ci: gate deploy behind lint — Actions triggers webhook after lint passes
Adds a deploy job that runs only when both php-lint and js-lint succeed. Calls the CT132 webhook directly with HMAC-SHA256 signature from the WEBHOOK_SECRET repo secret. Disabled the direct push webhooks that previously deployed on every push regardless of lint status. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -35,3 +35,28 @@ jobs:
|
||||
- name: Run ESLint
|
||||
run: npx eslint assets/js/
|
||||
|
||||
deploy:
|
||||
name: Deploy
|
||||
runs-on: ubuntu-latest
|
||||
needs: [php-lint, js-lint]
|
||||
if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/development')
|
||||
steps:
|
||||
- name: Trigger webhook
|
||||
env:
|
||||
WEBHOOK_SECRET: ${{ secrets.WEBHOOK_SECRET }}
|
||||
GIT_REF: ${{ github.ref }}
|
||||
run: |
|
||||
if [ "$GIT_REF" = "refs/heads/main" ]; then
|
||||
HOOK_ID="tinker-deploy"
|
||||
else
|
||||
HOOK_ID="tinker-beta-deploy"
|
||||
fi
|
||||
PAYLOAD="{\"ref\":\"${GIT_REF}\"}"
|
||||
SIG=$(echo -n "$PAYLOAD" | openssl dgst -sha256 -hmac "$WEBHOOK_SECRET" | awk '{print $2}')
|
||||
curl -sf --connect-timeout 10 \
|
||||
-X POST \
|
||||
-H "Content-Type: application/json" \
|
||||
-H "X-Gitea-Signature: ${SIG}" \
|
||||
-d "$PAYLOAD" \
|
||||
"http://10.10.10.45:9000/hooks/${HOOK_ID}"
|
||||
|
||||
|
||||
Reference in New Issue
Block a user