ci: gate deploy behind lint — Actions triggers webhook after lint passes
Adds a deploy job that runs only when both php-lint and js-lint succeed. Calls the CT132 webhook directly with HMAC-SHA256 signature from the WEBHOOK_SECRET repo secret. Disabled the direct push webhooks that previously deployed on every push regardless of lint status. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -35,3 +35,28 @@ jobs:
|
|||||||
- name: Run ESLint
|
- name: Run ESLint
|
||||||
run: npx eslint assets/js/
|
run: npx eslint assets/js/
|
||||||
|
|
||||||
|
deploy:
|
||||||
|
name: Deploy
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
needs: [php-lint, js-lint]
|
||||||
|
if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/development')
|
||||||
|
steps:
|
||||||
|
- name: Trigger webhook
|
||||||
|
env:
|
||||||
|
WEBHOOK_SECRET: ${{ secrets.WEBHOOK_SECRET }}
|
||||||
|
GIT_REF: ${{ github.ref }}
|
||||||
|
run: |
|
||||||
|
if [ "$GIT_REF" = "refs/heads/main" ]; then
|
||||||
|
HOOK_ID="tinker-deploy"
|
||||||
|
else
|
||||||
|
HOOK_ID="tinker-beta-deploy"
|
||||||
|
fi
|
||||||
|
PAYLOAD="{\"ref\":\"${GIT_REF}\"}"
|
||||||
|
SIG=$(echo -n "$PAYLOAD" | openssl dgst -sha256 -hmac "$WEBHOOK_SECRET" | awk '{print $2}')
|
||||||
|
curl -sf --connect-timeout 10 \
|
||||||
|
-X POST \
|
||||||
|
-H "Content-Type: application/json" \
|
||||||
|
-H "X-Gitea-Signature: ${SIG}" \
|
||||||
|
-d "$PAYLOAD" \
|
||||||
|
"http://10.10.10.45:9000/hooks/${HOOK_ID}"
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user