see 403 in Webhook delivery <h1>Access to this site has been restricted.</h1>

[sbollap1]

Select Topic Area

Question

Body

I have a webhook configured in an org. payload url is

https://api.github.com/repos/cis-shan-sas/shan-test-repo-1/dispatches
content type is application/json
checked only the creation of repo event

and I have a workflow like this

name: Track New Repository Releases

on:
  repository_dispatch:
    types:  
      - repository

jobs:
  track-releases:
    runs-on: ubuntu-latest

    steps:
      - name: Check for new repository creation
        run: echo "New repository created!"

so far nothing special. all i want to do it to trigger this workflow when someone creates a new repo from github UI. in my org.
so the webhook is getting triggered but i am seeing an error 403 for some reason.

Cache-Control: no-cache
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-Xss-Protection: 0
Body
<!DOCTYPE html>
<html>
  <head>
    <meta content="origin" name="referrer">
    <title>Forbidden &middot; GitHub</title>
    <style type="text/css" media="screen">
      body {
        background-color: #f1f1f1;
        margin: 0;
      }
      body,
      input,
      button {
        font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;
      }
      .container { margin: 30px auto 40px auto; width: 800px; text-align: center; }
      a { color: #4183c4; text-decoration: none; font-weight: bold; }
      a:hover { text-decoration: underline; }
      h1, h2, h3 { color: #666; }
      ul { list-style: none; padding: 25px 0; }
      li {
        display: inline;
        margin: 10px 50px 10px 0px;
      }
      .logo { display: inline-block; margin-top: 35px; }
      .logo-img-2x { display: none; }
      @media
      only screen and (-webkit-min-device-pixel-ratio: 2),
      only screen and (   min--moz-device-pixel-ratio: 2),
      only screen and (     -o-min-device-pixel-ratio: 2/1),
      only screen and (        min-device-pixel-ratio: 2),
      only screen and (                min-resolution: 192dpi),
      only screen and (                min-resolution: 2dppx) {
        .logo-img-1x { display: none; }
        .logo-img-2x { display: inline-block; }
      }
    </style>
  </head>
  <body>

    <div class="container">
      <h1>Access to this site has been restricted.</h1>

      <p>
        <br>
        If you believe this is an error,
        please contact <a href="https://support.github.com">Support</a>.
      </p>
      <div id="s">
        <a href="https://githubstatus.com">GitHub Status</a> &mdash;
        <a href="https://twitter.com/githubstatus">@githubstatus</a>
      </div>
    </div>
  </body>
</html>

Note when I do this:

% curl \
  -X POST \
  -H "Authorization: token xxxxx " \
  -H "Accept: application/vnd.github+json" \
  -H "Content-Type: application/json" \
  -d '{"event_type":"repository"}' \
  https://api.github.com/repos/cis-shan-sas/shan-test-repo-1/dispatches
% 

I do see that the workflow is triggered under Actions in the repo. any ideas on what i am doing wrong

[ghost]

Hi. Issue is indicative of a permissions or access control problem. May be a lot of reasons for that, for example:

1. Incorrect Permissions for the GitHub Token:
   The personal access token (PAT) used to authenticate webhook requests must have the appropriate scopes. For repository webhooks, typically repo scope is required. Ensure that the token you're using has the correct permissions.

2. Webhook Configuration:
   Verify that the webhook is configured correctly in your GitHub organization settings. The payload URL should be correct, and the webhook should be set to trigger for the specific events you're interested in.

3.Repository Dispatch Event Type:
In your curl command, you're using "event_type":"repository". Ensure that this matches the event type expected in your workflow. In your workflow file, you specified types: [repository] under repository_dispatch, which should match the event_type in your dispatch request.

4.Workflow Trigger Permissions:
Check the GitHub Actions settings for the repository or organization to ensure that workflows can be triggered by repository dispatch events. There might be restrictions on who can trigger workflows.

5.IP Allow List:
If your organization has IP allow lists configured, ensure that the source IP address of the webhook is allowed. A 403 error can occur if the webhook's IP address is not on the allow list.

6.Enterprise or Organization Restrictions:
In some GitHub Enterprise or organizational settings, there might be additional restrictions on webhooks and actions. Verify with your GitHub organization or enterprise admin if there are any such restrictions that might be causing the 403 error.

7.Rate Limiting:
Although less likely for a single webhook event, ensure you're not hitting GitHub's rate limits with your requests.

8.GitHub Status and Outages:
Check GitHub Status to ensure there are no ongoing incidents that might affect webhook deliveries or actions.

[dror-g]

As @sbollap1 rightly noted - Org webhooks cannot access private repos.
As you can see from the webhook request body, the Authorization header is missing.
When included in manual Curl call - it works.

Seems there's no way to send auth token from org webhook, and even basic auth to the target (user + password) is only available if creating the org webhook using the Github API / CLI.

Bummer. And I wish this issue would get some serious attention rather than generic advice.