git-webhook/app.py
2023-05-26 17:42:03 +02:00

45 lines
1.2 KiB
Python

from flask import Flask, request
import subprocess
import hashlib
import hmac
import os
app = Flask(__name__)
secret_token = os.environ.get('SECRET_TOKEN')
@app.route('/webhook', methods=['POST'])
def webhook():
if request.headers.get('X-GitHub-Event') == 'push':
signature = request.headers.get('X-Hub-Signature-256')
if verify_signature(request.data, signature, secret_token):
return 'Invalid HMAC signature.', 400
subprocess.run(['git', 'pull'])
subprocess.run(['systemctl', 'restart', 'restart_this_app.service'])
return 'Success!', 200
else:
return 'Invalid webhook event.', 400
# https://docs.github.com/en/enterprise-server@3.6/webhooks-and-events/webhooks/securing-your-webhooks#python-example
def verify_signature(payload_body, signature_header, secret_token):
if not signature_header:
return False
hash_object = hmac.new(secret_token.encode('utf-8'), msg=payload_body, digestmod=hashlib.sha256)
expected_signature = "sha256=" + hash_object.hexdigest()
if not hmac.compare_digest(expected_signature, signature_header):
return False
return True
if __name__ == '__main__':
app.run(host='0.0.0.0', port=5001)