GitHub webhook listener, using netcat and bash. `listen.sh` and `handler.sh` must be in the same directory. Start with `./listen.sh <port> <path-to-script> [<endpoint>]`. All files (including scripts) must be executable.

handler.sh

#!/bin/bash

# parse endpoint (only works for POST)
read request
url="${request#POST }"
url="${url% HTTP/*}"

# change this!!!
secret="top-secret"

endpoint=${2:-/}
hmac=
digest=
clen=

# parse http headers
while [ 1 ]; do
  read header
  [[ "$header" =~ 'X-Hub-Signature' ]] && hmac=$(echo $header | cut -d= -f2 | tr -d ' \n\r');
  [[ "$header" =~ 'Content-Length'  ]] && clen=$(echo $header | cut -d: -f2 | tr -d ' \n\r');
  [[ "$header" == $'\r' ]] && break;
done

# read http payload
read -r -t 10 -n $clen payload

echo -e "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nOK\r\n\r\n"

# calculate sha1-hmac digest
digest=$(echo -n $payload | openssl sha1 -hmac $secret | cut -d= -f2 | tr -d ' \n')

# $1 is a script to execute
# $2 is endpoint to check for (default /)
[[ ! -z "$1" ]] && [[ $url == $endpoint ]] && [[ $hmac == $digest ]] && $1 "$payload"

# do some logging
echo -e "$(date)\t$hmac\t$digest\t$endpoint\t$url" >> /var/log/webhook.log

listen.sh

#!/bin/bash

# Using temporary named pipes to simulate the -e option in netcat-traditional.

pipe=/tmp/pipe

function cleanup {
  rm -f $pipe;
}
trap cleanup EXIT

[[ -e $pipe ]] || mkfifo $pipe;

while [ 1 ]; do
  nc -l $1 0<$pipe | ./$(dirname "$0")/handler.sh $2 $3 1>$pipe;
done