from flask import Flask, request import subprocess import hashlib import hmac import os app = Flask(__name__) secret_token = os.environ.get('SECRET_TOKEN') @app.route('/webhook', methods=['POST']) def webhook(): if request.headers.get('X-GitHub-Event') == 'push': signature = request.headers.get('X-Hub-Signature-256') if verify_signature(request.data, signature, secret_token): return 'Invalid HMAC signature.', 400 subprocess.run(['git', 'pull']) subprocess.run(['systemctl', 'restart', 'restart_this_app.service']) return 'Success!', 200 else: return 'Invalid webhook event.', 400 # https://docs.github.com/en/enterprise-server@3.6/webhooks-and-events/webhooks/securing-your-webhooks#python-example def verify_signature(payload_body, signature_header, secret_token): if not signature_header: return False hash_object = hmac.new(secret_token.encode('utf-8'), msg=payload_body, digestmod=hashlib.sha256) expected_signature = "sha256=" + hash_object.hexdigest() if not hmac.compare_digest(expected_signature, signature_header): return False return True if __name__ == '__main__': app.run(host='0.0.0.0', port=5001)