I noticed recently that my blog (not that you need a link, if you are reading it!) has stopped automatically updating when changes are merged into the main branch. On investigation I found that Gitea has stopped including the secret in the payload (which is very good, from a security point of view) and instead now hashes the payload along with the secret and puts that value in the X-Gitea-Signature header.

Fixing this just meant replacing the match in webhook’s configuration with the appropriate new settings.

The original:

{
    "match":
    {
        "type": "value",
        "value": "SECRET_KEY_GOES_HERE",
        "parameter":
        {
            "source": "payload",
            "name": "secret"
        }
    }
}

changes to:

{
    "match":
    {
        "type": "payload-hash-sha256",
        "secret": "SECRET_KEY_GOES_HERE",
        "parameter":
        {
            "source": "header",
            "name": "X-Gitea-Signature"
        }
    }
}
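What the new rule checks on each delivery, as an added Python example (not code from this post, webhook or Gitea): the X-Gitea-Signature header carries the hex HMAC-SHA256 of the raw request body, keyed with the webhook secret. The function names and the sample body are constructed for illustration; the secret is the placeholder used above.

```python
import hashlib
import hmac
import json
from typing import Optional

SECRET = "SECRET_KEY_GOES_HERE"  # placeholder, same as in the configuration above
# Constructed sample body; a real Gitea push payload is much larger.
BODY = b'{"ref": "refs/heads/main", "repository": {"name": "blog"}}'


def gitea_signature(secret: str, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 of the body exactly as sent, keyed with the secret."""
    return hmac.new(secret.encode(), raw_body, hashlib.sha256).hexdigest()


def verify(secret: str, raw_body: bytes, header_value: Optional[str]) -> bool:
    """True only if the header matches the bytes that were actually received."""
    if not header_value:
        return False  # no signature header: reject the delivery
    expected = gitea_signature(secret, raw_body).encode()
    received = header_value.strip().lower().encode()
    # Constant-time comparison, so the check does not leak how many
    # leading characters of a guessed signature were correct.
    return hmac.compare_digest(expected, received)


def demo() -> dict:
    sig = gitea_signature(SECRET, BODY)
    # Parsing and re-serialising changes whitespace, so the bytes differ.
    reserialized = json.dumps(json.loads(BODY), separators=(",", ":")).encode()
    return {
        "valid": verify(SECRET, BODY, sig),
        "modified_body": verify(SECRET, BODY.replace(b"main", b"other"), sig),
        "wrong_secret": verify("not-the-secret", BODY, sig),
        "reserialized": verify(SECRET, reserialized, sig),
        "missing_header": verify(SECRET, BODY, None),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The signature covers the body byte for byte, so a receiver has to verify it before parsing or re-encoding the JSON.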

This is what I get for blindly updating my software without checking the documentation: "WARNING: The secret field in the payload is deprecated as of Gitea 1.13.0 and will be removed in 1.14.0: https://github.com/go-gitea/gitea/issues/11755"