diff --git a/app/Http/Controllers/Webhook/Github.php b/app/Http/Controllers/Webhook/Github.php
index e5a5b746e..fe49369ea 100644
--- a/app/Http/Controllers/Webhook/Github.php
+++ b/app/Http/Controllers/Webhook/Github.php
@@ -55,6 +55,9 @@ public function manual(Request $request)
 $after_sha = data_get($payload, 'after', data_get($payload, 'pull_request.head.sha'));
 $author_association = data_get($payload, 'pull_request.author_association');
 }
+ if (! in_array($x_github_event, ['push', 'pull_request'])) {
+ return response("Nothing to do. Event '$x_github_event' is not supported.");
+ }
 if (! $branch) {
 return response('Nothing to do. No branch found in the request.');
 }
@@ -246,6 +249,9 @@ public function normal(Request $request)
 $after_sha = data_get($payload, 'after', data_get($payload, 'pull_request.head.sha'));
 $author_association = data_get($payload, 'pull_request.author_association');
 }
+ if (! in_array($x_github_event, ['push', 'pull_request'])) {
+ return response("Nothing to do. Event '$x_github_event' is not supported.");
+ }
 if (! $id || ! $branch) {
 return response('Nothing to do. No id or branch found.');
 }
diff --git a/tests/Feature/GithubWebhookTest.php b/tests/Feature/GithubWebhookTest.php
new file mode 100644
index 000000000..aee5239fb
--- /dev/null
+++ b/tests/Feature/GithubWebhookTest.php
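Review bot: The guard added in manual() builds its response with `"Nothing to do. Event '$x_github_event' is not supported."`, which echoes a caller-supplied value (presumably the `X-GitHub-Event` header) into a body that Laravel serves as `text/html` unless a content type is set; the accompanying tests reach this return with an invalid `X-Hub-Signature-256`, so the echoed text is unauthenticated at this point. Return a fixed message or escape the value, e.g. `return response("Nothing to do. Event '".e($x_github_event)."' is not supported.");`, and pass `true` as the third argument to `in_array` so the match is strict. The identical lines added to normal() in the second hunk need the same change. Both methods start and end outside the hunks, so the assignment of `$x_github_event` and the position of the signature check relative to this return are not visible here.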
@@ -0,0 +1,70 @@
+postJson('/webhooks/source/github/events/manual', [], [
+ 'X-GitHub-Event' => 'ping',
+ ]);
+
+ $response->assertOk();
+ $response->assertSee('pong');
+ });
+
+ test('unsupported event type returns graceful response instead of 500', function () {
+ $payload = [
+ 'action' => 'published',
+ 'registry_package' => [
+ 'ecosystem' => 'CONTAINER',
+ 'package_type' => 'CONTAINER',
+ 'package_version' => [
+ 'target_commitish' => 'main',
+ ],
+ ],
+ 'repository' => [
+ 'full_name' => 'test-org/test-repo',
+ 'default_branch' => 'main',
+ ],
+ ];
+
+ $response = $this->postJson('/webhooks/source/github/events/manual', $payload, [
+ 'X-GitHub-Event' => 'registry_package',
+ 'X-Hub-Signature-256' => 'sha256=fake',
+ ]);
+
+ $response->assertOk();
+ $response->assertSee('not supported');
+ });
+
+ test('unknown event type returns graceful response', function () {
+ $response = $this->postJson('/webhooks/source/github/events/manual', ['foo' => 'bar'], [
+ 'X-GitHub-Event' => 'some_unknown_event',
+ 'X-Hub-Signature-256' => 'sha256=fake',
+ ]);
+
+ $response->assertOk();
+ $response->assertSee('not supported');
+ });
+});
+
+describe('GitHub Normal Webhook', function () {
+ test('unsupported event type returns graceful response instead of 500', function () {
+ $payload = [
+ 'action' => 'published',
+ 'registry_package' => [
+ 'ecosystem' => 'CONTAINER',
+ ],
+ 'repository' => [
+ 'full_name' => 'test-org/test-repo',
+ ],
+ ];
+
+ $response = $this->postJson('/webhooks/source/github/events', $payload, [
+ 'X-GitHub-Event' => 'registry_package',
+ 'X-GitHub-Hook-Installation-Target-Id' => '12345',
+ 'X-Hub-Signature-256' => 'sha256=fake',
+ ]);
+
+ // Should not be a 500 error - either 200 with "not supported" or "No GitHub App found"
+ $response->assertOk();
+ });
+});
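Review bot: The 'GitHub Normal Webhook' test ends with only `$response->assertOk();`, so it passes whichever early return produced the 200, as its own comment concedes, and does not show that the new unsupported-event guard ran. If the guard is meant to answer first on that route, add `$response->assertSee('not supported');` as the manual-webhook tests do. Every request in this file carries `X-Hub-Signature-256: sha256=fake` and expects a 200, so a companion case sending a `push` event with the same invalid signature and asserting that it is not accepted would confirm the guard did not weaken signature handling for supported events. The opening lines of this new file, including the start of the first test, are not visible on this page.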