import os, hmac, hashlib, subprocess
from fastapi import FastAPI, Request, HTTPException

app = FastAPI()
SECRET = os.getenv("WEBHOOK_SECRET", "")

def verify(sig: str, body: bytes) -> bool:
    if not SECRET or not sig:
        return False

    mac = hmac.new(SECRET.encode(), msg=body, digestmod=hashlib.sha256).hexdigest()

    # Gitea가 보내는 포맷이 케이스별로 달라서 둘 다 허용
    candidates = {mac, f"sha256={mac}"}
    return any(hmac.compare_digest(sig, c) for c in candidates)

@app.post("/webhook")
async def webhook(req: Request):
    body = await req.body()

    # ✅ 여기(함수 안)에서 헤더 읽기
    sig = (
        req.headers.get("X-Gitea-Signature")
        or req.headers.get("X-Hub-Signature-256")
        or ""
    )

    if not verify(sig, body):
        raise HTTPException(401, "bad signature")

    # 배포 스크립트 실행
    p = subprocess.run(["/scripts/deploy.sh"], capture_output=True, text=True)
    if p.returncode != 0:
        raise HTTPException(500, f"deploy failed:\n{p.stdout}\n{p.stderr}")

    return {"ok": True, "out": p.stdout}