Add Gitea push webhook endpoint for automated deploy

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

scripts/deploy-hook.php

@@ -0,0 +1,46 @@
+<?php
+declare(strict_types=1);
+
+// Gitea push webhook — validates HMAC-SHA256 and runs deploy-tools.sh
+// Runs as the dobetternorge user via SuexecUserGroup.
+
+define('DEPLOY_SECRET', '59defe48282805e0706e556c39ecc852c3aa5d8f2598be378c68ac4a6a4b5813');
+define('DEPLOY_SCRIPT', __DIR__ . '/../../../bin/deploy-tools.sh');
+define('LOG_FILE',      __DIR__ . '/../../../logs/deploy-tools.log');
+
+header('Content-Type: application/json');
+
+if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
+    http_response_code(405);
+    exit(json_encode(['ok' => false, 'error' => 'Method not allowed']));
+}
+
+$sig = $_SERVER['HTTP_X_GITEA_SIGNATURE'] ?? '';
+$raw = file_get_contents('php://input');
+
+$expected = hash_hmac('sha256', $raw, DEPLOY_SECRET);
+if (!hash_equals($expected, $sig)) {
+    http_response_code(403);
+    exit(json_encode(['ok' => false, 'error' => 'Bad signature']));
+}
+
+$payload = json_decode($raw, true);
+$ref     = $payload['ref'] ?? '';
+if ($ref !== 'refs/heads/main') {
+    echo json_encode(['ok' => true, 'skipped' => true, 'ref' => $ref]);
+    exit;
+}
+
+// Fire-and-forget — respond immediately, deploy runs in background
+$logFile = LOG_FILE;
+$script  = DEPLOY_SCRIPT;
+$cmd     = "bash {$script} >> {$logFile} 2>&1";
+if (function_exists('proc_open')) {
+    $desc = [['pipe', 'r'], ['file', $logFile, 'a'], ['file', $logFile, 'a']];
+    $proc = proc_open('bash ' . escapeshellarg($script), $desc, $pipes, null, null, ['bypass_shell' => false]);
+    if (is_resource($proc)) proc_close($proc);
+} else {
+    exec("{$cmd} &");
+}
+
+echo json_encode(['ok' => true, 'deploying' => true, 'ref' => $ref]);