Using webhooks with Laravel Forge deployments

< More Blogs

Laravel Forge is a great tool for managing servers for Laravel apps. It allows you to connect your cloud provider account (AWS, Linode, Digital Ocean, etc) and then provision and deploy a pre-configured server to run your Laravel app. It requires minimal effort to get set up, and comes with a bunch of easy-to-use options for managing the server.

Forge also manages deployments for you, with either a one-click deploy or automatic deployments based on your commits. We'd recommend only ever using automatic deploys on staging sites, if at all.

Using Janitor with Laravel Forge

So where does Janitor come into all of this?

On every paid plan of Janitor you get access to webhooks. A webhook is a single, unique URL per website. Visiting that URL will trigger a full scan of all of your enabled features within Janitor.

Laravel Forge has a webhook section of its own. By adding your webhook URL to Forge you can tell Forge to trigger a visit to your Janitor webhook once a successful deployment is made.

Finding your Janitor Webhook

Each website in Janitor has its own webhook URL. To find it, log into your account and click 'Websites'. Select the website you want the webhook for.

Your webhook should be at the bottom of the page.

Not seeing your webhook? Ensure you're on a paid plan, webhooks aren't available on free plans.

Janitor-webhook

Adding your Webhook to Forge

Within Forge visit your website (not the server, but the website itself).

On the left menu you should see a menu. One of the items is Notifications, click that.

One of the sections is 'Deployment Webhooks'. Paste your Janitor Webhook in there and click Add Webhook.

That's it, you're done. Now, on that website, every time a deployment is made Forge will ping Janitor's webhook and initialise a full scan of your site.

Forge-webhooks

A note on security

The webhook contains your website ID and a unique token. The website ID is unique to the token, so you can't just change the ID to trigger scans elsewhere. However you should treat this URL and token like you would a password.

Keep it safe, don't put it online anywhere, and try to keep it out of version control if at all possible.