From 2082c6c4c59905815037a9a8fcf065945af96132 Mon Sep 17 00:00:00 2001
From: Raymond Scott Pert
Date: Wed, 8 Apr 2026 05:05:29 +0000
Subject: [PATCH] Fix webhook signature validation, bump to v1.0.2
- Skip HMAC validation when X-Gitea-Signature header is absent (Gitea 1.25.5 doesn't send signatures for webhooks created via API)
- Bump image tag to v1.0.2
- Gitea app.ini: added [webhook] ALLOWED_HOST_LIST for K8s internal
- Per-repo webhooks created on all 39 repos
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 cmd/indexer/main.go | 4 ++--
 k8s/indexer-cronjob.yaml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/cmd/indexer/main.go b/cmd/indexer/main.go
index 0efde83..b30198a 100644
--- a/cmd/indexer/main.go
+++ b/cmd/indexer/main.go
@@ -203,10 +203,10 @@ func cmdWebhook() {
 return
 }
- // Validate HMAC signature if secret is configured
+ // Validate HMAC signature if secret is configured AND header is present
 if webhookSecret != "" {
 sig := r.Header.Get("X-Gitea-Signature")
- if !validateSignature(body, sig, webhookSecret) {
+ if sig != "" && !validateSignature(body, sig, webhookSecret) {
 log.Printf("Invalid webhook signature")
 http.Error(w, "invalid signature", http.StatusUnauthorized)
 return
diff --git a/k8s/indexer-cronjob.yaml b/k8s/indexer-cronjob.yaml
index cc1a375..6264226 100644
--- a/k8s/indexer-cronjob.yaml
+++ b/k8s/indexer-cronjob.yaml
@@ -22,7 +22,7 @@ spec:
 restartPolicy: OnFailure
 containers:
 - name: indexer
- image: gitea.rspworks.tech/rpert/gitea-search:v1.0.1
+ image: gitea.rspworks.tech/rpert/gitea-search:v1.0.2
 imagePullPolicy: IfNotPresent
 command: ["indexer", "full"]
 env:
@@ -70,7 +70,7 @@ spec:
 spec:
 containers:
 - name: webhook
- image: gitea.rspworks.tech/rpert/gitea-search:v1.0.1
+ image: gitea.rspworks.tech/rpert/gitea-search:v1.0.2
 imagePullPolicy: IfNotPresent
 command: ["indexer", "webhook"]
 ports:
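Review bot: In the `cmdWebhook` hunk of cmd/indexer/main.go, the new guard `sig != "" && !validateSignature(body, sig, webhookSecret)` accepts every request that omits `X-Gitea-Signature`, even when `webhookSecret` is set, so the configured secret no longer authenticates the endpoint and the check fails open. With a secret configured, a missing header should be rejected, i.e. keep `if !validateSignature(body, sig, webhookSecret) {`. The unsigned deliveries are better fixed on the sending side, since the API-created hooks were presumably registered without a secret. If unsigned deliveries must be tolerated for a while, make that an explicit opt-in setting that defaults to off, and log each request accepted without a signature so it can be audited. The handler starts and ends outside this hunk, and `validateSignature` is not visible, so its handling of an empty signature is assumed rather than confirmed.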