Getting event for a wrong App

Hello there,

It seems at some point this weekend GitHub started deivering webhooks for other Apps to our webhook callback. The weird part is that the deliveries are properly signed with our secret, X-GitHub-Hook-Installation-Target-ID is actually our app but app field of the actual payload is not our app.

Here is an example of such event which should target GitHub Actions, but instead (or additionally) was delivered to our app.

Here are the headers:

X-GitHub-Delivery: 5b7c6820-4094-11ec-88f4-d886f23428db
X-GitHub-Event: check_suite
X-GitHub-Hook-ID: 14500388
X-GitHub-Hook-Installation-Target-ID: 3232
X-GitHub-Hook-Installation-Target-Type: integration
X-Hub-Signature: sha1=47fa6c1d9160a2535981f91530177eaffa4caf25
X-Hub-Signature-256: sha256=c4a2fb9e8b165c1f5df1a90a129d48e176f26d3fd0eea9f5c2e1f88d6becbda4

:wave: Actions Engineer here

GitHub apps are able to subscribe to different types of events depending on the permissions that have been granted. Check suite events (requested, rerequested or completed) are just one of the many types of events that can be subscribed to.

Check suites and check runs can only be created by GitHub apps so whenever there is any type of event there is corresponding app information that details who created that check run or check suite in the payload.

There are a lot of different types of GitHub apps that create check suites and check runs. Some of the most popular ones are CircleCI and Travis. GitHub Actions also behaves like a Github App when check suites and check runs are created. There is an app with the slug github-actions and the app ID corresponds to 15368 and you can see that in your screenshot. The fact that GitHub-Hook-Installation-Target-ID (the id of cirruslabs that is subscribing to events) is different from the app id of the check suite creator (actions), is totally normal and expected for apps that subscribe to check suite events.

You can also see this app information using our public APIs https://docs.github.com/en/rest/reference/checks#list-check-suites-for-a-git-reference In the example payload that is provided you can see the octoapp app with an id of 1 which corresponds to the GitHub app that created the check suite.

It is likely that someone recently enabled or started using Actions for the first time in your particular repository, which is why is why you’re seeing completed check suite events that originate from Actions now.

@konradpabjan, thanks for a quick reply! I did some further investigation and my screenshot is not accurate enough. It shows the "action": "completed" but I saw payloads with requested actions. I believe App A should not get requested payloads for App B.

Here is the payload for delivery 9c06c090-3fed-11ec-89ae-f5247a07e299:

X-GitHub-Delivery=9c06c090-3fed-11ec-89ae-f5247a07e299
X-Cloud-Trace-Context=c89a4e3078a458dd5a69b62c302a9b7b/2614782963193807418
X-GitHub-Hook-ID=14500388
User-Agent=GitHub-Hookshot/f7bdd04
X-GitHub-Hook-Installation-Target-ID=3232
X-GitHub-Event=check_suite
X-Hub-Signature=sha1=0035430d91641312fb902b458ecfe94271f6ffca
X-Hub-Signature-256=sha256=4794d800f7a7d4e9a3b1979ed2fbf4dc3b62a90d519012c1488d302079fb7718
X-GitHub-Hook-Installation-Target-Type=integration
{
   "action":"requested",
   "check_suite":{
      "id":4280878170,
      "node_id":"CS_kwDOCIlA6s7_KQRa",
      "head_branch":"211107-lintsh",
      "head_sha":"3cd987a8ef44cdfc3d7c6a94c2ab74556d3657eb",
      "status":"queued",
      "conclusion":null,
      "url":"https://api.github.com/repos/hebasto/bitcoin/check-suites/4280878170",
      "before":"f728f91e5ceff6f0fcd039fb896eb659ca6b547d",
      "after":"3cd987a8ef44cdfc3d7c6a94c2ab74556d3657eb",
      "pull_requests":[
         
      ],
      "app":{
         "id":14084,
         "slug":"appveyor",
         "node_id":"MDM6QXBwMTQwODQ=",
         "owner":{
            "login":"appveyor",
            "id":1117363,
            "node_id":"MDEyOk9yZ2FuaXphdGlvbjExMTczNjM=",
            "avatar_url":"https://avatars.githubusercontent.com/u/1117363?v=4",
            "gravatar_id":"",
            "url":"https://api.github.com/users/appveyor",
            "html_url":"https://github.com/appveyor",
            "followers_url":"https://api.github.com/users/appveyor/followers",
            "following_url":"https://api.github.com/users/appveyor/following{/other_user}",
            "gists_url":"https://api.github.com/users/appveyor/gists{/gist_id}",
            "starred_url":"https://api.github.com/users/appveyor/starred{/owner}{/repo}",
            "subscriptions_url":"https://api.github.com/users/appveyor/subscriptions",
            "organizations_url":"https://api.github.com/users/appveyor/orgs",
            "repos_url":"https://api.github.com/users/appveyor/repos",
            "events_url":"https://api.github.com/users/appveyor/events{/privacy}",
            "received_events_url":"https://api.github.com/users/appveyor/received_events",
            "type":"Organization",
            "site_admin":false
         },
         "name":"AppVeyor",
         "description":"AppVeyor is fast and easy to use Continuous Integration service for Windows and Linux developers. Free for open source projects.",
         "external_url":"https://www.appveyor.com",
         "html_url":"https://github.com/apps/appveyor",
         "created_at":"2018-06-27T00:33:01Z",
         "updated_at":"2019-07-07T22:29:41Z",
         "permissions":{
            "checks":"write",
            "contents":"read",
            "members":"read",
            "metadata":"read",
            "pull_requests":"read",
            "statuses":"write"
         },
         "events":[
            "check_run",
            "check_suite",
            "membership",
            "pull_request",
            "push"
         ]
      },
      "created_at":"2021-11-07T17:10:29Z",
      "updated_at":"2021-11-07T17:10:29Z",
      "latest_check_runs_count":0,
      "check_runs_url":"https://api.github.com/repos/hebasto/bitcoin/check-suites/4280878170/check-runs",
      "head_commit":{
         "id":"3cd987a8ef44cdfc3d7c6a94c2ab74556d3657eb",
         "tree_id":"16c0e33e3f43585bebe0ed98b272956cdfc373a4",
         "message":"test: Enable SC2046 shellcheck rule",
         "timestamp":"2021-11-07T17:09:12Z",
         "author":{
            "name":"Hennadii Stepanov",
            "email":"32963518+hebasto@users.noreply.github.com"
         },
         "committer":{
            "name":"Hennadii Stepanov",
            "email":"32963518+hebasto@users.noreply.github.com"
         }
      }
   },
   "repository":{
      "id":143212778,
      "node_id":"MDEwOlJlcG9zaXRvcnkxNDMyMTI3Nzg=",
      "name":"bitcoin",
      "full_name":"hebasto/bitcoin",
      "private":false,
      "owner":{
         "login":"hebasto",
         "id":32963518,
         "node_id":"MDQ6VXNlcjMyOTYzNTE4",
         "avatar_url":"https://avatars.githubusercontent.com/u/32963518?v=4",
         "gravatar_id":"",
         "url":"https://api.github.com/users/hebasto",
         "html_url":"https://github.com/hebasto",
         "followers_url":"https://api.github.com/users/hebasto/followers",
         "following_url":"https://api.github.com/users/hebasto/following{/other_user}",
         "gists_url":"https://api.github.com/users/hebasto/gists{/gist_id}",
         "starred_url":"https://api.github.com/users/hebasto/starred{/owner}{/repo}",
         "subscriptions_url":"https://api.github.com/users/hebasto/subscriptions",
         "organizations_url":"https://api.github.com/users/hebasto/orgs",
         "repos_url":"https://api.github.com/users/hebasto/repos",
         "events_url":"https://api.github.com/users/hebasto/events{/privacy}",
         "received_events_url":"https://api.github.com/users/hebasto/received_events",
         "type":"User",
         "site_admin":false
      },
      "html_url":"https://github.com/hebasto/bitcoin",
      "description":"Bitcoin Core integration/staging tree",
      "fork":true,
      "url":"https://api.github.com/repos/hebasto/bitcoin",
      "forks_url":"https://api.github.com/repos/hebasto/bitcoin/forks",
      "keys_url":"https://api.github.com/repos/hebasto/bitcoin/keys{/key_id}",
      "collaborators_url":"https://api.github.com/repos/hebasto/bitcoin/collaborators{/collaborator}",
      "teams_url":"https://api.github.com/repos/hebasto/bitcoin/teams",
      "hooks_url":"https://api.github.com/repos/hebasto/bitcoin/hooks",
      "issue_events_url":"https://api.github.com/repos/hebasto/bitcoin/issues/events{/number}",
      "events_url":"https://api.github.com/repos/hebasto/bitcoin/events",
      "assignees_url":"https://api.github.com/repos/hebasto/bitcoin/assignees{/user}",
      "branches_url":"https://api.github.com/repos/hebasto/bitcoin/branches{/branch}",
      "tags_url":"https://api.github.com/repos/hebasto/bitcoin/tags",
      "blobs_url":"https://api.github.com/repos/hebasto/bitcoin/git/blobs{/sha}",
      "git_tags_url":"https://api.github.com/repos/hebasto/bitcoin/git/tags{/sha}",
      "git_refs_url":"https://api.github.com/repos/hebasto/bitcoin/git/refs{/sha}",
      "trees_url":"https://api.github.com/repos/hebasto/bitcoin/git/trees{/sha}",
      "statuses_url":"https://api.github.com/repos/hebasto/bitcoin/statuses/{sha}",
      "languages_url":"https://api.github.com/repos/hebasto/bitcoin/languages",
      "stargazers_url":"https://api.github.com/repos/hebasto/bitcoin/stargazers",
      "contributors_url":"https://api.github.com/repos/hebasto/bitcoin/contributors",
      "subscribers_url":"https://api.github.com/repos/hebasto/bitcoin/subscribers",
      "subscription_url":"https://api.github.com/repos/hebasto/bitcoin/subscription",
      "commits_url":"https://api.github.com/repos/hebasto/bitcoin/commits{/sha}",
      "git_commits_url":"https://api.github.com/repos/hebasto/bitcoin/git/commits{/sha}",
      "comments_url":"https://api.github.com/repos/hebasto/bitcoin/comments{/number}",
      "issue_comment_url":"https://api.github.com/repos/hebasto/bitcoin/issues/comments{/number}",
      "contents_url":"https://api.github.com/repos/hebasto/bitcoin/contents/{+path}",
      "compare_url":"https://api.github.com/repos/hebasto/bitcoin/compare/{base}...{head}",
      "merges_url":"https://api.github.com/repos/hebasto/bitcoin/merges",
      "archive_url":"https://api.github.com/repos/hebasto/bitcoin/{archive_format}{/ref}",
      "downloads_url":"https://api.github.com/repos/hebasto/bitcoin/downloads",
      "issues_url":"https://api.github.com/repos/hebasto/bitcoin/issues{/number}",
      "pulls_url":"https://api.github.com/repos/hebasto/bitcoin/pulls{/number}",
      "milestones_url":"https://api.github.com/repos/hebasto/bitcoin/milestones{/number}",
      "notifications_url":"https://api.github.com/repos/hebasto/bitcoin/notifications{?since,all,participating}",
      "labels_url":"https://api.github.com/repos/hebasto/bitcoin/labels{/name}",
      "releases_url":"https://api.github.com/repos/hebasto/bitcoin/releases{/id}",
      "deployments_url":"https://api.github.com/repos/hebasto/bitcoin/deployments",
      "created_at":"2018-08-01T21:59:57Z",
      "updated_at":"2021-11-07T09:58:29Z",
      "pushed_at":"2021-11-07T17:10:20Z",
      "git_url":"git://github.com/hebasto/bitcoin.git",
      "ssh_url":"git@github.com:hebasto/bitcoin.git",
      "clone_url":"https://github.com/hebasto/bitcoin.git",
      "svn_url":"https://github.com/hebasto/bitcoin",
      "homepage":"https://bitcoincore.org/en/download",
      "size":191092,
      "stargazers_count":7,
      "watchers_count":7,
      "language":"C++",
      "has_issues":false,
      "has_projects":false,
      "has_downloads":false,
      "has_wiki":false,
      "has_pages":false,
      "forks_count":1,
      "mirror_url":null,
      "archived":false,
      "disabled":false,
      "open_issues_count":0,
      "license":{
         "key":"mit",
         "name":"MIT License",
         "spdx_id":"MIT",
         "url":"https://api.github.com/licenses/mit",
         "node_id":"MDc6TGljZW5zZTEz"
      },
      "allow_forking":true,
      "is_template":false,
      "topics":[
         "bitcoin-core"
      ],
      "visibility":"public",
      "forks":1,
      "open_issues":0,
      "watchers":7,
      "default_branch":"master"
   },
   "sender":{
      "login":"hebasto",
      "id":32963518,
      "node_id":"MDQ6VXNlcjMyOTYzNTE4",
      "avatar_url":"https://avatars.githubusercontent.com/u/32963518?v=4",
      "gravatar_id":"",
      "url":"https://api.github.com/users/hebasto",
      "html_url":"https://github.com/hebasto",
      "followers_url":"https://api.github.com/users/hebasto/followers",
      "following_url":"https://api.github.com/users/hebasto/following{/other_user}",
      "gists_url":"https://api.github.com/users/hebasto/gists{/gist_id}",
      "starred_url":"https://api.github.com/users/hebasto/starred{/owner}{/repo}",
      "subscriptions_url":"https://api.github.com/users/hebasto/subscriptions",
      "organizations_url":"https://api.github.com/users/hebasto/orgs",
      "repos_url":"https://api.github.com/users/hebasto/repos",
      "events_url":"https://api.github.com/users/hebasto/events{/privacy}",
      "received_events_url":"https://api.github.com/users/hebasto/received_events",
      "type":"User",
      "site_admin":false
   },
   "installation":{
      "id":8426495,
      "node_id":"MDIzOkludGVncmF0aW9uSW5zdGFsbGF0aW9uODQyNjQ5NQ=="
   }
}

The behavior you’re seeing is expected if you’re subscribed to Check Suite events. Any requested, rerequested or completed event will be sent regardless of the app that the check suite may have been created by. The github app creator is what information is being conveyed in the payload and it’s not indicative of who the event is for. It’s like describing who a pull request or issue was opened by.

The permissions to receive check suite events have been granted so all check suite events will be sent. There is no extra filtering for the event types that we support. An analogous example could be subscribing to issue events. Currently when an issue is opened or closed you receive all events and there is no way to filter to only receive events that were created by certain users or apps. All of them are sent and it’s up to the app to filter through and use which events are actually relevant.

This post was flagged by the community and is temporarily hidden.

We’ve been using Checks API for more than 3 years and processed millions of the events. I believe we’ve never seen this behavior but for future researchers I’ll clarify it:

If there are Apps A, B and C installed on the repository. Each one of the Apps will receive 3 "action": "requested" events for each one of the Apps (9 events in total) despite documentation mentions only a single even being sent to each of the Apps:

By default, GitHub creates a check suite automatically when code is pushed to the repository. This default flow sends the check_suite event (with requested action) to all GitHub App’s that have the checks:write permission.