GitHub offers a way to let a URL know when a project has been updated using webhooks.
How do I verify that a post sent to my server's post-receive hook act
In addition to @mnml's answer, the second step could be to just call up the API and verify that the information given matches the last known commit for the project. It's the same process that OpenID uses to verify the data passed is valid.
So, first I could defeat dumb replay attacks by just checking the IP. Next I could ask GitHub if the information I received is correct.
GET /repos/:user/:repo/commits/:sha
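
The two checks described in this answer, combined into one handler-side function. This is an added example, not code from the question or its answers; the payload field names `repository.full_name` and `after`, the allowlist range, and the function names are assumptions made for illustration.

```python
import ipaddress
import json
import re
import urllib.request

# Constructed allowlist (documentation range) standing in for the hook source ranges.
HOOK_NETS = [ipaddress.ip_network("192.0.2.0/24")]
SHA_RE = re.compile(r"[0-9a-f]{40}")

def fetch_commit(owner, repo, sha):
    """GET /repos/:user/:repo/commits/:sha; parsed JSON, or None on any failure."""
    url = f"https://api.github.com/repos/{owner}/{repo}/commits/{sha}"
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return json.load(resp)
    except (OSError, ValueError):  # network error, 404, or a non-JSON body
        return None

def verify_push(remote_ip, body, expected_repo, fetch=fetch_commit):
    """Return the confirmed head SHA, or None if the post must be rejected."""
    # Step 1: cheap source-address check before touching the body.
    try:
        addr = ipaddress.ip_address(remote_ip)
    except ValueError:
        return None
    if not any(addr in net for net in HOOK_NETS):
        return None
    try:
        payload = json.loads(body)
        repo = payload["repository"]["full_name"]  # assumed field names
        sha = payload["after"]
    except (ValueError, KeyError, TypeError):
        return None
    # The payload is untrusted: pin the repository to local configuration and
    # validate the SHA's shape before it is placed in a URL.
    if repo != expected_repo or not isinstance(sha, str) or not SHA_RE.fullmatch(sha):
        return None
    # Step 2: ask the API whether that commit really exists in the repository.
    owner, name = expected_repo.split("/", 1)
    commit = fetch(owner, name, sha)
    if not isinstance(commit, dict) or commit.get("sha") != sha:
        return None
    return sha

if __name__ == "__main__":
    # Constructed request; the fake fetcher replaces the API call so this runs offline.
    body = json.dumps({"repository": {"full_name": "octo/demo"}, "after": "a" * 40})
    print(verify_push("192.0.2.10", body, "octo/demo", fetch=lambda o, r, s: {"sha": s}))
    print(verify_push("203.0.113.5", body, "octo/demo", fetch=lambda o, r, s: {"sha": s}))
```

`remote_ip` has to be the socket peer address as seen by your server (or by a proxy you control), not a value taken from a client-supplied header.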