From 442e755f101b910eb17c6300fb086482fe9fc54e Mon Sep 17 00:00:00 2001
From: Anshul Patel
Date: Sun, 18 Sep 2022 12:51:53 +0900
Subject: [PATCH 1/2] feat(webhook): Add `x-hub-signature-256` header
---
 README.md | 1 +
 .../lambdas/webhook/src/webhook/handler.test.ts | 10 ++++++++++
 modules/webhook/lambdas/webhook/src/webhook/handler.ts | 5 ++++-
 3 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 5eed5f0ba2..17f7e9380f 100644
--- a/README.md
+++ b/README.md
@@ -442,6 +442,7 @@ In case the setup does not work as intended follow the trace of events:
 | [pool\_lambda\_timeout](#input\_pool\_lambda\_timeout) | Time out for the pool lambda in seconds. | `number` | `60` | no |
 | [pool\_runner\_owner](#input\_pool\_runner\_owner) | The pool will deploy runners to the GitHub org ID, set this value to the org to which you want the runners deployed. Repo level is not supported. | `string` | `null` | no |
 | [prefix](#input\_prefix) | The prefix used for naming resources | `string` | `"github-actions"` | no |
+| [queue\_encryption](#input\_queue\_encryption) | Configure how data on queues managed by the modules in ecrypted at REST. Options are encryped via SSE, non encrypted and via KMSS. By default encryptes via SSE is enabled. See for more details the Terraform `aws_sqs_queue` resource https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue. |
object({
kms_data_key_reuse_period_seconds = number
kms_master_key_id = string
sqs_managed_sse_enabled = bool
})
|
{
"kms_data_key_reuse_period_seconds": null,
"kms_master_key_id": null,
"sqs_managed_sse_enabled": true
}
| no | | [redrive\_build\_queue](#input\_redrive\_build\_queue) | Set options to attach (optional) a dead letter queue to the build queue, the queue between the webhook and the scale up lambda. You have the following options. 1. Disable by setting `enabled` to false. 2. Enable by setting `enabled` to `true`, `maxReceiveCount` to a number of max retries. |
object({
enabled = bool
maxReceiveCount = number
})
|
{
"enabled": false,
"maxReceiveCount": null
}
| no |
 | [repository\_white\_list](#input\_repository\_white\_list) | List of repositories allowed to use the github app | `list(string)` | `[]` | no |
 | [role\_path](#input\_role\_path) | The path that will be added to role path for created roles, if not set the environment name will be used. | `string` | `null` | no |
diff --git a/modules/webhook/lambdas/webhook/src/webhook/handler.test.ts b/modules/webhook/lambdas/webhook/src/webhook/handler.test.ts
index 929f09f6d3..ebceba29aa 100644
--- a/modules/webhook/lambdas/webhook/src/webhook/handler.test.ts
+++ b/modules/webhook/lambdas/webhook/src/webhook/handler.test.ts
@@ -61,6 +61,16 @@ describe('handler', () => {
 expect(sendActionRequest).toBeCalled();
 });
+ it('handles workflow job events with 256 hash signature', async () => {
+ const event = JSON.stringify(workflowjob_event);
+ const resp = await handle(
+ { 'X-Hub-Signature-256': await webhooks.sign(event), 'X-GitHub-Event': 'workflow_job' },
+ event,
+ );
+ expect(resp.statusCode).toBe(201);
+ expect(sendActionRequest).toBeCalled();
+ });
+
 it('does not handle other events', async () => {
 const event = JSON.stringify(workflowjob_event);
 const resp = await handle({ 'X-Hub-Signature': await webhooks.sign(event), 'X-GitHub-Event': 'push' }, event);
diff --git a/modules/webhook/lambdas/webhook/src/webhook/handler.ts b/modules/webhook/lambdas/webhook/src/webhook/handler.ts
index 08dbc51088..3ef3ef9c1c 100644
--- a/modules/webhook/lambdas/webhook/src/webhook/handler.ts
+++ b/modules/webhook/lambdas/webhook/src/webhook/handler.ts
@@ -95,7 +95,10 @@ async function verifySignature(
 body: string,
 environment: string,
 ): Promise {
- const signature = headers['x-hub-signature'] as string;
+ let signature = headers['x-hub-signature'] as string;
+ if ('x-hub-signature-256' in headers) {
+ signature = headers['x-hub-signature-256'] as string;
+ }
 if (!signature) {
 logger.error(
 "Github event doesn't have signature. This webhook requires a secret to be configured.",
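Review bot: The new test case in handler.test.ts only covers the accepting path for `X-Hub-Signature-256`; nothing pins that a tampered value in that header is rejected, nor that the 256 header is the one consulted when both headers are present, which is exactly the branch handler.ts introduces in this patch. A companion case such as `handle({ 'X-Hub-Signature-256': 'sha256=' + '0'.repeat(64), 'X-GitHub-Event': 'workflow_job' }, event)` (constructed placeholder digest) asserting a non-201 statusCode and no `sendActionRequest` call would close that gap. Note also that `webhooks.sign(event)` is reused unchanged from the SHA-1 test, so whether the new case actually exercises a SHA-256 digest depends on that helper's default algorithm, which is not visible here.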
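Review bot: The handler.ts hunk keeps the HMAC-SHA1 `x-hub-signature` digest acceptable for any request that simply omits `x-hub-signature-256`, so a sender is never required to present the stronger digest; the same shape survives in the [PATCH 2/2] hunk of this file. GitHub sends both headers on every delivery once a secret is configured, so the SHA-1 path only serves non-GitHub callers, and it should at least be observable: `logger.warn('x-hub-signature-256 header missing, falling back to x-hub-signature (sha1).');` on the fallback path, plus a comment above the function stating that the SHA-1 fallback is kept for compatibility and is intended to be removed. verifySignature's parameter list starts before the hunk and the actual verify call lies after it, so whether the downstream check restricts the accepted digest prefix cannot be confirmed from here.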
From 0dff29537fa832adc71281c68b7dd976f4bc6909 Mon Sep 17 00:00:00 2001
From: Anshul Patel
Date: Sun, 18 Sep 2022 13:02:49 +0900
Subject: [PATCH 2/2] feat(webhook): Add x-hub-signature-256 header
---
 modules/webhook/lambdas/webhook/src/webhook/handler.ts | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/modules/webhook/lambdas/webhook/src/webhook/handler.ts b/modules/webhook/lambdas/webhook/src/webhook/handler.ts
index 3ef3ef9c1c..4ccede0376 100644
--- a/modules/webhook/lambdas/webhook/src/webhook/handler.ts
+++ b/modules/webhook/lambdas/webhook/src/webhook/handler.ts
@@ -95,9 +95,11 @@ async function verifySignature(
 body: string,
 environment: string,
 ): Promise {
- let signature = headers['x-hub-signature'] as string;
+ let signature;
 if ('x-hub-signature-256' in headers) {
 signature = headers['x-hub-signature-256'] as string;
+ } else {
+ signature = headers['x-hub-signature'] as string;
 }
 if (!signature) {
 logger.error(
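Review bot: `let signature;` at the top of the hunk is declared without a type and then populated only through `as string` assertions, so the variable's type comes entirely from the casts; if `headers` is Node's `IncomingHttpHeaders` (not visible here), a repeated header arriving as `string[]` is typed as `string` and the mismatch is only discovered inside the downstream verify. A typed declaration with a nullish fallback removes both the `in` check and the casts: `const signature = headers['x-hub-signature-256'] ?? headers['x-hub-signature'];` followed by `if (typeof signature !== 'string' || !signature) {` in place of the existing `if (!signature) {`, which keeps the current error path for the missing-header case. The remainder of verifySignature, including the call that actually checks the digest, lies outside the hunk.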