2026-06-10 12:05:39 +00:00
1 changed files with 10 additions and 1 deletions
@@ -134,9 +134,18 @@ jobs:
            registry.meghsakha.com/breakpilot/portal:latest
            registry.meghsakha.com/breakpilot/portal:sha-${{ github.sha }}
      - name: trigger orca redeploy
+        # Signs the POST with HMAC-SHA256 over the JSON body using the
+        # secret orca generated when the webhook was registered. Orca's
+        # endpoint is publicly reachable on the master, so the signature
+        # gates who can fire a deploy.
+        env:
+          ORCA_WEBHOOK_SECRET: ${{ secrets.ORCA_WEBHOOK_SECRET }}
        run: |
+          BODY='{"repository":{"full_name":"platform/portal"},"ref":"refs/heads/main"}'
+          SIG="sha256=$(printf '%s' "$BODY" | openssl dgst -sha256 -hmac "$ORCA_WEBHOOK_SECRET" -hex | awk '{print $NF}')"
          curl -ksSf -X POST \
            -H "Content-Type: application/json" \
            -H "X-GitHub-Event: push" \
-            -d '{"repository":{"full_name":"platform/portal"},"ref":"refs/heads/main"}' \
+            -H "X-Hub-Signature-256: $SIG" \
+            -d "$BODY" \
            https://46.225.100.82:6880/api/v1/webhooks/github