platform/portal
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

merge into: platform/portal:feat/env-driven-apex-hosts
Branches Tags
platform/portal:main platform/portal:feat/env-driven-apex-hosts platform/portal:ci/registry-meghsakha-orca-webhook platform/portal:feat/m10.2-design-system platform/portal:feat/m5.2-shells
..
pull from: platform/portal:ci/registry-meghsakha-orca-webhook
Branches Tags
platform/portal:main platform/portal:feat/env-driven-apex-hosts platform/portal:ci/registry-meghsakha-orca-webhook platform/portal:feat/m10.2-design-system platform/portal:feat/m5.2-shells

2 Commits
feat/env-driven-apex-hosts .. ci/registry-meghsakha-orca-webhook

Author SHA1 Message Date
Sharang Parnerkar 3fa0e26bd1 ci(portal): sign orca webhook POST with HMAC-SHA256
ci / shared (pull_request) Successful in 13s
Details
ci / test (pull_request) Successful in 10m17s
Details
ci / e2e (pull_request) Has been skipped
Details
ci / image (pull_request) Has been skipped
Details 
When `orca webhooks add` registers a webhook it generates a signing
secret by default; orca then requires X-Hub-Signature-256 on inbound
POSTs (the public master at :6880 means anyone could otherwise fire
a deploy by crafting the JSON body).

Adds the signing step using the standard github-shaped header. The
secret is consumed from a new Gitea Actions secret ORCA_WEBHOOK_SECRET
on this repo — value provided out-of-band from the master.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-06-10 12:18:12 +02:00
Sharang Parnerkar 8fc4dc09c9 ci(portal): retarget image build to registry.meghsakha.com + orca webhook
ci / shared (pull_request) Successful in 14s
Details
ci / test (pull_request) Successful in 10m17s
Details
ci / e2e (pull_request) Has been skipped
Details
ci / image (pull_request) Has been skipped
Details 
The previous CI pushed to registry.breakpilot.com (the future prod
registry that doesn't exist yet) and tried to call `orca apply`, a
CLI shape this orca version doesn't ship. Repointing to the live
infrastructure:

- registry: registry.meghsakha.com
- image path: breakpilot/portal (sibling of breakpilot/compliance-*)
- tags: :latest (for the webhook-driven deploy) + :sha-<sha> (traceability)
- redeploy: POST github-style payload to the orca webhook on the master,
  matching the pattern documented in orca-infra/WEBHOOKS.md

The webhook must be registered once on the master:
  orca webhooks add --repo platform/portal \
                    --service breakpilot-portal --branch main

CI also needs REGISTRY_USER + REGISTRY_PASS set on this Gitea repo's
Actions secrets — same htpasswd-backed creds the master uses today.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-06-10 12:12:44 +02:00
2 changed files with 28 additions and 22 deletions
Expand all files Collapse all files
.gitea/workflows/ci.yaml
+27 -8
View File
@@ -108,6 +108,15 @@ jobs:
PLAYWRIGHT_TEST_PASS: ${{ secrets.STAGE_TEST_PASS }}
image:
# Builds the portal image and ships it through the same path every
# other service in orca-infra uses: push :latest + :sha-<sha> to
# registry.meghsakha.com, then POST a github-style payload to the
# orca webhook so the master pulls and redeploys breakpilot-portal.
#
# Webhook target (registered once on the master via
# orca webhooks add --repo platform/portal \
# --service breakpilot-portal --branch main
# ) accepts unsigned payloads — orca matches on repo + branch.
needs: [shared, test]
if: github.event_name == 'push' && github.ref == 'refs/heads/main' && hashFiles('Dockerfile') != ''
runs-on: docker
@@ -115,18 +124,28 @@ jobs:
- uses: actions/checkout@v4
- uses: docker/login-action@v3
with:
registry: registry.breakpilot.com
registry: registry.meghsakha.com
username: ${{ secrets.REGISTRY_USER }}
password: ${{ secrets.REGISTRY_PASS }}
- uses: docker/build-push-action@v6
with:
push: true
tags: |
registry.breakpilot.com/${{ github.event.repository.name }}:sha-${{ github.sha }}
registry.breakpilot.com/${{ github.event.repository.name }}:env-stage
- uses: anchore/sbom-action@v0
with:
image: registry.breakpilot.com/${{ github.event.repository.name }}:sha-${{ github.sha }}
- run: orca apply --env=stage --image-tag=sha-${{ github.sha }}
registry.meghsakha.com/breakpilot/portal:latest
registry.meghsakha.com/breakpilot/portal:sha-${{ github.sha }}
- name: trigger orca redeploy
# Signs the POST with HMAC-SHA256 over the JSON body using the
# secret orca generated when the webhook was registered. Orca's
# endpoint is publicly reachable on the master, so the signature
# gates who can fire a deploy.
env:
ORCA_TOKEN: ${{ secrets.ORCA_STAGE_TOKEN }}
ORCA_WEBHOOK_SECRET: ${{ secrets.ORCA_WEBHOOK_SECRET }}
run: |
BODY='{"repository":{"full_name":"platform/portal"},"ref":"refs/heads/main"}'
SIG="sha256=$(printf '%s' "$BODY" | openssl dgst -sha256 -hmac "$ORCA_WEBHOOK_SECRET" -hex | awk '{print $NF}')"
curl -ksSf -X POST \
-H "Content-Type: application/json" \
-H "X-GitHub-Event: push" \
-H "X-Hub-Signature-256: $SIG" \
-d "$BODY" \
https://46.225.100.82:6880/api/v1/webhooks/github
src/lib/host.ts
+1 -14
View File
@@ -11,20 +11,7 @@ export type HostMatch =
| { kind: "unknown" };
// Longest-first so `stage.breakpilot.com` is matched before `breakpilot.com`.
// Built-ins cover dev (localhost) + the canonical breakpilot.com targets.
// PORTAL_APEX_HOSTS is a comma-separated env override for per-environment
// hosts (e.g. portal-dev.meghsakha.com while breakpilot.com isn't registered).
const APEX_HOSTS = (() => {
const base = ["stage.breakpilot.com", "breakpilot.com", "localhost"];
const extra = (process.env.PORTAL_APEX_HOSTS ?? "")
.split(",")
.map((h) => h.trim().toLowerCase())
.filter(Boolean);
// Longest-first to keep the suffix-strip loop correct.
return Array.from(new Set([...extra, ...base])).sort(
(a, b) => b.length - a.length,
);
})();
const APEX_HOSTS = ["stage.breakpilot.com", "breakpilot.com", "localhost"];
const APEX_SET = new Set(APEX_HOSTS);
export function parseHost(host: string | null | undefined): HostMatch {