infra: deploy script + webhook server + S3 uploader (saguaro test)

infra/webhook-server.py

@@ -0,0 +1,41 @@
+#!/usr/bin/env python3
+import http.server, subprocess, hashlib, hmac, json, os, sys
+
+SECRET = os.environ.get('WEBHOOK_SECRET', 'ptp-deploy-2026')
+PORT = 9000
+
+class Handler(http.server.BaseHTTPRequestHandler):
+    def do_POST(self):
+        if self.path != '/deploy':
+            self.send_response(404); self.end_headers(); return
+        
+        length = int(self.headers.get('Content-Length', 0))
+        body = self.rfile.read(length)
+        
+        # Verify signature (Gitea sends X-Gitea-Signature)
+        sig = self.headers.get('X-Gitea-Signature', '')
+        expected = hmac.new(SECRET.encode(), body, hashlib.sha256).hexdigest()
+        
+        if not hmac.compare_digest(sig, expected):
+            self.send_response(403); self.end_headers()
+            self.wfile.write(b'Bad signature'); return
+        
+        try:
+            data = json.loads(body)
+            ref = data.get('ref', '')
+            if ref not in ('refs/heads/mirror', 'refs/heads/main'):
+                self.send_response(200); self.end_headers()
+                self.wfile.write(b'Skipped (not mirror/main)'); return
+        except: pass
+        
+        subprocess.Popen(['/usr/local/bin/deploy-ptp.sh'])
+        self.send_response(200); self.end_headers()
+        self.wfile.write(b'Deploy triggered')
+
+    def log_message(self, fmt, *args):
+        pass  # silent
+
+if __name__ == '__main__':
+    httpd = http.server.HTTPServer(('127.0.0.1', PORT), Handler)
+    print(f'Webhook server on port {PORT}')
+    httpd.serve_forever()