site-pusher

Small webhook listener that deploys egfh-website from inside this container.

The container listens on POST /webhook, verifies a shared secret, clones or updates https://git.pattinson.org/jamesp/egfh-website.git in a Docker volume, installs dependencies, and runs:

npm run deploy:worker:test

Configure

Add these values to .env:

WEBHOOK_SECRET=change-this
WEBHOOK_SECRET_HEADER=x-webhook-secret
DEPLOY_REPO_URL=https://git.pattinson.org/jamesp/egfh-website.git
DEPLOY_BRANCH=main
DEPLOY_COMMAND=npm run deploy:worker:test
DEPLOY_DEBOUNCE_SECONDS=60
HOST_PORT=3000

All existing Cloudflare, Directus, and public environment variables in .env are passed into the deploy container.

DEPLOY_DEBOUNCE_SECONDS controls how long the service waits after a webhook before deploying. If more webhooks arrive during that window, the timer resets so a noisy burst becomes one deploy. If a webhook arrives while a deploy is running, one follow-up deploy is scheduled after the running deploy completes.

The webhook accepts any of these auth forms:

• x-webhook-secret: <WEBHOOK_SECRET> by default, or whatever WEBHOOK_SECRET_HEADER names
• Authorization: Bearer <WEBHOOK_SECRET>
• Authorization: <WEBHOOK_SECRET>
• Gitea X-Gitea-Signature HMAC SHA-256 using WEBHOOK_SECRET

For Gitea, either set the webhook Authorization Header to the same value as WEBHOOK_SECRET, or put that value in Gitea's Secret field and leave signature verification to X-Gitea-Signature.

Run

sudo docker compose up -d --build
sudo docker compose logs -f site-pusher

Test locally:

curl -X POST http://localhost:3000/webhook \
  -H 'content-type: application/json' \
  -H "x-webhook-secret: $WEBHOOK_SECRET" \
  -d '{"manual":true}'

Health check:

curl http://localhost:3000/healthz