30 lines
976 B
Python
30 lines
976 B
Python
import os, hmac, hashlib, subprocess
|
|
from fastapi import FastAPI, Request, HTTPException
|
|
|
|
app = FastAPI()
|
|
SECRET = os.getenv("WEBHOOK_SECRET", "")
|
|
|
|
def verify(sig: str, body: bytes) -> bool:
|
|
# Gitea: X-Gitea-Signature = sha256=...
|
|
if not SECRET:
|
|
return False
|
|
mac = hmac.new(SECRET.encode(), msg=body, digestmod=hashlib.sha256).hexdigest()
|
|
expected = f"sha256={mac}"
|
|
return hmac.compare_digest(expected, sig)
|
|
|
|
@app.post("/webhook")
|
|
async def webhook(req: Request):
|
|
body = await req.body()
|
|
sig = req.headers.get("X-Gitea-Signature", "")
|
|
|
|
if not verify(sig, body):
|
|
raise HTTPException(401, "bad signature")
|
|
|
|
# 배포 스크립트 실행
|
|
# (컨테이너에 /scripts 가 마운트되어 있어야 함)
|
|
p = subprocess.run(["/scripts/deploy.sh"], capture_output=True, text=True)
|
|
if p.returncode != 0:
|
|
raise HTTPException(500, f"deploy failed:\n{p.stdout}\n{p.stderr}")
|
|
|
|
return {"ok": True, "out": p.stdout}
|