App webhook
POST /webhook/{app}
Receives push events from GitHub or Forgejo. Validates the HMAC signature, checks the branch, and queues the app for reconciliation.
Unknown app IDs are logged and ignored (still returns 200).
Authorizations
Parameters
Path Parameters
app
required
string
Example
my-app
App ID
Header Parameters
X-Hub-Signature-256
required
string
Example
sha256=abc123...
HMAC-SHA256 signature of the request body
X-GitHub-Event
required
string
Example
push
Event type (only push is processed)
Request Body required
GitHub/Forgejo webhook payload
object
Responses
Webhook processed (queued if known app + matching branch)
Invalid or missing signature
HOLDEN_WEBHOOK_SECRET not configured
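The checks this endpoint describes, sketched as an added example (not the project's own code): the signature is verified over the raw body bytes in constant time before the payload is parsed, then the event type, app ID and branch are checked. Assumptions: the `APPS` table, the outcome labels, the order of the checks after signature validation, and the function names are hypothetical; the branch is read from the push payload's `ref` field.

```python
import hashlib
import hmac
import json

# Constructed sample data; the app table and its fields are assumptions.
APPS = {"my-app": {"branch": "main"}}


def sign(secret, body):
    """Build the X-Hub-Signature-256 value a sender attaches to the raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret, body, header):
    """Check the header against the raw request bytes in constant time."""
    if not header or not header.startswith("sha256="):
        return False
    expected = sign(secret, body)
    # compare_digest avoids leaking the first mismatching position via timing.
    return hmac.compare_digest(expected.encode(), header.encode())


def handle_webhook(secret, app_id, headers, body, apps=APPS):
    """Return an outcome label; mapping labels to HTTP statuses is left out."""
    if not secret:
        return "secret_not_configured"
    # Authenticate first: the body is not parsed until the HMAC checks out.
    if not verify_signature(secret, body, headers.get("X-Hub-Signature-256")):
        return "invalid_signature"
    if headers.get("X-GitHub-Event") != "push":
        return "ignored_event"
    app = apps.get(app_id)
    if app is None:
        return "ignored_unknown_app"  # logged and ignored per the description
    try:
        ref = json.loads(body).get("ref")
    except (ValueError, AttributeError):
        return "ignored_bad_payload"
    if ref != "refs/heads/" + app["branch"]:
        return "ignored_branch"
    return "queued"
```

The HMAC must be computed over the exact bytes received; re-serializing parsed JSON before hashing changes whitespace or key order and makes valid deliveries fail verification.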