homelab-docker-config/updater/webhook.php

<?php

error_log(date('Y-m-d H:i:s'). "\t received request from " . $_SERVER['REMOTE_ADDR']);


$secret_key = getenv('GITEA_WEBHOOK_SECRET');
if (empty($secret_key)) {
    error_log('FAILED - secret key missing from environment');
    exit();
}

// check for POST request
if ($_SERVER['REQUEST_METHOD'] != 'POST') {
    error_log('FAILED - not POST - ' . $_SERVER['REQUEST_METHOD']);
    exit();
}

// get content type
$content_type = isset($_SERVER['CONTENT_TYPE']) ? strtolower(trim($_SERVER['CONTENT_TYPE'])) : '';

if ($content_type != 'application/json') {
    error_log('FAILED - not application/json - ' . $content_type);
    exit();
}

// get payload
$payload = trim(file_get_contents("php://input"));

if (empty($payload)) {
    error_log('FAILED - no payload');
    exit();
}

// get header signature
$header_signature = isset($_SERVER['HTTP_X_GITEA_SIGNATURE']) ? $_SERVER['HTTP_X_GITEA_SIGNATURE'] : '';

if (empty($header_signature)) {
    error_log('FAILED - header signature missing');
    exit();
}

// calculate payload signature
$payload_signature = hash_hmac('sha256', $payload, $secret_key);

// check payload signature against header signature
if ($header_signature !== $payload_signature) {
    error_log('FAILED - payload signature');
    exit();
}

// convert json to array
$decoded = json_decode($payload, true);

// check for json decode errors
if (json_last_error() !== JSON_ERROR_NONE) {
    error_log('FAILED - json decode - ' . json_last_error());
    exit();
}

// success, log something without error_log
error_log('SUCCESS - ' . $decoded['ref']);

chdir('/config');
exec('git pull');
exec('docker compose up -d --quiet-pull > /proc/1/fd/1 2>/proc/1/fd/2 &');

// send return code and text message
http_response_code(200);
echo 'lekker pik';