GitHub integration

Turn failed Actions and security alerts into phone calls and escalation

Add a signed repository or organization webhook. A failed Actions run pages your on-call; the next passing run resolves it. Code scanning, Dependabot and secret scanning alerts escalate across voice, Telegram, SMS and email.

Setup
Signed webhook
Auth
X-Hub-Signature-256
Recovery
Green resolves red

Anatomy of a GitHub alert

LIVE
GitHub → webhook
CI failed on main · run #42
WardenPoint
map conclusion · escalate · green resolves
Telegram
Voice call
Email

Setup

Three steps in GitHub

GitHub signs the webhook body with your secret — no token in the URL, no header to set.

  1. 1Step 1

    Add a webhook

    In the repository (or organization) go to Settings → Webhooks → Add webhook. Set the Payload URL to your WardenPoint endpoint and Content type to application/json.

    $ Settings › Webhooks › Add webhook
  2. 2Step 2

    Paste the secret

    Put your WardenPoint integration secret in the Secret field. GitHub signs every delivery with it and WardenPoint verifies the X-Hub-Signature-256 header — an unsigned or wrong-secret delivery is rejected.

    $ Secret › <your WardenPoint secret>
  3. 3Step 3

    Choose the events

    Select individual events: Workflow runs for CI, plus Code scanning alerts, Dependabot alerts and Secret scanning alerts for security. GitHub sends a ping first — WardenPoint acknowledges it automatically.

    $ Let me select individual events

Wire format

workflow_run webhook

GitHub posts the event with the type in the X-GitHub-Event header. WardenPoint maps the run conclusion to firing or resolved and dedupes on repository + workflow + branch.

GitHub → WardenPoint
workflow-run.jsonJSON
// workflow_run webhook (X-GitHub-Event: workflow_run)
{
"action": "completed",
"workflow_run": {
"name": "CI",
"head_branch": "main",
"conclusion": "failure",
"run_number": 42,
"event": "push",
"html_url": "https://github.com/acme/api/actions/runs/123"
},
"repository": { "full_name": "acme/api" }
}
WardenPoint fan-out
WardenPoint response202
{
"status": "queued",
"notification_uuid": "notif_8h2k7yQrxJp",
"channels_planned": [
"telegram_voice",
"voice_call",
"email"
],
"escalation_chain_id": "esc_4j2k9bMcvL"
}

Routing recipes

Three patterns for GitHub → WardenPoint

Run CI failures and security alerts through separate WardenPoint integrations, each wired to its own escalation chain.

CI

Failed run on main → phone

A workflow_run that completes with conclusion failure on your release branch maps to 'high' — phone call first, then Telegram. The next passing run on the same workflow and branch resolves it automatically.

match
conclusion = failure
→ route
severity: high
Security

Critical code scanning alert → escalate

A code scanning alert carries its own severity (security_severity_level). A critical finding pages immediately; Dependabot and secret scanning alerts route the same way.

match
security_severity_level = critical
→ route
→ security chain
Recovery

Green run posts a Resolved notice

Because CI alerts dedupe on repository + workflow + branch, a successful run marks the prior failure resolved and posts a Resolved notice to your chain — no manual close.

match
conclusion = success
→ route
→ Resolved notice

GitHub FAQ

Common GitHub integration questions

GitHub can't send custom headers, but it signs every webhook body with your secret and sends it as X-Hub-Signature-256. Put your WardenPoint integration secret in the webhook's Secret field; WardenPoint recomputes the HMAC over the raw body and rejects any delivery whose signature doesn't match. The secret never travels in the URL.
Free plan

Wire one repository before you depend on it

Add the webhook, fail a test workflow and read the audit line. No credit card. No production risk.

  • Signed webhook, no URL secret
  • Green run resolves red
  • CI and security alerts