Source file: 13-webhook-deploy-deploy.v4.sohophp.app.md

# 13. Webhook Deploy: deploy.v4.sohophp.app

This document records the signed webhook deploy endpoint for the Node CI/CD toolkit.

# Site identity

  • domain: deploy.v4.sohophp.app
  • public endpoint: https://deploy.v4.sohophp.app
  • local bind: 127.0.0.1:22103
  • service: node-cicd-webhook.service

# What it does

The receiver accepts signed webhook POST requests and can:

  • verify HMAC-SHA256 signatures
  • restrict event names
  • restrict refs such as refs/heads/main
  • trigger cicd-deploy-node-site
  • optionally run cleanup-node-releases --keep N --prune

# Live files

  • service unit: /etc/systemd/system/node-cicd-webhook.service
  • executable: /usr/local/bin/node-cicd-webhookd
  • config: /etc/node-cicd-webhook.json
  • nginx vhost: /etc/nginx/conf.d/deploy.v4.sohophp.app.conf

# Verified route on this VPS

Current configured route:

  • path: /github/node.v4.sohophp.app
  • domain: node.v4.sohophp.app
  • allowed event: push
  • allowed ref: refs/heads/main
  • post-deploy cleanup keep count: 5

# Signature headers supported

  • GitHub: X-Hub-Signature-256: sha256=<digest>
  • Gitea: X-Gitea-Signature: <digest>
  • generic: X-Webhook-Signature-256

# Example config shape

See exported example:

  • examples/node-cicd-webhook.json.example

# Important implementation note

The systemd service must not keep NoNewPrivileges=true. That setting blocks setuid binaries such as sudo from gaining privileges, and the receiver needs to call tightly-scoped `sudo -n` commands already granted to the cicd user; with the flag set those calls fail.

# Healthcheck

```sh
curl -fsS http://127.0.0.1:22103/healthz
curl -kfsS https://deploy.v4.sohophp.app/healthz
```

# Test pattern

```sh
payload='{"ref":"refs/heads/main"}'
sig=$(python3 - <<'PY'
import hmac, hashlib
secret = b'replace-with-your-own-secret'
payload = b'{"ref":"refs/heads/main"}'
print('sha256=' + hmac.new(secret, payload, hashlib.sha256).hexdigest())
PY
)
curl -kfsS https://deploy.v4.sohophp.app/github/app.example.com \
  -H 'Content-Type: application/json' \
  -H 'X-GitHub-Event: push' \
  -H "X-Hub-Signature-256: $sig" \
  --data "$payload"
```

# Verified behavior

This was actually tested on this VPS by posting a signed webhook request that:

  1. matched the push event filter
  2. matched refs/heads/main
  3. deployed node.v4.sohophp.app to release 20260602162046
  4. automatically pruned 2 old releases
  5. returned JSON step results for deploy and cleanup