diff --git a/.gitea/workflows/build-pitch-deck.yml b/.gitea/workflows/build-pitch-deck.yml
index 219c3e3..73c51eb 100644
--- a/.gitea/workflows/build-pitch-deck.yml
+++ b/.gitea/workflows/build-pitch-deck.yml
@@ -1,8 +1,8 @@
 # Build + push pitch-deck Docker image to registry.meghsakha.com
 # and trigger orca redeploy on every push to main that touches pitch-deck/.
 #
-# Requires Gitea Actions secret: ORCA_WEBHOOK_SECRET_PITCH_DECK
-# (the secret printed by `orca webhooks add` on the server)
+# Orca's webhook endpoint doesn't require HMAC signing unless a secret is
+# configured on the webhook (orca webhooks add doesn't set one by default).
 name: Build pitch-deck
@@ -20,7 +20,7 @@ jobs:
 steps:
 - name: Checkout
 run: |
- apk add --no-cache git openssl curl
+ apk add --no-cache git curl
 git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
 - name: Build image
@@ -41,18 +41,14 @@ jobs:
 - name: Trigger orca redeploy
 env:
- ORCA_WEBHOOK_SECRET: ${{ secrets.ORCA_WEBHOOK_SECRET_PITCH_DECK }}
 ORCA_WEBHOOK_URL: https://46.225.100.82:6880/api/v1/webhooks/github
 run: |
- # Post a github-style push event to orca's webhook endpoint,
- # signed with HMAC-SHA256 using the per-webhook secret.
- PAYLOAD="{\"ref\":\"refs/heads/main\",\"repository\":{\"full_name\":\"${GITHUB_REPOSITORY}\"},\"after\":\"$(git rev-parse HEAD)\"}"
- SIG=$(printf '%s' "$PAYLOAD" | openssl dgst -sha256 -hmac "$ORCA_WEBHOOK_SECRET" -r | awk '{print $1}')
+ SHA=$(git rev-parse HEAD)
+ PAYLOAD="{\"ref\":\"refs/heads/main\",\"repository\":{\"full_name\":\"${GITHUB_REPOSITORY}\"},\"head_commit\":{\"id\":\"$SHA\",\"message\":\"ci: pitch-deck image build\"}}"
 curl -sSf -k \
 -X POST \
 -H "Content-Type: application/json" \
 -H "X-GitHub-Event: push" \
- -H "X-Hub-Signature-256: sha256=$SIG" \
 -d "$PAYLOAD" \
 "$ORCA_WEBHOOK_URL" \
 || { echo "Orca redeploy failed"; exit 1; }
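Review bot: The `Trigger orca redeploy` step now posts the push event with no `X-Hub-Signature-256` header, and the unchanged `curl -sSf -k` still skips certificate verification, so after this change neither end of the call authenticates the other. Going by the new header comment, orca enforces HMAC only when a secret is set on the webhook, which suggests any client that can reach `ORCA_WEBHOOK_URL` could trigger a redeploy with a payload of this shape. I would rather configure a secret on the orca webhook and keep the three removed signing lines (the `ORCA_WEBHOOK_SECRET` env entry, the `SIG=$(… openssl dgst -sha256 -hmac …)` line and `-H "X-Hub-Signature-256: sha256=$SIG" \`), which also means keeping `openssl` in the `apk add` of the Checkout step. Separately, replacing `-k` with `--cacert PATH_TO_ORCA_CA` (placeholder path) would let the runner verify the server it is talking to. If the unsigned call is intentional, the header comment should say what restricts access to the endpoint instead.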