Search
My Cart

Vendors

Webhooks

Tag a release on your repo, the platform ingests it. The webhook is registered automatically when you add a package - no manual setup in the normal flow.

What it does

Webhooks are how Packagento finds out about your new releases. When you push a semver tag (for example v1.4.2) to a connected repository, GitHub or GitLab calls Packagento. Packagento verifies the signature on the call, fetches the release, runs the automated checks, and makes the release available to buyers.

What events matter

Only tag-push events trigger version ingest. Branch pushes, pull requests, comments, deploys, and "release created" events are deliberately ignored - tags are the canonical signal that a version is ready to publish. The platform parses the tag with strict semver, so v1.4.2 and 1.4.2 work; non-semver tags (nightly, staging, latest) are accepted by the receiver but skipped at the ingest stage.

When the hook is created

When you add a package on My packages from a connected GitHub or GitLab repository, Packagento calls the provider API using the credentials you connected on Git integrations and creates one webhook on that repo. Each hook is one-per-package: it carries its own randomly generated secret, stored encrypted at rest, and is pinned to that package only. A validated payload from one repo cannot ingest into a different package even if two packages happen to share the same provider repo id.

One path skips the auto-register step. If the connected credentials lack the webhook-management permission, registration fails silently and the package is saved without a hook; reconnect the provider with the missing permission, then re-add the package or get in touch through our contact form.

Verify it worked

Open the repo on GitHub (Settings → Webhooks) or GitLab (Settings → Webhooks) and look for a hook pointing at your Packagento install. Confirm it is enabled. After you push your next tag, GitHub's "Recent Deliveries" panel and GitLab's "Edit → Recent events" list show whether the call was accepted (200) or rejected. The Packagento side of the same event appears in your activity feed, with the release's automated checks following shortly after.

Security and failed deliveries

Every delivery is verified before it is processed. Auto-registered hooks always have a per-package secret. A mismatch returns 403 immediately and is recorded so the platform can spot tampering or a stale webhook configuration. Do not edit the webhook URL or secret manually on the provider side; deleting and re-creating the hook keeps both sides in sync.

Retries and duplicate deliveries

Providers retry failed deliveries on transient errors. Packagento dedupes on the provider's own delivery ID: a retry of an already-handled event returns 200 immediately and does not double-ingest. If a delivery returned 5xx and your provider has given up entirely, push the tag again or re-deliver the event from the provider UI. The ingest itself is also idempotent on the (package, tag) pair, so a fresh delivery for a tag that was already ingested is a safe no-op.

Recovering a broken hook

Use this path when:

  • the webhook was deleted on the repo by mistake;
  • the connected provider credential was rotated or its permissions changed;
  • you suspect the secret has leaked;
  • you are seeing persistent 403s on previously-working deliveries.

The package detail page carries a "Rotate Webhook" action under Ingest Activity for any package added through a connected Git provider. Use it to delete the upstream hook and create a fresh one with a new secret. If the rotate action is not available (for example a paste-URL package, or the connected credential has lost its hook-management permission), get in touch through our contact form with the package name and Packagento will handle it manually.

Troubleshooting

  • Tag pushed, no release appeared: confirm the tag is on the repository connected to this package (not a fork) and that the tag name parses as semver. Then check the provider's recent-deliveries log for a 200 and look at your activity feed for the matching ingest entry.
  • 403 Invalid signature: the secret on the provider side no longer matches what Packagento expects. Contact support to mint a fresh secret.
  • 200 received but no release published: ingest succeeded but one of the automated checks may have failed. Open the release page; the Quality tab lists the per-rule failures.
  • Hook missing entirely: typically caused by the connected credential losing the webhook-management permission. Reconnect the provider on Git integrations and contact support to re-create the hook.

Stripe webhooks (subscription renewals, refunds, payout state) are managed by Packagento; no vendor action is needed. See Stripe payouts for payout questions.