Chris Ashton

GitHooks.io

I came up with the idea for GitHooks.io back in January 2016. It was a complex technical project that I persevered with on the side, and I only felt it was ready in December 2016, almost a year later, when I presented the idea to the BBC’s internal monthly Web Developer Gathering (see slide deck) – the first presentation I have ever volunteered to do!

GitHooks.io is three things:

  1. A framework in which to write reusable webhooks
  2. A hosted environment to serve your webhook endpoints
  3. A platform to share your webhooks with other people

In short, GitHooks.io can be described as “webhooks as a service”.

Architecture

GitHooks.io was designed to scale, so it runs on AWS infrastructure. The main website runs on an EC2 micro instance, and the computation that happens on a webhook endpoint is all executed within AWS Lambda functions.

The database was originally a MySQL database running on a private network via AWS’ RDS infrastructure, but to reduce costs I have temporarily terminated this and use an SQLite database instead. Switching to the lighter database was trivial as all database communications are proxied through PDO and the database configuration is entirely YAML-config-driven (as is much of the site functionality, taking inspiration from BBC News).

I have documented in detail how GitHooks.io works here: http://githooks.io/how-it-works

Security

GitHooks.io allows developers to use the GitHub access tokens of the people who install their GitHooks (for communication with the GitHub API), without the installer having to explicitly hand over the access token to the GitHook itself and trust its author with it. It does this via an in-house authRequest Node module, which automatically appends the access token only to requests made to the GitHub API.
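The following is an added illustration of that design, not the GitHooks.io authRequest module itself. The hook author's code only ever receives the wrapper function; the token lives in a closure, and it is attached only when the parsed destination is `api.github.com` over HTTPS. The function names (isGitHubApiUrl, buildHeaders, createAuthRequest) and the injectable fetchImpl parameter are assumptions made for this example so it can run without network access.

```javascript
// Added example (not GitHooks.io's own authRequest module): a request
// wrapper that attaches the installer's GitHub token only when the
// destination is the GitHub API over HTTPS, so hook code never sees the
// token and cannot send it anywhere else.
const GITHUB_API_HOST = 'api.github.com';

// Decide whether a request is allowed to carry the installer's token.
function isGitHubApiUrl(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    return false; // unparseable URLs never get the token
  }
  // Exact host match and HTTPS only. Because the URL is parsed rather than
  // string-matched, lookalike hosts such as api.github.com.example.org,
  // a host hidden behind a userinfo component, and plain HTTP all fail.
  return url.protocol === 'https:' && url.hostname === GITHUB_API_HOST;
}

// Build the headers the outgoing request will carry. Any Authorization
// header supplied by the hook is dropped so the hook cannot override the
// decision or substitute its own credentials.
function buildHeaders(rawUrl, userHeaders, token) {
  const headers = { ...userHeaders };
  delete headers.Authorization;
  delete headers.authorization;
  if (isGitHubApiUrl(rawUrl)) {
    headers.Authorization = `token ${token}`;
  }
  return headers;
}

// createAuthRequest(token, fetchImpl) returns the function handed to hook
// code. The token is captured in a closure, never exposed as a value.
// fetchImpl is injected (hypothetical parameter) so the wrapper can be
// exercised offline with a fake transport.
function createAuthRequest(token, fetchImpl) {
  return function authRequest(rawUrl, options = {}) {
    const headers = buildHeaders(rawUrl, options.headers || {}, token);
    return fetchImpl(rawUrl, { ...options, headers });
  };
}
```

In production the injected transport would be the real HTTP client; the point of the split is that the allow-list decision is made on the parsed hostname, not on a prefix of the URL string, and that the token never becomes a value the hook's own code can read.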

GitHooks.io runs GitHook code inside Node virtual machines on AWS Lambda infrastructure, to sandbox arbitrary code away from the main site as much as possible.

It also has built-in infinite-loop protection: it tracks how many Lambda invocations the same installation requests over a given period and automatically disables the installation if that count exceeds a reasonable limit.
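The loop in question arises when a hook's own action (say, posting a comment) produces a new GitHub event that triggers the same hook again. As an added example, not the GitHooks.io implementation, here is a sliding-window guard over per-installation invocation timestamps; the InvocationGuard name, the limit of 20 invocations per 60 seconds, and the in-memory Map are assumptions chosen for illustration.

```javascript
// Added example (not GitHooks.io's own code): a sliding-window counter that
// disables an installation whose hook keeps triggering itself.
class InvocationGuard {
  // limit: maximum invocations allowed within windowMs before disabling.
  constructor({ limit = 20, windowMs = 60 * 1000 } = {}) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.history = new Map();   // installationId -> timestamps (ms) in window
    this.disabled = new Set();  // installations that have been switched off
  }

  // Called before each Lambda is requested. Returns true when the
  // invocation may proceed, false when the installation is (now) disabled.
  allow(installationId, nowMs = Date.now()) {
    if (this.disabled.has(installationId)) return false;
    const cutoff = nowMs - this.windowMs;
    // Keep only timestamps inside the window, then add this one.
    const recent = (this.history.get(installationId) || []).filter(t => t > cutoff);
    recent.push(nowMs);
    this.history.set(installationId, recent);
    if (recent.length > this.limit) {
      this.disabled.add(installationId);
      this.history.delete(installationId);
      return false;
    }
    return true;
  }

  isDisabled(installationId) { return this.disabled.has(installationId); }

  // Manual re-enable once the owner has fixed the hook.
  reenable(installationId) { this.disabled.delete(installationId); }
}

// Drive the guard with constructed timestamps: `invocations` events spaced
// `intervalMs` apart. Returns how many were allowed through.
function simulateHook(guard, installationId, invocations, intervalMs) {
  let allowed = 0;
  for (let i = 0; i < invocations; i++) {
    if (guard.allow(installationId, i * intervalMs)) allowed++;
  }
  return allowed;
}
```

Because Lambda invocations share no memory, a deployed version would keep the timestamps in a shared store keyed by installation; the decision logic stays the same.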