update osm

Heidi
2026-05-16 09:35:51 +01:00
parent f36bdf3738
commit e44b263f2e
6 changed files with 310 additions and 25 deletions
+35 -3
@@ -39,10 +39,18 @@ loadEnvFile()
const PORT = Number(process.env.WEBHOOK_PORT || 3011)
const SECRET = process.env.GITHUB_WEBHOOK_SECRET || ''
const DISCORD_WEBHOOK_URL = process.env.DISCORD_WEBHOOK_URL || ''
const DISCORD_INCLUDE_PATCH = /^(1|true|yes)$/i.test(String(process.env.DISCORD_INCLUDE_PATCH || ''))
const RESTART_TARGETS = (process.env.PM2_RESTART_TARGETS || 'tssbot-web')
.split(',')
.map((target) => target.trim())
.filter(Boolean)
const ALLOWED_REFS = new Set(
(process.env.GITHUB_WEBHOOK_REFS || 'refs/heads/main')
.split(',')
.map((ref) => ref.trim())
.filter(Boolean),
)
const ALLOWED_REPOSITORY = (process.env.GITHUB_WEBHOOK_REPOSITORY || '').trim()
const RESTART_AFTER_MS = 24 * 60 * 60 * 1000
let deploying = false
@@ -86,7 +94,10 @@ function validGitSha(value) {
}
function verifySignature(rawBody, signature) {
if (!SECRET) return true
if (!SECRET) {
console.error('GITHUB_WEBHOOK_SECRET is not set — rejecting webhook')
return false
}
if (!signature || !signature.startsWith('sha256=')) return false
const expected = `sha256=${crypto.createHmac('sha256', SECRET).update(rawBody).digest('hex')}`
@@ -160,12 +171,14 @@ function runCapture(command, args, options = {}) {
}
async function ensureBuildDependencies() {
await run('npm', ['install', '--production=false', '--include=dev', '--include=optional'], {
await run('npm', ['ci', '--include=dev', '--include=optional'], {
env: {
NODE_ENV: 'development',
npm_config_include: 'dev,optional',
npm_config_omit: '',
npm_config_production: 'false',
npm_config_fund: 'false',
npm_config_audit: 'false',
},
})
@@ -301,7 +314,7 @@ function diffFields(diff) {
if (diff.summary) {
fields.push({ name: 'Diff summary', value: codeBlock(diff.summary, 'diff'), inline: false })
}
if (diff.patch) {
if (DISCORD_INCLUDE_PATCH && diff.patch) {
fields.push({ name: 'Patch preview', value: codeBlock(diff.patch, 'diff'), inline: false })
}
@@ -388,6 +401,25 @@ http
return
}
const pushRef = String(push?.ref || '')
if (!ALLOWED_REFS.has(pushRef)) {
json(res, 202, { skipped: true, reason: `Ignoring ref ${pushRef || '(missing)'}` })
return
}
if (ALLOWED_REPOSITORY) {
const repoFullName = String(push?.repository?.full_name || '')
if (repoFullName !== ALLOWED_REPOSITORY) {
json(res, 202, { skipped: true, reason: `Ignoring repository ${repoFullName || '(missing)'}` })
return
}
}
if (push?.deleted) {
json(res, 202, { skipped: true, reason: 'Ignoring branch-delete push' })
return
}
if (deploying) {
json(res, 202, { queued: false, deploying: true })
return
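Review bot: The repository allow-list added in the last hunk stays fail-open: `ALLOWED_REPOSITORY` defaults to `''`, and the `if (ALLOWED_REPOSITORY)` guard then skips the `full_name` comparison entirely, whereas the same commit makes a missing `GITHUB_WEBHOOK_SECRET` fail closed in `verifySignature`. If the secret is shared by an organisation-level webhook or by more than one repository, a signed push to `refs/heads/main` of any of them would pass these checks and continue towards the deploy. Consider requiring the variable, or at least warning once at startup, e.g. `if (!ALLOWED_REPOSITORY) console.warn('GITHUB_WEBHOOK_REPOSITORY is not set — pushes from any repository signed with the secret are accepted')`. The request handler starts and ends outside this hunk, so whether signature verification runs before these checks is not visible here.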