Andrew Zonenberg on Nostr: It's been a while since I've done web stuff. Did I screw up anything too horribly ...
It's been a while since I've done web stuff. Did I screw up anything too horribly here?
https://github.com/ngscopeclient/scopehal-ci-scripts/blob/main/api/github-hook.php

This is a webhook that is only triggered by the 'push' event on ngscopeclient/scopehal-apps.
Goal is to ensure that
a) nobody but github can trigger builds (to prevent DoSing the CI platform with a ridiculous number of builds etc)
b) a compromise of GitHub's webhook infrastructure can trigger builds of real commits in the repo, but not run arbitrary shell commands on the CI runner or pull from an untrusted fork (i.e. no shell command injections etc in the branch/commit strings which will be fed to a zillion bash scripts downstream)
Published at 2026-05-12 22:46:21 UTC
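An added example, not the author's hook and not code from scopehal-ci-scripts, of the two checks the post asks about, written in Python rather than the hook's PHP: HMAC verification of GitHub's X-Hub-Signature-256 header (goal a) and allowlist validation of the branch ref and commit id before either reaches a shell script (goal b). The secret, the minimal sample payload and the character set permitted by BRANCH_RE are assumptions for the example.

```python
import hashlib
import hmac
import json
import re
from typing import Optional

# Constructed for this example: the real hook has its own secret and repo name.
TRUSTED_REPO = "ngscopeclient/scopehal-apps"
# Allowlist for branch refs: conservative characters only, so nothing that a
# downstream bash script could interpret (no ; $ ` | & spaces, quotes, etc.).
BRANCH_RE = re.compile(r"^refs/heads/[A-Za-z0-9][A-Za-z0-9._/-]{0,127}$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def sign(secret: bytes, body: bytes) -> str:
    """Value GitHub sends in X-Hub-Signature-256 for this exact raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()

def verify_signature(secret: bytes, body: bytes, header: Optional[str]) -> bool:
    """Goal (a): only the holder of the shared secret can produce a valid MAC.
    compare_digest keeps the comparison constant-time; it needs ASCII input."""
    if not header or not header.isascii() or not header.startswith("sha256="):
        return False
    return hmac.compare_digest(sign(secret, body), header)

def validate_push(event: str, body: bytes) -> tuple:
    """Goal (b): return (ref, sha) only if both are safe to hand to shell
    scripts and the push is from the trusted repo; raise ValueError otherwise."""
    if event != "push":
        raise ValueError("not a push event")
    payload = json.loads(body)
    if (payload.get("repository") or {}).get("full_name") != TRUSTED_REPO:
        raise ValueError("push is not from the trusted repository")
    ref, sha = payload.get("ref"), payload.get("after")
    if not isinstance(ref, str) or not BRANCH_RE.fullmatch(ref) or ".." in ref:
        raise ValueError("branch name rejected")
    if not isinstance(sha, str) or not SHA_RE.fullmatch(sha):
        raise ValueError("commit id rejected")
    return ref, sha

def handle(secret: bytes, headers: dict, body: bytes) -> tuple:
    """Everything the endpoint should check before queuing a build."""
    if not verify_signature(secret, body, headers.get("X-Hub-Signature-256")):
        raise PermissionError("bad or missing signature")
    return validate_push(headers.get("X-GitHub-Event", ""), body)

def sample_push_body(ref: str, sha: str, repo: str = TRUSTED_REPO) -> bytes:
    """Constructed minimal push payload (real ones carry many more fields)."""
    return json.dumps({"ref": ref, "after": sha,
                       "repository": {"full_name": repo}}).encode()
```

Verify the signature over the raw request bytes before parsing the JSON, since re-serialised JSON will not reproduce GitHub's MAC.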