From eb118ebf92e08bc295a2d7449239278c8615a5c5 Mon Sep 17 00:00:00 2001
From: Sharang Parnerkar <30073382+mighty840@users.noreply.github.com>
Date: Tue, 14 Apr 2026 08:31:29 +0200
Subject: [PATCH] ci: re-add HMAC-SHA256 signing on orca webhook (ORCA_WEBHOOK_SECRET)

---
 .gitea/workflows/build-pitch-deck.yml | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/.gitea/workflows/build-pitch-deck.yml b/.gitea/workflows/build-pitch-deck.yml
index 73c51eb..357e26c 100644
--- a/.gitea/workflows/build-pitch-deck.yml
+++ b/.gitea/workflows/build-pitch-deck.yml
@@ -1,8 +1,8 @@
 # Build + push pitch-deck Docker image to registry.meghsakha.com
 # and trigger orca redeploy on every push to main that touches pitch-deck/.
 #
-# Orca's webhook endpoint doesn't require HMAC signing unless a secret is
-# configured on the webhook (orca webhooks add doesn't set one by default).
+# Requires Gitea Actions secret: ORCA_WEBHOOK_SECRET
+# (must match the `secret` field in ~/.orca/webhooks.json on the orca master)
 
 name: Build pitch-deck
 
@@ -20,7 +20,7 @@ jobs:
 steps:
 - name: Checkout
 run: |
-apk add --no-cache git curl
+apk add --no-cache git openssl curl
 git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
 
 - name: Build image
@@ -41,14 +41,17 @@ jobs:
 
 - name: Trigger orca redeploy
 env:
+ORCA_WEBHOOK_SECRET: ${{ secrets.ORCA_WEBHOOK_SECRET }}
 ORCA_WEBHOOK_URL: https://46.225.100.82:6880/api/v1/webhooks/github
 run: |
 SHA=$(git rev-parse HEAD)
 PAYLOAD="{\"ref\":\"refs/heads/main\",\"repository\":{\"full_name\":\"${GITHUB_REPOSITORY}\"},\"head_commit\":{\"id\":\"$SHA\",\"message\":\"ci: pitch-deck image build\"}}"
+SIG=$(printf '%s' "$PAYLOAD" | openssl dgst -sha256 -hmac "$ORCA_WEBHOOK_SECRET" -r | awk '{print $1}')
 curl -sSf -k \
 -X POST \
 -H "Content-Type: application/json" \
 -H "X-GitHub-Event: push" \
+-H "X-Hub-Signature-256: sha256=$SIG" \
 -d "$PAYLOAD" \
 "$ORCA_WEBHOOK_URL" \
 || { echo "Orca redeploy failed"; exit 1; }
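Review bot: The new `SIG=` line in the "Trigger orca redeploy" hunk signs with whatever `$ORCA_WEBHOOK_SECRET` happens to hold, so if the Actions secret is not configured the step still posts a request signed with an empty key and the only symptom is a rejection on the orca side; fail fast before the openssl call with `: "${ORCA_WEBHOOK_SECRET:?ORCA_WEBHOOK_SECRET is not set}"`. The pipeline into `awk` also masks an openssl failure (the step sees awk's exit status), so add `set -o pipefail` at the top of the `run:` script or check `[ -n "$SIG" ]` before the curl call. Passing the key via `-hmac` makes it visible in the runner's process list for the duration of the call, which is tolerable on an ephemeral single-job container but deserves a comment such as `# secret on argv: acceptable only on an ephemeral single-tenant runner`. The request still goes out with `curl -k`, and the signed payload carries no timestamp or nonce, so anyone who can intercept the connection can replay it; pinning the orca certificate with `--cacert` in place of `-k` would close that gap without changing the signing scheme.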