site-pusher/README.md

# site-pusher

Small webhook listener that deploys `egfh-website` from inside this container.

The container listens on `POST /webhook`, verifies a shared secret, clones or updates `https://git.pattinson.org/jamesp/egfh-website.git` in a Docker volume, installs dependencies, and runs:

```sh
npm run deploy:worker:test
```

## Configure

Add these values to `.env`:

```sh
WEBHOOK_SECRET=change-this
WEBHOOK_SECRET_HEADER=x-webhook-secret
DEPLOY_REPO_URL=https://git.pattinson.org/jamesp/egfh-website.git
DEPLOY_BRANCH=main
DEPLOY_COMMAND=npm run deploy:worker:test
DEPLOY_DEBOUNCE_SECONDS=60
HOST_PORT=3000
```

All existing Cloudflare, Directus, and public environment variables in `.env` are passed into the deploy container.

`DEPLOY_DEBOUNCE_SECONDS` controls how long the service waits after a webhook before deploying. If more webhooks arrive during that window, the timer resets so a noisy burst becomes one deploy. If a webhook arrives while a deploy is running, one follow-up deploy is scheduled after the running deploy completes.

The webhook accepts any of these auth forms:

- `x-webhook-secret: <WEBHOOK_SECRET>` by default, or whatever `WEBHOOK_SECRET_HEADER` names
- `Authorization: Bearer <WEBHOOK_SECRET>`
- `Authorization: <WEBHOOK_SECRET>`
- Gitea `X-Gitea-Signature` HMAC SHA-256 using `WEBHOOK_SECRET`

For Gitea, either set the webhook `Authorization Header` to the same value as `WEBHOOK_SECRET`, or put that value in Gitea's `Secret` field and leave signature verification to `X-Gitea-Signature`.

## Run

```sh
sudo docker compose up -d --build
sudo docker compose logs -f site-pusher
```

Test locally:

```sh
curl -X POST http://localhost:3000/webhook \
  -H 'content-type: application/json' \
  -H "x-webhook-secret: $WEBHOOK_SECRET" \
  -d '{"manual":true}'
```

Health check:

```sh
curl http://localhost:3000/healthz
```