ci: re-add HMAC-SHA256 signing on orca webhook (ORCA_WEBHOOK_SECRET)

.gitea/workflows/build-pitch-deck.yml

@@ -1,8 +1,8 @@
 # Build + push pitch-deck Docker image to registry.meghsakha.com
 # and trigger orca redeploy on every push to main that touches pitch-deck/.
 #
-# Orca's webhook endpoint doesn't require HMAC signing unless a secret is
-# configured on the webhook (orca webhooks add doesn't set one by default).
+# Requires Gitea Actions secret: ORCA_WEBHOOK_SECRET
+#   (must match the `secret` field in ~/.orca/webhooks.json on the orca master)
 
 name: Build pitch-deck
 
@@ -20,7 +20,7 @@ jobs:
     steps:
       - name: Checkout
         run: |
-          apk add --no-cache git curl
+          apk add --no-cache git openssl curl
           git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
 
       - name: Build image
@@ -41,14 +41,17 @@ jobs:
 
       - name: Trigger orca redeploy
         env:
+          ORCA_WEBHOOK_SECRET: ${{ secrets.ORCA_WEBHOOK_SECRET }}
           ORCA_WEBHOOK_URL: https://46.225.100.82:6880/api/v1/webhooks/github
         run: |
           SHA=$(git rev-parse HEAD)
           PAYLOAD="{\"ref\":\"refs/heads/main\",\"repository\":{\"full_name\":\"${GITHUB_REPOSITORY}\"},\"head_commit\":{\"id\":\"$SHA\",\"message\":\"ci: pitch-deck image build\"}}"
+          SIG=$(printf '%s' "$PAYLOAD" | openssl dgst -sha256 -hmac "$ORCA_WEBHOOK_SECRET" -r | awk '{print $1}')
           curl -sSf -k \
             -X POST \
             -H "Content-Type: application/json" \
             -H "X-GitHub-Event: push" \
+            -H "X-Hub-Signature-256: sha256=$SIG" \
             -d "$PAYLOAD" \
             "$ORCA_WEBHOOK_URL" \
             || { echo "Orca redeploy failed"; exit 1; }