38 lines
1.1 KiB
Python
38 lines
1.1 KiB
Python
import os, hmac, hashlib, subprocess
|
|
from fastapi import FastAPI, Request, HTTPException
|
|
|
|
app = FastAPI()
|
|
SECRET = os.getenv("WEBHOOK_SECRET", "")
|
|
|
|
def verify(sig: str, body: bytes) -> bool:
|
|
if not SECRET or not sig:
|
|
return False
|
|
|
|
mac = hmac.new(SECRET.encode(), msg=body, digestmod=hashlib.sha256).hexdigest()
|
|
|
|
# Gitea가 보내는 포맷이 케이스별로 달라서 둘 다 허용
|
|
candidates = {mac, f"sha256={mac}"}
|
|
return any(hmac.compare_digest(sig, c) for c in candidates)
|
|
|
|
@app.post("/webhook")
|
|
async def webhook(req: Request):
|
|
body = await req.body()
|
|
|
|
# ✅ 여기(함수 안)에서 헤더 읽기
|
|
sig = (
|
|
req.headers.get("X-Gitea-Signature")
|
|
or req.headers.get("X-Hub-Signature-256")
|
|
or ""
|
|
)
|
|
|
|
if not verify(sig, body):
|
|
raise HTTPException(401, "bad signature")
|
|
|
|
# 배포 스크립트 실행
|
|
p = subprocess.run(["/bin/bash", "/scripts/deploy.sh"], capture_output=True, text=True)
|
|
if p.returncode != 0:
|
|
raise HTTPException(500, f"deploy failed:\n{p.stdout}\n{p.stderr}")
|
|
|
|
return {"ok": True, "out": p.stdout}
|
|
|