8d116828f5
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
<?php
declare(strict_types=1);
// Gitea push webhook — validates HMAC-SHA256 and runs deploy-tools.sh
// Runs as the dobetternorge user via SuexecUserGroup.

// HMAC key shared with the Gitea webhook configuration.
// NOTE(review): the key is committed in plain text in this web-served file, so
// anyone who can read the repository or its history can sign a push event that
// this endpoint will accept. Rotate it and load it from configuration that is
// kept out of version control and outside the document root.
const DEPLOY_SECRET = '59defe48282805e0706e556c39ecc852c3aa5d8f2598be378c68ac4a6a4b5813';

// Deploy script and the log it appends to, both resolved three directories
// above the one holding this file.
const DEPLOY_SCRIPT = __DIR__ . '/../../../bin/deploy-tools.sh';
const LOG_FILE = __DIR__ . '/../../../logs/deploy-tools.log';
// Every reply from this endpoint is JSON, the error replies included.
header('Content-Type: application/json');

// Only POST is accepted; any other verb is refused with 405 before the body
// or the signature header is looked at.
$isPost = $_SERVER['REQUEST_METHOD'] === 'POST';
if (!$isPost) {
    http_response_code(405);
    echo json_encode(['ok' => false, 'error' => 'Method not allowed']);
    exit;
}
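// Authenticate the delivery before anything in it is parsed: the
// X-Gitea-Signature header must equal the hex HMAC-SHA256 of the raw request
// body, keyed with DEPLOY_SECRET. A missing header becomes '' and is rejected
// by the comparison below.
$sig = $_SERVER['HTTP_X_GITEA_SIGNATURE'] ?? '';
$raw = file_get_contents('php://input');

// file_get_contents() returns false when the body cannot be read. Under
// strict_types that value would make hash_hmac() throw a TypeError, so the
// request is refused here with a clean 400 instead of an uncaught error.
if ($raw === false) {
    http_response_code(400);
    exit(json_encode(['ok' => false, 'error' => 'Unreadable request body']));
}

// hash_equals() compares in constant time, so response timing does not reveal
// how much of a guessed signature was correct.
// NOTE(review): the signature covers only the body, so a captured delivery
// stays valid if it is sent again; in this script the effect of a replay is
// limited to re-running the fixed deploy script.
$expected = hash_hmac('sha256', $raw, DEPLOY_SECRET);
if (!hash_equals($expected, $sig)) {
    http_response_code(403);
    exit(json_encode(['ok' => false, 'error' => 'Bad signature']));
}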
// Only a push to main triggers a deploy. Every other authenticated delivery
// (another ref, or a body that does not decode to an array carrying "ref") is
// acknowledged with the default 200 status and skipped.
$payload = json_decode($raw, true);
$ref = is_array($payload) ? ($payload['ref'] ?? '') : '';
if ($ref !== 'refs/heads/main') {
    exit(json_encode(['ok' => true, 'skipped' => true, 'ref' => $ref]));
}
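// Fire-and-forget — start the deploy detached from this request and answer the
// webhook straight away. The script's stdout and stderr are appended to the
// log file.
// NOTE(review): nothing here stops two pushes from starting overlapping
// deploys — confirm that deploy-tools.sh takes its own lock.
$logFile = LOG_FILE;
$script = DEPLOY_SCRIPT;

// Both paths are fixed constants, but they are quoted anyway so that a
// directory name containing spaces or shell metacharacters cannot change the
// command that runs.
$launch = 'bash ' . escapeshellarg($script);
$started = false;

if (function_exists('proc_open')) {
    $desc = [['pipe', 'r'], ['file', $logFile, 'a'], ['file', $logFile, 'a']];
    // The trailing "&" lets the intermediate shell return at once. Without it
    // proc_close() waits for the whole deploy to finish, which holds the
    // webhook response open instead of replying immediately.
    $proc = proc_open("{$launch} &", $desc, $pipes);
    if (is_resource($proc)) {
        // Nothing is ever written to the child, so close our end of its stdin
        // before reaping the shell.
        if (isset($pipes[0]) && is_resource($pipes[0])) {
            fclose($pipes[0]);
        }
        proc_close($proc);
        $started = true;
    }
} elseif (function_exists('exec')) {
    exec($launch . ' >> ' . escapeshellarg($logFile) . ' 2>&1 &');
    $started = true;
}

// Report a launch failure instead of claiming that a deploy is under way.
if (!$started) {
    http_response_code(500);
    exit(json_encode(['ok' => false, 'error' => 'Deploy could not be started']));
}

echo json_encode(['ok' => true, 'deploying' => true, 'ref' => $ref]);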