Skip to main content
This feature is only available on Enterprise plan.
Webhooks allow you to notify external systems when events occur in your GoRules project. Configure webhooks to trigger CI/CD pipelines, send notifications, or integrate with third-party services when commits are made, releases are created, or change requests are updated.

Webhook list

The Webhooks page displays all configured webhooks for your project. Access it from Settings → Webhooks.

List columns

Webhook types

GoRules supports three webhook types for different integration scenarios.

REST Webhook

Send HTTP POST requests to any URL when events occur. Ideal for custom integrations, notification services, or internal APIs. Configuration:
  • URL: The endpoint that receives webhook payloads
  • Signing secret: Generated automatically for payload verification

GitHub

Trigger GitHub Actions workflows directly from GoRules events. Requires a configured GitHub integration. Configuration:
  • Repository: Select from connected GitHub repositories
  • Target Branch: Branch to dispatch the workflow on (e.g., main)
  • Workflow ID: The workflow filename or ID (e.g., deploy.yml or 12345678)

GitLab

Trigger GitLab CI/CD pipelines from GoRules events. Requires a configured GitLab integration. Configuration:
  • Repository: Select from connected GitLab repositories
GitHub and GitLab webhooks require integrations to be configured first. Click “Configure Integrations” in the webhook form to set up the connection.

Available events

Select which events trigger the webhook.

Commits (main branch)

Releases

Change Requests

Creating a webhook

  1. Go to Settings → Webhooks
  2. Click “Create webhook”
  3. Enter a description
  4. Select the webhook type (REST Webhook, GitHub, or GitLab)
  5. Configure the target:
    • For REST: Enter the destination URL
    • For GitHub/GitLab: Select repository and workflow details
  6. Select the events to listen for
  7. Click “Create”
For REST webhooks, a signing secret is generated and displayed once after creation. Copy it immediately as it won’t be shown again.

Signing secret

REST webhooks include a signing secret for verifying payload authenticity. The secret is used to generate an HMAC signature sent with each request.

Testing webhooks

Before relying on a webhook in production, send a test request.
  1. Open the create or update webhook form
  2. In the “Test Webhook” section, select an event type
  3. Click “Send Test”
The test uses a sample payload with the test secret grl_whsec_test to verify your endpoint is reachable.

Webhook logs

View the history of webhook deliveries and troubleshoot issues.

Accessing logs

  1. Go to Settings → Webhooks
  2. Click “View Logs” on the webhook row

Log details

Each log entry shows:

Expanded log view

Click a log entry to see detailed information: Request tab:
  • URL: The destination endpoint
  • Payload: JSON data sent to the endpoint
  • Headers: Request headers including authentication
Response tab:
  • Status code: HTTP response code (e.g., 204)
  • Body: Response content from the endpoint
  • Completion time: Request duration in milliseconds

Retrying failed deliveries

If a delivery fails, click “Retry” to resend the webhook with the same payload.

Managing webhooks

Updating a webhook

  1. Click the three-dot menu on the webhook row
  2. Select “Update”
  3. Modify the configuration
  4. Click “Update”
You can change the description, events, and target configuration. The webhook type cannot be changed after creation.

Enabling or disabling

Toggle the “Active” switch in the update form to enable or disable a webhook without deleting it.

Deleting a webhook

  1. Click the three-dot menu on the webhook row
  2. Select “Delete”
  3. Confirm the deletion
Deleting a webhook is permanent. Any external systems relying on the webhook will stop receiving notifications.

Webhook payload

Webhook payloads include event details in JSON format.

Payload structure

The payload content varies by event type and includes relevant data such as commit information, release details, or change request metadata.

Request headers

Verifying webhook signatures

REST webhooks include a signing secret for verifying payload authenticity. Each request contains an X-Webhook-Signature header with an HMAC-SHA256 signature of the request body.

Signature format

The signature header uses the format sha256=<hex-encoded-hash>. Verify this against your own HMAC calculation using the webhook’s signing secret.

Node.js example

You must use the raw request body for signature verification, not the parsed JSON. If you’re using body-parser middleware, configure it to preserve the raw body:

Verification steps

  1. Extract the X-Webhook-Signature header from the request
  2. Get the raw request body (before JSON parsing)
  3. Compute HMAC-SHA256 of the raw body using your signing secret
  4. Compare the computed hash with the received signature using a timing-safe comparison
  5. Reject the request if signatures don’t match