mirror of
https://github.com/myronblair/web-dashboard
synced 2026-06-30 17:50:10 -05:00
42 lines
1.4 KiB
PHP
42 lines
1.4 KiB
PHP
<?php
|
|
/**
|
|
* GitHub Auto-Deploy Webhook
|
|
* Verifies GitHub HMAC signature, then queues the repo for git pull.
|
|
* A root cron job (/usr/local/bin/web-dashboard-deploy.sh) processes the queue every minute.
|
|
*
|
|
* WEBHOOK_SECRET must be defined — set it as a constant in a gitignored config file,
|
|
* or define it directly here for single-site use.
|
|
*/
|
|
|
|
define('WEBHOOK_SECRET', '4c8805f0285214ff0a0602b5880270b935f36a896946c7f1');
|
|
define('DEPLOY_QUEUE', '/tmp/web-dashboard-deploy.txt');
|
|
define('DEPLOY_LOG', '/home/webacct/logs/deploy.log');
|
|
define('REPO_PATH', '/home/webacct/public_html');
|
|
|
|
header('Content-Type: application/json');
|
|
|
|
$payload = file_get_contents('php://input');
|
|
$sig = $_SERVER['HTTP_X_HUB_SIGNATURE_256'] ?? '';
|
|
$expected = 'sha256=' . hash_hmac('sha256', $payload, WEBHOOK_SECRET);
|
|
|
|
if (!hash_equals($expected, $sig)) {
|
|
http_response_code(403);
|
|
echo json_encode(['error' => 'Invalid signature']);
|
|
exit;
|
|
}
|
|
|
|
$data = json_decode($payload, true);
|
|
$ref = $data['ref'] ?? '';
|
|
$pusher = $data['pusher']['name'] ?? 'unknown';
|
|
|
|
if ($ref !== 'refs/heads/main') {
|
|
echo json_encode(['ok' => true, 'skipped' => "ref $ref is not main"]);
|
|
exit;
|
|
}
|
|
|
|
$ts = date('Y-m-d H:i:s');
|
|
file_put_contents(DEPLOY_QUEUE, REPO_PATH . "\n", FILE_APPEND | LOCK_EX);
|
|
file_put_contents(DEPLOY_LOG, "[$ts] Queued deploy by $pusher\n", FILE_APPEND | LOCK_EX);
|
|
|
|
echo json_encode(['ok' => true, 'queued' => 'web-dashboard']);
|