How to verify a post-receive hook request actually came from github?

Question

Github offers a way to let a URL know when a project has been updated using webhooks.

How do I verify that a post sent to my server\'s post-receive hook act

Answer 1

You can ping GitHub's Meta API to get an array of IP addresses (in CIDR notation) that the incoming service hooks will originate from and cross check them against the request's IP :

https://api.github.com/meta