From 3fa0e26bd165402377cee7e7adbc7d5090096b64 Mon Sep 17 00:00:00 2001
From: Sharang Parnerkar <30073382+mighty840@users.noreply.github.com>
Date: Wed, 10 Jun 2026 12:18:12 +0200
Subject: [PATCH] ci(portal): sign orca webhook POST with HMAC-SHA256
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When `orca webhooks add` registers a webhook it generates a signing secret by default; orca then requires X-Hub-Signature-256 on inbound POSTs (the public master at :6880 means anyone could otherwise fire a deploy by crafting the JSON body). Adds the signing step using the standard github-shaped header. The secret is consumed from a new Gitea Actions secret ORCA_WEBHOOK_SECRET on this repo — value provided out-of-band from the master.

Co-Authored-By: Claude Opus 4.7
---
 .gitea/workflows/ci.yaml | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/.gitea/workflows/ci.yaml b/.gitea/workflows/ci.yaml
index 21a2034..c7a6fd9 100644
--- a/.gitea/workflows/ci.yaml
+++ b/.gitea/workflows/ci.yaml
@@ -134,9 +134,18 @@ jobs:
 registry.meghsakha.com/breakpilot/portal:latest
 registry.meghsakha.com/breakpilot/portal:sha-${{ github.sha }}
 - name: trigger orca redeploy
+ # Signs the POST with HMAC-SHA256 over the JSON body using the
+ # secret orca generated when the webhook was registered. Orca's
+ # endpoint is publicly reachable on the master, so the signature
+ # gates who can fire a deploy.
+ env:
+ ORCA_WEBHOOK_SECRET: ${{ secrets.ORCA_WEBHOOK_SECRET }}
 run: |
+ BODY='{"repository":{"full_name":"platform/portal"},"ref":"refs/heads/main"}'
+ SIG="sha256=$(printf '%s' "$BODY" | openssl dgst -sha256 -hmac "$ORCA_WEBHOOK_SECRET" -hex | awk '{print $NF}')"
 curl -ksSf -X POST \
 -H "Content-Type: application/json" \
 -H "X-GitHub-Event: push" \
- -d '{"repository":{"full_name":"platform/portal"},"ref":"refs/heads/main"}' \
+ -H "X-Hub-Signature-256: $SIG" \
+ -d "$BODY" \
 https://46.225.100.82:6880/api/v1/webhooks/github
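Review bot: The `SIG=` line computes an HMAC over an empty key when `ORCA_WEBHOOK_SECRET` is unset (a fork, or a runner without the secret), and because the `run:` block never sets `pipefail`, an openssl failure leaves `SIG=sha256=` and the POST still goes out, failing only on orca's reply with no hint why. Guard it at the top of the script with `set -euo pipefail` and `: "${ORCA_WEBHOOK_SECRET:?ORCA_WEBHOOK_SECRET secret is not set}"` so the step fails fast with a clear message instead of a bare 4xx. Note also that `BODY` is a fixed string, so the signature is byte-identical on every run and behaves like a static bearer value: anyone who observes one request (the call still uses `-k`, so certificate validation does not stand in the way) could replay it to fire a deploy; putting a per-run field such as `${{ github.sha }}` into the body would make each signature unique, provided orca's handler tolerates the extra field. Passing the secret as `-hmac "$ORCA_WEBHOOK_SECRET"` on the command line additionally exposes it in the process list on the runner host, which matters only if that runner is shared. The enclosing `jobs:` entry starts above the hunk.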