by caseysoftware 1371 days ago
Have you considered ngrok? You can open up a private tunnel from your local environment (local machine, container, device, whatever) to the public internet in seconds. Then you can layer on IP restrictions and even webhook verification to block any traffic not from your provider of choice. It's as simple as:

ngrok http 80 --verify-webhook=slack --verify-webhook-secret=[secret]

with a ton of providers out of the box: https://ngrok.com/docs/cloud-edge#webhook-verification

Also, we recently launched https://webhooks.fyi/ to serve as a community resource to capture patterns & practices around webhook implementations. That's a GitHub Pages site, so pull requests welcome!

Disclosure: I work at ngrok and helped create webhooks.fyi :)

3 comments

ngrok free is great for smaller scale, as you describe.

OpenZiti simplifies scale:

+ mTLS

+ zero trust w/ inbound firewall rule of deny-all (rather than ACLs)

+ private DNS w/ wildcard domains

Note: mTLS, wildcard domains, etc. are in ngrok's $900/user annual plan, but these are free for FOSS like the OpenZiti solution used by OP (and maybe free for other solutions too?)

Disclosure: I have never paid for ngrok but have used it sporadically for many years for some quick tunneling use-cases. It feels... magical, and a joy to use. OP, if it fits your use-case, would recommend giving them a try!

That's useful that ngrok has centralized webhook verification! It's meaningful security for the first hop from GitHub to ngrok.
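
What a Slack-style webhook verification step checks, as an added example (not code from ngrok or from anyone in this thread): it recomputes Slack's `v0` HMAC-SHA256 request signature and rejects stale timestamps. The secret, payload and timestamps are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac
import time

MAX_SKEW_SECONDS = 300  # replay window: reject timestamps older than 5 minutes


def slack_signature(secret: bytes, timestamp: str, body: bytes) -> str:
    """Slack v0 scheme: HMAC-SHA256 over b"v0:<timestamp>:<raw body>"."""
    base = b"v0:" + timestamp.encode() + b":" + body
    return "v0=" + hmac.new(secret, base, hashlib.sha256).hexdigest()


def verify_slack_request(secret: bytes, headers: dict, body: bytes, now=None) -> bool:
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    ts = h.get("x-slack-request-timestamp", "")
    sig = h.get("x-slack-signature", "")
    if not (ts.isascii() and ts.isdigit()) or not sig:
        return False  # missing or malformed headers: treat as unsigned
    now = time.time() if now is None else now
    if abs(now - int(ts)) > MAX_SKEW_SECONDS:
        return False  # stale timestamp: possible replay of a captured request
    expected = slack_signature(secret, ts, body)
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(expected.encode(), sig.encode())


def demo() -> dict:
    # Constructed sample values, not real credentials or traffic.
    secret = b"constructed-signing-secret"
    body = b'{"type":"event_callback","event":{"type":"app_mention"}}'
    ts = "1700000000"
    headers = {"X-Slack-Request-Timestamp": ts,
               "X-Slack-Signature": slack_signature(secret, ts, body)}
    now = int(ts) + 10
    return {
        "valid": verify_slack_request(secret, headers, body, now),
        "tampered_body": verify_slack_request(secret, headers, body + b" ", now),
        "replayed_late": verify_slack_request(secret, headers, body, now + 3600),
        "unsigned": verify_slack_request(secret, {}, body, now),
        "wrong_secret": verify_slack_request(b"other", headers, body, now),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The signature must be computed over the raw request bytes; re-serialising parsed JSON before hashing changes the bytes and makes valid requests fail.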