Using ClickHouse as a GitHub webhook

ClickHouse has always supported acting as a webhook endpoint, but version 25.12 adds a useful feature: HMAC-based message authentication. Now you can verify that incoming requests are actually from who you think they are before inserting any data. In this video, we set it up end to end using a real GitHub repository.

• Create a staging table that captures raw payloads and GitHub's HMAC signature from the request header
• Use a materialized view to validate each message using the new HMAC function — valid messages flow through, invalid ones get dropped
• Set up a restricted webhook_receiver user with minimal permissions (and optionally rate limits) for the endpoint
• Walk through the full GitHub webhook configuration — payload URL, content type, and secret key
• Test the setup with real push events and verify the signature filtering works as expected

→ Read the blog post