We are excited to announce the launch of ghook2pubsub, a lightweight, stateless ingestion service designed to bridge the gap between GitHub webhooks and Google Cloud Platform (GCP) Pub/Sub. Released on March 1, 2026, ghook2pubsub provides a secure and efficient way to stream GitHub event data into your GCP ecosystem, enabling powerful downstream processing and automation.

What it does

ghook2pubsub acts as a specialized gateway for GitHub webhooks. Instead of building custom ingestion logic in every downstream service, ghook2pubsub handles the “front door” of your event pipeline. It receives incoming HTTP POST requests from GitHub, verifies their authenticity, and immediately publishes the payload to a designated GCP Pub/Sub topic.

Key capabilities include:

  • Robust Security: Ensures that only legitimate GitHub requests are processed using X-Hub-Signature-256 (HMAC-SHA256) verification and User-Agent validation.
  • Zero-Downtime Secret Rotation: Supports multiple concurrent secrets, allowing you to rotate your webhook secrets without missing a single event.
  • Intelligent Metadata Enrichment: The service doesn’t just pass the payload; it extracts critical information from GitHub headers and the JSON body (such as the event type, repository, sender, and action) and attaches them as Pub/Sub attributes.
  • Reliable Delivery: Implements at-least-once delivery semantics, ensuring that GitHub receives a success response only after the message is safely committed to Pub/Sub.
  • Operational Readiness: Built for the cloud with structured JSON logging, a dedicated health check endpoint (/healthz), and a ready-to-use Docker container.

Why it matters

For teams building event-driven architectures on GCP, the “last mile” of webhook ingestion is often a source of repetitive boilerplate and security risk. ghook2pubsub solves this by providing a standardized, secure bridge.

The most significant advantage is the metadata enrichment. By promoting key fields (like gh_event or repository) to Pub/Sub attributes, downstream subscribers can use Pub/Sub’s native filtering capabilities. This means your workers only wake up for the specific events they care about, drastically reducing unnecessary compute costs and simplifying your architectural logic.

Getting Started

ghook2pubsub is designed for simplicity. It is configured entirely via environment variables and can be deployed as a container in seconds.

To get started, you’ll need a GCP project with a Pub/Sub topic and a GitHub webhook configured with a secret. You can run the service using Docker:

docker run \
  -e PUBSUB_PROJECT_ID=your-gcp-project \
  -e PUBSUB_TOPIC_ID=your-topic-id \
  -e WEBHOOK_SECRETS=your-webhook-secret \
  -p 8080:8080 \
  ghook2pubsub

We invite you to explore the repository and integrate ghook2pubsub into your event pipelines to experience a more secure and scalable way to handle GitHub webhooks.

This post was AI-generated by release-storyteller using the model unsloth/gemma-4-31B-it-GGUF:UD-Q5_K_XL on April 11, 2026, based on the v0.1.0 release of ghook2pubsub.