url": "{/user}",
"blobs_url": "{/sha}",
"branches_url": "{/branch}",
"clone_url": "",
"collaborators_url": "{/collaborator}",
"comments_url": "{/number}",
"commits_url": "{/sha}",
"compare_url": "{base}...{head}",
"contents_url": "{+path}",
"contributors_url": "",
"created_at": 1372165967,
"default_branch": "master",
"description": " static workspace version using Grunt, RoughDraft.js and automated deployment and minification",
"downloads_url": "",
"events_url": "",
"fork": false,
"forks": 0,
"forks_count": 0,
"forks_url": "",
"full_name": "renoirb/renoirboulanger-styleguide",
"git_commits_url": "{/sha}",
"git_refs_url": "{/sha}",
"git_tags_url": "{/sha}",
"git_url": "git://",
"has_downloads": true,
"has_issues": true,
"has_pages": false,
"has_wiki": true,
"homepage": "",
"hooks_url": "",
"html_url": "",
"id": 10938692,
"issue_comment_url": "{/number}",
"issue_events_url": "{/number}",
"issues_url": "{/number}",
"keys_url": "{/key_id}",
"labels_url": "{/name}",
"language": "JavaScript",
"languages_url": "",
"master_branch": "master",
"merges_url": "",
"milestones_url": "{/number}",
"mirror_url": null,
"name": "renoirboulanger-styleguide",
"notifications_url": "{?since,all,participating}",
"open_issues": 0,
"open_issues_count": 0,
"owner": {
"email": "[email protected]",
"name": "renoirb"
"private": false,
"pulls_url": "{/number}",
"pushed_at": 1430069350,
"releases_url": "{/id}",
"size": 864,
"ssh_url": "[email protected]:renoirb/renoirboulanger-styleguide.git",
"stargazers": 1,
"stargazers_count": 1,
"stargazers_url": "",
"statuses_url": "{sha}",
"subscribers_url": "",
"subscription_url": "",
"svn_url": "",
"tags_url": "",
"teams_url": "",
"trees_url": "{/sha}",
"updated_at": "2015-04-26T07:49:50Z",
"url": "",
"watchers": 1,
"watchers_count": 1
"sender": {
"avatar_url": "",
"events_url": "{/privacy}",
"followers_url": "",
"following_url": "{/other_user}",
"gists_url": "{/gist_id}",
"gravatar_id": "",
"html_url": "",
"id": 296940,
"login": "renoirb",
"organizations_url": "",
"received_events_url": "",
"repos_url": "",
"site_admin": false,
"starred_url": "{/owner}{/repo}",
"subscriptions_url": "",
"type": "User",
"url": ""
# Figure out how to get this from pillar or grains #TODO
shared_secretkey = 'foobarbazz'
import json
import hmac
def run():
Read a payload from GitHub push hook and validate it
See also:
payload = data.get('post', {})
payload_json = json.load(payload)
# GitHub also sends:
# - X-Github-Signature: sha1=...
# - X-Github-Event: push
payload_sig = data.get('headers', {}).get('X-Github-Delivery')
digest_handler =
digest = digest_handler.hexdigest()
# Check if payload_sig === digest, otherwise do nothing
# Request is coming from something that knew what to send and how to sign it, launch state.sls runner
# Get (e.g. "mygithubproject")
# Get (e.g. "renoirb")
# Call state.sls method based on a Mapping.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment