49 lines
1.4 KiB
Python
49 lines
1.4 KiB
Python
import os
|
|
import subprocess
|
|
import hmac
|
|
import hashlib
|
|
import json
|
|
from flask import Flask, request, jsonify
|
|
|
|
app = Flask(__name__)
|
|
|
|
WEBHOOK_SECRET = os.environ.get("WEBHOOK_SECRET", "change-me")
|
|
DEPLOY_SCRIPT = os.environ.get("DEPLOY_SCRIPT", "/opt/aufmassweb/deploy.sh")
|
|
|
|
def verify_signature(payload, signature):
|
|
if not signature:
|
|
return False
|
|
expected = "sha256=" + hmac.new(WEBHOOK_SECRET.encode(), payload, hashlib.sha256).hexdigest()
|
|
return hmac.compare_digest(expected, signature)
|
|
|
|
@app.route("/webhook", methods=["POST"])
|
|
def webhook():
|
|
signature = request.headers.get("X-Gitea-Signature", "")
|
|
payload = request.get_data()
|
|
|
|
if not verify_signature(payload, signature):
|
|
return jsonify({"error": "invalid signature"}), 403
|
|
|
|
data = request.get_json(silent=True) or {}
|
|
ref = data.get("ref", "")
|
|
if ref != "refs/heads/main":
|
|
return jsonify({"message": f"ignored push to {ref}"}), 200
|
|
|
|
result = subprocess.run(
|
|
["bash", DEPLOY_SCRIPT],
|
|
capture_output=True, text=True, timeout=300
|
|
)
|
|
|
|
return jsonify({
|
|
"status": "ok" if result.returncode == 0 else "error",
|
|
"stdout": result.stdout,
|
|
"stderr": result.stderr,
|
|
}), (200 if result.returncode == 0 else 500)
|
|
|
|
@app.route("/health", methods=["GET"])
|
|
def health():
|
|
return jsonify({"status": "ok"})
|
|
|
|
if __name__ == "__main__":
|
|
app.run(host="0.0.0.0", port=5001)
|