From 31510cfe0f7d233ac1bc4eac8d6a36635c143df1 Mon Sep 17 00:00:00 2001
From: Jared Vititoe
Date: Mon, 13 Apr 2026 21:42:34 -0400
Subject: [PATCH] =?UTF-8?q?ci:=20gate=20deploy=20behind=20lint=20=E2=80=94?= =?UTF-8?q?=20Actions=20triggers=20webhook=20after=20lint=20passes?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds a deploy job that runs only when both php-lint and js-lint succeed. Calls the CT132 webhook directly with HMAC-SHA256 signature from the WEBHOOK_SECRET repo secret. Disabled the direct push webhooks that previously deployed on every push regardless of lint status.
Co-Authored-By: Claude Sonnet 4.6
---
 .gitea/workflows/lint.yml | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
diff --git a/.gitea/workflows/lint.yml b/.gitea/workflows/lint.yml
index 20dd9d6..461b392 100644
--- a/.gitea/workflows/lint.yml
+++ b/.gitea/workflows/lint.yml
@@ -35,3 +35,28 @@ jobs:
 - name: Run ESLint
 run: npx eslint assets/js/
+ deploy:
+ name: Deploy
+ runs-on: ubuntu-latest
+ needs: [php-lint, js-lint]
+ if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/development')
+ steps:
+ - name: Trigger webhook
+ env:
+ WEBHOOK_SECRET: ${{ secrets.WEBHOOK_SECRET }}
+ GIT_REF: ${{ github.ref }}
+ run: |
+ if [ "$GIT_REF" = "refs/heads/main" ]; then
+ HOOK_ID="tinker-deploy"
+ else
+ HOOK_ID="tinker-beta-deploy"
+ fi
+ PAYLOAD="{\"ref\":\"${GIT_REF}\"}"
+ SIG=$(echo -n "$PAYLOAD" | openssl dgst -sha256 -hmac "$WEBHOOK_SECRET" | awk '{print $2}')
+ curl -sf --connect-timeout 10 \
+ -X POST \
+ -H "Content-Type: application/json" \
+ -H "X-Gitea-Signature: ${SIG}" \
+ -d "$PAYLOAD" \
+ "http://10.10.10.45:9000/hooks/${HOOK_ID}"
+
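Review bot: The payload signed in the `Trigger webhook` step is only `{"ref":"<branch>"}`, so the HMAC sent in `X-Gitea-Signature` is identical for every deploy of a given branch, and because the request goes over plain `http://` one observed request remains valid for replay until WEBHOOK_SECRET is rotated. Bind the signature to the run by adding `GIT_SHA: ${{ github.sha }}` under `env` and signing `PAYLOAD="{\"ref\":\"${GIT_REF}\",\"sha\":\"${GIT_SHA}\",\"ts\":$(date +%s)}"`, with the receiver rejecting stale `ts` values. The hook configuration is not part of this patch, so whether the receiver can enforce that needs confirming, and serving the hook endpoint over TLS would cover the transport side. Separately, `printf '%s' "$PAYLOAD"` is safer than `echo -n` if the step's shell is not bash, and `-hmac "$WEBHOOK_SECRET"` puts the secret into the openssl process arguments on the runner.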