update osm
+35
-3
@@ -39,10 +39,18 @@ loadEnvFile()
|
||||
const PORT = Number(process.env.WEBHOOK_PORT || 3011)
|
||||
const SECRET = process.env.GITHUB_WEBHOOK_SECRET || ''
|
||||
const DISCORD_WEBHOOK_URL = process.env.DISCORD_WEBHOOK_URL || ''
|
||||
const DISCORD_INCLUDE_PATCH = /^(1|true|yes)$/i.test(String(process.env.DISCORD_INCLUDE_PATCH || ''))
|
||||
const RESTART_TARGETS = (process.env.PM2_RESTART_TARGETS || 'tssbot-web')
|
||||
.split(',')
|
||||
.map((target) => target.trim())
|
||||
.filter(Boolean)
|
||||
const ALLOWED_REFS = new Set(
|
||||
(process.env.GITHUB_WEBHOOK_REFS || 'refs/heads/main')
|
||||
.split(',')
|
||||
.map((ref) => ref.trim())
|
||||
.filter(Boolean),
|
||||
)
|
||||
const ALLOWED_REPOSITORY = (process.env.GITHUB_WEBHOOK_REPOSITORY || '').trim()
|
||||
const RESTART_AFTER_MS = 24 * 60 * 60 * 1000
|
||||
|
||||
let deploying = false
|
||||
@@ -86,7 +94,10 @@ function validGitSha(value) {
|
||||
}
|
||||
|
||||
function verifySignature(rawBody, signature) {
|
||||
if (!SECRET) return true
|
||||
if (!SECRET) {
|
||||
console.error('GITHUB_WEBHOOK_SECRET is not set — rejecting webhook')
|
||||
return false
|
||||
}
|
||||
if (!signature || !signature.startsWith('sha256=')) return false
|
||||
|
||||
const expected = `sha256=${crypto.createHmac('sha256', SECRET).update(rawBody).digest('hex')}`
|
||||
@@ -160,12 +171,14 @@ function runCapture(command, args, options = {}) {
|
||||
}
|
||||
|
||||
async function ensureBuildDependencies() {
|
||||
await run('npm', ['install', '--production=false', '--include=dev', '--include=optional'], {
|
||||
await run('npm', ['ci', '--include=dev', '--include=optional'], {
|
||||
env: {
|
||||
NODE_ENV: 'development',
|
||||
npm_config_include: 'dev,optional',
|
||||
npm_config_omit: '',
|
||||
npm_config_production: 'false',
|
||||
npm_config_fund: 'false',
|
||||
npm_config_audit: 'false',
|
||||
},
|
||||
})
|
||||
|
||||
@@ -301,7 +314,7 @@ function diffFields(diff) {
|
||||
if (diff.summary) {
|
||||
fields.push({ name: 'Diff summary', value: codeBlock(diff.summary, 'diff'), inline: false })
|
||||
}
|
||||
if (diff.patch) {
|
||||
if (DISCORD_INCLUDE_PATCH && diff.patch) {
|
||||
fields.push({ name: 'Patch preview', value: codeBlock(diff.patch, 'diff'), inline: false })
|
||||
}
|
||||
|
||||
@@ -388,6 +401,25 @@ http
|
||||
return
|
||||
}
|
||||
|
||||
const pushRef = String(push?.ref || '')
|
||||
if (!ALLOWED_REFS.has(pushRef)) {
|
||||
json(res, 202, { skipped: true, reason: `Ignoring ref ${pushRef || '(missing)'}` })
|
||||
return
|
||||
}
|
||||
|
||||
if (ALLOWED_REPOSITORY) {
|
||||
const repoFullName = String(push?.repository?.full_name || '')
|
||||
if (repoFullName !== ALLOWED_REPOSITORY) {
|
||||
json(res, 202, { skipped: true, reason: `Ignoring repository ${repoFullName || '(missing)'}` })
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
if (push?.deleted) {
|
||||
json(res, 202, { skipped: true, reason: 'Ignoring branch-delete push' })
|
||||
return
|
||||
}
|
||||
|
||||
if (deploying) {
|
||||
json(res, 202, { queued: false, deploying: true })
|
||||
return
|
||||
|
||||
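Review bot: The repository check added in the last hunk is skipped entirely when `GITHUB_WEBHOOK_REPOSITORY` is unset, because `ALLOWED_REPOSITORY` defaults to `''` and the comparison sits behind `if (ALLOWED_REPOSITORY)`; that is the same fail-open default this commit removes from `verifySignature`. If the webhook secret is shared by more than one repository (an organisation-level hook, for example), a correctly signed push to `refs/heads/main` from any of them would reach the deploy path. I would either reject when the value is empty or make the gap visible once at startup, e.g. `if (!ALLOWED_REPOSITORY) console.warn('GITHUB_WEBHOOK_REPOSITORY is not set — accepting pushes from any repository')`. Separately, the line that compares `expected` with `signature` in `verifySignature` is outside the hunk, so it is worth confirming that it uses `crypto.timingSafeEqual` on equal-length buffers rather than `===`. The request handler begins and ends outside the hunk, so whether these checks run after signature verification cannot be confirmed from here.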