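import hashlib
import hmac
import os
import subprocess

from fastapi import FastAPI, Request, HTTPException

app = FastAPI()

# Shared secret configured on the webhook sender. An empty or unset value makes
# verify() reject every request, so the endpoint fails closed.
SECRET = os.getenv("WEBHOOK_SECRET", "")

_SIG_PREFIX = "sha256="


def verify(sig: str, body: bytes) -> bool:
    """Return True if *sig* is a valid HMAC-SHA256 signature of *body*.

    Args:
        sig: Value of the signature header, either the bare hex digest or
            the digest prefixed with ``sha256=``.
        body: The raw request body, exactly as received.

    Returns:
        False when SECRET is empty or the signature does not match.
    """
    if not SECRET:
        return False
    digest = hmac.new(
        SECRET.encode(), msg=body, digestmod=hashlib.sha256
    ).hexdigest()
    # NOTE(review): Gitea documents X-Gitea-Signature as the bare hex digest;
    # the "sha256=" form is the GitHub-style one. Both are accepted here, so a
    # genuine delivery is not rejected over the prefix -- confirm against the
    # Gitea version in use.
    candidate = sig[len(_SIG_PREFIX):] if sig.startswith(_SIG_PREFIX) else sig
    # Compare as bytes: hmac.compare_digest() raises TypeError for str
    # arguments containing non-ASCII characters, which would turn a malformed
    # header from an unauthenticated client into a 500 instead of a 401.
    return hmac.compare_digest(
        digest.encode("ascii"), candidate.encode("utf-8", "replace")
    )


@app.post("/webhook")
async def webhook(req: Request):
    """Run the deploy script for a correctly signed webhook delivery.

    Raises:
        HTTPException: 401 when the signature check fails, 500 when the
            deploy script exits with a non-zero status.
    """
    # The signature covers the raw bytes, so verify before any parsing.
    body = await req.body()
    sig = req.headers.get("X-Gitea-Signature", "")
    if not verify(sig, body):
        raise HTTPException(401, "bad signature")

    # NOTE(review): a valid signature shows the body was signed with SECRET,
    # not that the delivery is new; a repeated delivery runs the deploy again.
    # Make deploy.sh idempotent or de-duplicate deliveries if that matters.

    # Run the deploy script
    # (/scripts must be mounted in the container)
    # Fixed argv list, no shell: nothing from the request reaches the command.
    # NOTE(review): this call blocks the event loop for the duration of the
    # deploy and has no timeout, so a hung script stalls this worker.
    p = subprocess.run(["/scripts/deploy.sh"], capture_output=True, text=True)
    if p.returncode != 0:
        # NOTE(review): script output is sent back to the caller here and in
        # the success response; the sender may keep delivery responses, so
        # deploy.sh should not print credentials.
        raise HTTPException(500, f"deploy failed:\n{p.stdout}\n{p.stderr}")
    return {"ok": True, "out": p.stdout}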