Replies: 3 comments
-
👋 Hey there! There's no "official" way that I've seen to rotate webhook secrets. The method you describe of catching the error and trying it with another secret sounds like the most viable solution to me, and maybe just update the constructor to load the secret from some external key vault so you don't have to depend on rebooting. If you have the infrastructure for it, the quickest way without requiring a re-deploy would be to have a handler that listens for a change to the secret's value in a vault, then calls the REST API to update the app's secret on GitHub. There will still be a small window where you need to catch any errors in the
-
I'd love to see an example of the wrapping code if anyone implements it.
-
Related issue: octokit/webhooks.js#770
-
I am looking into my options to rotate my webhook secret without having to synchronize the Probot deployment with the GitHub settings config change.
If I am using the following settings, I will need to redeploy the Probot app at exactly the same time.
I suppose I could wrap the whole Probot setup and verifyAndReceive functions in some error handling and try a second key if the first one fails.
I thought I would ask here if there is community wisdom around rotating the webhook secret in case I am missing some nice options?
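The "try a second key if the first one fails" idea from this thread, as an added example that is not code from any participant, Probot or octokit: it verifies the raw request body against an ordered list of secrets (current, then previous) and reports which one matched. It assumes GitHub's `X-Hub-Signature-256` format (`sha256=` followed by the hex HMAC-SHA256 of the raw body); the function names, labels and secret values are hypothetical and constructed.

```javascript
const crypto = require("node:crypto");

// Compute the value expected in X-Hub-Signature-256 for a raw request body.
function sign(secret, rawBody) {
  return "sha256=" + crypto.createHmac("sha256", secret).update(rawBody).digest("hex");
}

// Constant-time comparison. timingSafeEqual throws on unequal lengths,
// so the length check has to come first.
function safeEqual(a, b) {
  const bufA = Buffer.from(a);
  const bufB = Buffer.from(b);
  return bufA.length === bufB.length && crypto.timingSafeEqual(bufA, bufB);
}

// Returns the label of the secret that verified the payload, or null.
// `secrets` is ordered: the current secret first, the previous one second.
function verifyWithRotation(secrets, rawBody, signatureHeader) {
  if (typeof signatureHeader !== "string" || !signatureHeader.startsWith("sha256=")) {
    return null; // missing or unsupported signature header: reject
  }
  let matched = null;
  for (const { label, value } of secrets) {
    if (!value) continue; // an unset secret must never verify anything
    // Check every candidate so response time does not show which one matched.
    if (safeEqual(sign(value, rawBody), signatureHeader) && matched === null) {
      matched = label;
    }
  }
  return matched;
}

// Constructed sample data: in a deployment these values would come from the
// key vault mentioned in the reply above, not from source code.
const SECRETS = [
  { label: "current", value: "new-secret-constructed" },
  { label: "previous", value: "old-secret-constructed" },
];
const BODY = '{"action":"opened","number":1}';
```

Logging each delivery that verifies as `previous` shows when GitHub has stopped signing with the old secret, which is the point at which it can be dropped from the list. The body passed in must be the raw bytes as received, not re-serialized JSON.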