ci: drop HMAC signing (orca webhooks have no secret by default)
All checks were successful
CI / go-lint (push) Has been skipped
CI / python-lint (push) Has been skipped
CI / nodejs-lint (push) Has been skipped
CI / test-go-consent (push) Successful in 33s
CI / test-python-voice (push) Successful in 31s
CI / test-bqas (push) Successful in 32s
All checks were successful
CI / go-lint (push) Has been skipped
CI / python-lint (push) Has been skipped
CI / nodejs-lint (push) Has been skipped
CI / test-go-consent (push) Successful in 33s
CI / test-python-voice (push) Successful in 31s
CI / test-bqas (push) Successful in 32s
This commit is contained in:
Sharang Parnerkar
@@ -1,8 +1,8 @@
|
|||||||
# Build + push pitch-deck Docker image to registry.meghsakha.com
|
# Build + push pitch-deck Docker image to registry.meghsakha.com
|
||||||
# and trigger orca redeploy on every push to main that touches pitch-deck/.
|
# and trigger orca redeploy on every push to main that touches pitch-deck/.
|
||||||
#
|
#
|
||||||
# Requires Gitea Actions secret: ORCA_WEBHOOK_SECRET_PITCH_DECK
|
# Orca's webhook endpoint doesn't require HMAC signing unless a secret is
|
||||||
# (the secret printed by `orca webhooks add` on the server)
|
# configured on the webhook (orca webhooks add doesn't set one by default).
|
||||||
|
|
||||||
name: Build pitch-deck
|
name: Build pitch-deck
|
||||||
|
|
||||||
@@ -20,7 +20,7 @@ jobs:
|
|||||||
steps:
|
steps:
|
||||||
- name: Checkout
|
- name: Checkout
|
||||||
run: |
|
run: |
|
||||||
apk add --no-cache git openssl curl
|
apk add --no-cache git curl
|
||||||
git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
|
git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
|
||||||
|
|
||||||
- name: Build image
|
- name: Build image
|
||||||
@@ -41,18 +41,14 @@ jobs:
|
|||||||
|
|
||||||
- name: Trigger orca redeploy
|
- name: Trigger orca redeploy
|
||||||
env:
|
env:
|
||||||
ORCA_WEBHOOK_SECRET: ${{ secrets.ORCA_WEBHOOK_SECRET_PITCH_DECK }}
|
|
||||||
ORCA_WEBHOOK_URL: https://46.225.100.82:6880/api/v1/webhooks/github
|
ORCA_WEBHOOK_URL: https://46.225.100.82:6880/api/v1/webhooks/github
|
||||||
run: |
|
run: |
|
||||||
# Post a github-style push event to orca's webhook endpoint,
|
SHA=$(git rev-parse HEAD)
|
||||||
# signed with HMAC-SHA256 using the per-webhook secret.
|
PAYLOAD="{\"ref\":\"refs/heads/main\",\"repository\":{\"full_name\":\"${GITHUB_REPOSITORY}\"},\"head_commit\":{\"id\":\"$SHA\",\"message\":\"ci: pitch-deck image build\"}}"
|
||||||
PAYLOAD="{\"ref\":\"refs/heads/main\",\"repository\":{\"full_name\":\"${GITHUB_REPOSITORY}\"},\"after\":\"$(git rev-parse HEAD)\"}"
|
|
||||||
SIG=$(printf '%s' "$PAYLOAD" | openssl dgst -sha256 -hmac "$ORCA_WEBHOOK_SECRET" -r | awk '{print $1}')
|
|
||||||
curl -sSf -k \
|
curl -sSf -k \
|
||||||
-X POST \
|
-X POST \
|
||||||
-H "Content-Type: application/json" \
|
-H "Content-Type: application/json" \
|
||||||
-H "X-GitHub-Event: push" \
|
-H "X-GitHub-Event: push" \
|
||||||
-H "X-Hub-Signature-256: sha256=$SIG" \
|
|
||||||
-d "$PAYLOAD" \
|
-d "$PAYLOAD" \
|
||||||
"$ORCA_WEBHOOK_URL" \
|
"$ORCA_WEBHOOK_URL" \
|
||||||
|| { echo "Orca redeploy failed"; exit 1; }
|
|| { echo "Orca redeploy failed"; exit 1; }
|
||||||
|
|||||||
Reference in New Issue
Block a user