Setting Up a GitHub Webhook with NGINX and Ubuntu
As I set up my new site + blog I took some notes on the process that might be helpful or interesting to share as a reference.
These steps are how I configured this site to deploy whenever I push changes to its GitHub repository. For these instructions I am using the Zola static site generator, a virtual private server running Ubuntu and NGINX hosted on Linode, and GitHub. However, the general concept applies to any script you want to run as a response to a webhook event.
Step 1: Write your automation script
Create a script. Here's a sample for my site, used from the excellent tutorial at osc.garden.
#!/usr/bin/env bash
project_dir="/path/to/project-directory"
out_dir="/path/to/output-directory"
Make the file executable:
Notes: It probably goes without saying, but make sure you install all the tools and files used for your script / project. In my case this involves:
- Zola —
sudo snap install --edge zola - GitHub CLI — see install instructions in documentation; authenticate with
gh auth loginand follow the steps - GitHub repository cloned to project directory —
gh repo clone your-github-username/your-repo-name
I saved the script in a directory where I'll put related files for the project.
Step 2: Install webhook
Webhook is available on GitHub. This is what will listen for the webhook event from github and run the script.
Step 3: Create a hooks.json file
Create a hooks.json file in your project directory with the following content:
Notes:
idis part of the URL that the webhook server listens on - name this something descriptive!execute-commandis the script to run when the webhook is firedtrigger-ruleis a configuration that can be set up to require the incoming webhook request to contain a specific payload; this is a form of security so that only requests with the correct secret are handled by the webhook server (that said, please read the webhook docs if you are unsure about anything - this is not security advice!)- you can provide a passphrase here under
secret - you can provide the hash to use under
type - seriously please look at the webhook docs
- you can provide a passphrase here under
Step 4: Set up NGINX as a proxy
You can run webhook using the following command: /path/to/webhook -hooks /path/to/your-git-repo/hooks.json -verbose. It will start up on port 9000 and provide you with one HTTP endpoint.
If you wanted to, you could open port 9000 on your server / firewall and set up TLS certificates so webhook can use HTTPS. However! I opted to use NGINX as a proxy instead. I already have NGINX set up with my TLS certificates, the firewall is already configured, etc. So, I used the following NGINX configuration:
location /hooks/ {
proxy_pass http://localhost:9000/hooks/;
}
Note: I chose to use localhost instead of 127.0.0.1 or ::1 because I will let my server figure out whether to use IPv4 or IPv6. Networking!
Step 5: Set up webhook as a service
Create a webhook.service file in /etc/systemd/system/webhook.service with the following content:
Description=Webhook for
After=network.target
Type=simple
User=your-username
ExecStart=/usr/bin/webhook
Restart=on-failure
RestartSec=5s
StandardOutput=journal
StandardError=journal
Restart=always
WantedBy=multi-user.target
Enable and start the service:
Verify that the service is running:
Having this run as a service is important so it starts up after server reboots — keeping your server ready to receive webhook calls!
Step 6: Set up webhook in GitHub
Go to your GitHub repository settings, navigate to Webhooks, and add a new webhook with the following details:
- Payload URL: https://your-site.com/hooks/your-webhook-url
- Content type: application/json
- Secret: your-secret-token
Step 7: Deploy!
And there you have it! Your webhook is set to automatically run whenever you push changes to your repository. Have fun!