"action": review_requested hooks cause Drone to reply with "message":"Invalid or malformed webhook"

Expected Behavior

Builds and status checks are submitted to Drone when a push is made against a PR.

Actual Behavior

Some pr hooks fail, some push hooks fail. Drone response with the body:

{"message":"Invalid or malformed webhook"}

Steps to Reproduce

GitHub Enterprise (GHE) Server 2.19.4

  1. Create a repository in GHE
  2. Activate the repository via Drone
  3. Create a branch in git, create a .drone.yml file with a noop step like echo “hello world”
  4. Push the branch
  5. Create a PR for the branch in GHE
  6. Add a reviewer to the PR
  7. Finish creating the PR
  8. Make another change in the git repo (anything that will cause the drone file to get re-run)
  9. Push that change


This error is visible from the GHE Repository > Settings > Hooks > Recently Delivered hooks section. pull_request and “push” actions work just fine.

This also failed when using Drone v1.2.3.

Drone setup details:


I was unable to reproduce with GitHub (I do not have GitHub Enterprise). Can you provide a copy of the webhook payload that is causing issues? You should be able to retrieve a copy from the recently delivered webhooks section. We can add a unit test that runs the webhook through our parser [1] to see if we can reproduce the error.

[1] https://github.com/drone/go-scm/blob/master/scm/driver/github/webhook_test.go#L21

also, only the following hooks should be selected:

  • Branch or tag deletion
  • Branch or tag creation
  • Deployments (this may or may not be selected, depending on version of Drone)
  • Pull Request
  • Pushes

can you confirm no other boxes were manually selected?

Confirmed, those are the only actions selected. We let Drone activate the actions, nobody has manually edited them.
Working on a redacted payload

thanks for confirming. I just sent you a DM in case you want provide me the payload in private.

Added GHE server version to the body

Also seeing this for:

“action”: “assigned” and “unassigned”

Working: “labeled”, “unlabeled”, “edited”, “locked”, “unlocked”

A bit more clarification on the actual issue we’re having:

I suppose the main issue is that, while this failed in both versions: v1.2.3 and v1.9.0, only with 1.9.0 does it fail to report the status of the build back to GHE. We have status checks to ensure that linting and builds succeed before merges go through back to the main branch. But because Drone 1.9.0 isn’t updating GHE that the status completed, GHE still sees the job as pending and thus doesn’t let the merge occur. However, Drone 1.2.3 appears to have done this, even though the webhook was malformed, which… we’re still not sure what’s going on with this.

It sounds like perhaps these are two separate issues. The action, assigned, review_requested and unassigned webhooks should not throw a parsing error, however, they should still be ignored by the system. Since these event types are ignored and do not trigger a build, they would not set a status. Only pull request opened and synchronize events would trigger a build and set a state. So if there is a problem with status being set, I am not sure it would be related to issues parsing these particular hook types.

Drone was able to parse the sample webhook you provided.

It turns out that instead of ignoring unsupported actions and returning a 200 response, the system is returning the Invalid or malformed webhook error. This results in webhook errors in your webhook management screen in GitHub. This is misleading and needs to be fixed (edit: here is the fix) but this does not prevent Drone from functioning properly since these webhooks should have just been ignored.

If you are seeing issues with status updates we can help you troubleshoot, however, they would be unrelated to this particular error message.

Understood. We’ll keep digging.