toil(github_hooks): check signature on all githubapp calls (#448)

radwo · web-flow · commit 5b7dffa0ba11 · 2025-07-29T13:15:50.000+02:00
## 📝 Description
check signature on all githubapp calls

## ✅ Checklist
- [x] I have tested this change
- [ ] ~This change requires documentation update~
diff --git a/github_hooks/Gemfile.lock b/github_hooks/Gemfile.lock
@@ -204,7 +204,7 @@ GEM
     matrix (0.4.2)
     method_source (1.1.0)
     mini_mime (1.1.5)
-    mini_portile2 (2.8.8)
+    mini_portile2 (2.8.9)
     minitest (5.25.4)
     multi_xml (0.7.1)
       bigdecimal (~> 3.1)
@@ -221,7 +221,7 @@ GEM
     net-smtp (0.5.0)
       net-protocol
     nio4r (2.7.4)
-    nokogiri (1.18.8)
+    nokogiri (1.18.9)
       mini_portile2 (~> 2.8.2)
       racc (~> 1.4)
     octokit (4.20.0)
@@ -413,7 +413,7 @@ GEM
       daemons (~> 1.0, >= 1.0.9)
       eventmachine (~> 1.0, >= 1.0.4)
       rack (>= 1, < 3)
-    thor (1.3.2)
+    thor (1.4.0)
     tilt (2.4.0)
     timecop (0.9.10)
     timeout (0.4.3)
diff --git a/github_hooks/app/controllers/projects_controller.rb b/github_hooks/app/controllers/projects_controller.rb
@@ -22,8 +22,8 @@ def repo_host_post_commit_hook
         head :ok and return
       end
 
-      if webhook_filter.github_app_webhook?
-        signature = repo_host_request.headers["X-Hub-Signature-256"]
+      if webhook_filter.github_app_webhook? || webhook_filter.github_app_installation_webhook?
+        signature = repo_host_request.headers["X-Hub-Signature-256"] || ""
         secret = Semaphore::GithubApp::Credentials.github_app_webhook_secret
 
         if Semaphore::GithubApp::Hook.webhook_signature_valid?(secret, signature, repo_host_request.body.string) != :ok
