Webhook requests received from Forgejo/Gitea must be authenticated to prevent spoofed events from triggering Pipelines as Code actions.
The current Gitea provider behavior allows processing webhooks without verifying the request signature, creating a security gap.
Forgejo/Gitea send an HMAC-SHA256 signature of the request payload via X-Forgejo-Signature or X-Gitea-Signature, which must be validated against a configured secret.
Automated tests must cover both valid and invalid signature scenarios to ensure correctness and prevent regressions.
Deliverables:
Signature required: Reject Forgejo/Gitea webhook requests when neither X-Forgejo-Signature nor X-Gitea-Signature header is present.
Secret required: Reject Forgejo/Gitea webhook requests when no webhook secret is configured for the repository (e.g., via Repository CR/secret reference).
HMAC validation: Validate webhook signatures by computing HMAC-SHA256 over the raw request payload using the configured webhook secret and comparing to the provided signature in constant time.
Test coverage: Add unit tests for success and failure cases (valid Forgejo header, valid Gitea header, signature mismatch, invalid hex signature, missing secret, missing signature).
E2E alignment: Update Gitea/Forgejo test setup to provision a webhook secret and configure created webhooks/repositories to use it so end-to-end tests continue to pass with signature enforcement.
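One way to implement the checks listed above, as an added example in Go; it is not code from the Pipelines as Code project, and the error names and the ValidateSignature/Sign functions are assumed for illustration:

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"net/http"
)

var (
	ErrNoSecret    = errors.New("no webhook secret configured for repository")
	ErrNoSignature = errors.New("missing X-Forgejo-Signature / X-Gitea-Signature header")
	ErrBadHex      = errors.New("signature header is not valid hex")
	ErrMismatch    = errors.New("signature mismatch")
)

// Sign computes the hex-encoded HMAC-SHA256 that Forgejo/Gitea attach to a delivery.
func Sign(payload []byte, secret string) string {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write(payload) // raw bytes: re-serialising the JSON would change the MAC
	return hex.EncodeToString(mac.Sum(nil))
}

// ValidateSignature enforces the rules from the deliverables: a secret must be
// configured, a signature header must be present (Forgejo first, then Gitea),
// the header must be valid hex, and the HMAC-SHA256 over the raw payload must
// match in constant time.
func ValidateSignature(h http.Header, payload []byte, secret string) error {
	if secret == "" {
		return ErrNoSecret
	}
	sig := h.Get("X-Forgejo-Signature")
	if sig == "" {
		sig = h.Get("X-Gitea-Signature")
	}
	if sig == "" {
		return ErrNoSignature
	}
	got, err := hex.DecodeString(sig)
	if err != nil {
		return ErrBadHex
	}
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write(payload)
	if !hmac.Equal(got, mac.Sum(nil)) { // hmac.Equal is constant time and length-safe
		return ErrMismatch
	}
	return nil
}
```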