Initial commit

README.md

@@ -0,0 +1,58 @@
+# site-pusher
+
+Small webhook listener that deploys `egfh-website` from inside this container.
+
+The container listens on `POST /webhook`, verifies a shared secret, clones or updates `https://git.pattinson.org/jamesp/egfh-website.git` in a Docker volume, installs dependencies, and runs:
+
+```sh
+npm run deploy:worker:test
+```
+
+## Configure
+
+Add these values to `.env`:
+
+```sh
+WEBHOOK_SECRET=change-this
+WEBHOOK_SECRET_HEADER=x-webhook-secret
+DEPLOY_REPO_URL=https://git.pattinson.org/jamesp/egfh-website.git
+DEPLOY_BRANCH=main
+DEPLOY_COMMAND=npm run deploy:worker:test
+DEPLOY_DEBOUNCE_SECONDS=60
+HOST_PORT=3000
+```
+
+All existing Cloudflare, Directus, and public environment variables in `.env` are passed into the deploy container.
+
+`DEPLOY_DEBOUNCE_SECONDS` controls how long the service waits after a webhook before deploying. If more webhooks arrive during that window, the timer resets so a noisy burst becomes one deploy. If a webhook arrives while a deploy is running, one follow-up deploy is scheduled after the running deploy completes.
+
+The webhook accepts any of these auth forms:
+
+- `x-webhook-secret: <WEBHOOK_SECRET>` by default, or whatever `WEBHOOK_SECRET_HEADER` names
+- `Authorization: Bearer <WEBHOOK_SECRET>`
+- `Authorization: <WEBHOOK_SECRET>`
+- Gitea `X-Gitea-Signature` HMAC SHA-256 using `WEBHOOK_SECRET`
+
+For Gitea, either set the webhook `Authorization Header` to the same value as `WEBHOOK_SECRET`, or put that value in Gitea's `Secret` field and leave signature verification to `X-Gitea-Signature`.
+
+## Run
+
+```sh
+sudo docker compose up -d --build
+sudo docker compose logs -f site-pusher
+```
+
+Test locally:
+
+```sh
+curl -X POST http://localhost:3000/webhook \
+  -H 'content-type: application/json' \
+  -H "x-webhook-secret: $WEBHOOK_SECRET" \
+  -d '{"manual":true}'
+```
+
+Health check:
+
+```sh
+curl http://localhost:3000/healthz
+```