site-pusher
Small webhook listener that deploys egfh-website from inside this container.
The container listens on POST /webhook, verifies a shared secret, clones or updates https://git.pattinson.org/jamesp/egfh-website.git in a Docker volume, installs dependencies, and runs:
npm run deploy:worker:test
Configure
Add these values to .env:
WEBHOOK_SECRET=change-this
WEBHOOK_SECRET_HEADER=x-webhook-secret
DEPLOY_REPO_URL=https://git.pattinson.org/jamesp/egfh-website.git
DEPLOY_BRANCH=main
DEPLOY_COMMAND=npm run deploy:worker:test
DEPLOY_DEBOUNCE_SECONDS=60
HOST_PORT=3000
All existing Cloudflare, Directus, and public environment variables in .env are passed into the deploy container.
DEPLOY_DEBOUNCE_SECONDS controls how long the service waits after a webhook before deploying. If more webhooks arrive during that window, the timer resets so a noisy burst becomes one deploy. If a webhook arrives while a deploy is running, one follow-up deploy is scheduled after the running deploy completes.
The webhook accepts any of these auth forms:
- x-webhook-secret: <WEBHOOK_SECRET> by default, or whatever WEBHOOK_SECRET_HEADER names
- Authorization: Bearer <WEBHOOK_SECRET>
- Authorization: <WEBHOOK_SECRET>
- Gitea X-Gitea-Signature HMAC SHA-256 using WEBHOOK_SECRET
For Gitea, either set the webhook Authorization Header to the same value as WEBHOOK_SECRET, or put that value in Gitea's Secret field and leave signature verification to X-Gitea-Signature.
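The four auth forms above, checked with constant-time comparison, as an added example that is not site-pusher's own code. The function names (safeEqual, authenticate), the returned labels, and the sample secret and body are assumptions made for illustration.

```javascript
// Added example: hypothetical helper, not the site-pusher source.
const crypto = require('node:crypto');

// Constant-time string comparison. Hashing both sides first gives equal-length
// buffers, so timingSafeEqual never throws and the secret's length is not leaked.
function safeEqual(a, b) {
  const ha = crypto.createHash('sha256').update(String(a)).digest();
  const hb = crypto.createHash('sha256').update(String(b)).digest();
  return crypto.timingSafeEqual(ha, hb);
}

// headers: object with lower-cased header names (as Node's http module provides).
// rawBody: Buffer or string of the exact bytes received, before JSON parsing.
// Returns the name of the auth form that matched, or null to reject.
function authenticate(headers, rawBody, secret, secretHeader = 'x-webhook-secret') {
  if (!secret) return null; // fail closed when WEBHOOK_SECRET is unset

  const custom = headers[secretHeader.toLowerCase()];
  if (custom && safeEqual(custom, secret)) return 'header';

  const auth = headers['authorization'];
  if (auth) {
    if (auth.startsWith('Bearer ') && safeEqual(auth.slice(7), secret)) return 'bearer';
    if (safeEqual(auth, secret)) return 'authorization';
  }

  const sig = headers['x-gitea-signature'];
  if (sig) {
    // Gitea sends the hex HMAC-SHA256 of the request body, keyed with its Secret field.
    const expected = crypto.createHmac('sha256', secret).update(rawBody).digest('hex');
    if (safeEqual(sig.toLowerCase(), expected)) return 'gitea-signature';
  }
  return null;
}

// Constructed sample request, not captured traffic.
const SECRET = 'constructed-test-secret';
const BODY = Buffer.from('{"manual":true}');
const SIG = crypto.createHmac('sha256', SECRET).update(BODY).digest('hex');
```

Of the four forms, only the signature ties the secret to the request body; the header forms carry the secret itself on every request, so they rely on the webhook being delivered over TLS.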
Run
sudo docker compose up -d --build
sudo docker compose logs -f site-pusher
Test locally:
curl -X POST http://localhost:3000/webhook \
-H 'content-type: application/json' \
-H "x-webhook-secret: $WEBHOOK_SECRET" \
-d '{"manual":true}'
Health check:
curl http://localhost:3000/healthz