From 1110804662ff27f934ffb51503ad010db29a0fb4 Mon Sep 17 00:00:00 2001
From: Jared Vititoe <jjvititoe1@gmail.com>
Date: Tue, 14 Apr 2026 10:14:35 -0400
Subject: [PATCH] Add deploy gating to CI pipeline

- Add deploy job gated on js-lint passing
- Deploy triggers pulse-deploy webhook on main branch only

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .gitea/workflows/lint.yml | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/.gitea/workflows/lint.yml b/.gitea/workflows/lint.yml
index 98e3cee..5d30363 100644
--- a/.gitea/workflows/lint.yml
+++ b/.gitea/workflows/lint.yml
@@ -18,3 +18,23 @@ jobs:
 
       - name: Run ESLint
         run: npx eslint --ext .js .
+
+  deploy:
+    name: Deploy
+    runs-on: ubuntu-latest
+    needs: [js-lint]
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    steps:
+      - name: Trigger webhook
+        env:
+          WEBHOOK_SECRET: ${{ secrets.WEBHOOK_SECRET }}
+          GIT_REF: ${{ github.ref }}
+        run: |
+          PAYLOAD="{\"ref\":\"${GIT_REF}\"}"
+          SIG=$(echo -n "$PAYLOAD" | openssl dgst -sha256 -hmac "$WEBHOOK_SECRET" | awk '{print $2}')
+          curl -sf --connect-timeout 10 \
+            -X POST \
+            -H "Content-Type: application/json" \
+            -H "X-Gitea-Signature: ${SIG}" \
+            -d "$PAYLOAD" \
+            "http://10.10.10.65:9000/hooks/pulse-deploy"