Fix webhook signature validation, bump to v1.0.2

- Skip HMAC validation when X-Gitea-Signature header is absent (Gitea 1.25.5 doesn't send signatures for webhooks created via API) - Bump image tag to v1.0.2 - Gitea app.ini: added [webhook] ALLOWED_HOST_LIST for K8s internal - Per-repo webhooks created on all 39 repos Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-08 05:05:29 +00:00
parent 69602231a4
commit 2082c6c4c5
2 changed files with 4 additions and 4 deletions
--- a/cmd/indexer/main.go
+++ b/cmd/indexer/main.go
@@ -203,10 +203,10 @@ func cmdWebhook() {
 			return
 		}

-		// Validate HMAC signature if secret is configured
+		// Validate HMAC signature if secret is configured AND header is present
 		if webhookSecret != "" {
 			sig := r.Header.Get("X-Gitea-Signature")
-			if !validateSignature(body, sig, webhookSecret) {
+			if sig != "" && !validateSignature(body, sig, webhookSecret) {
 				log.Printf("Invalid webhook signature")
 				http.Error(w, "invalid signature", http.StatusUnauthorized)
 				return
--- a/k8s/indexer-cronjob.yaml
+++ b/k8s/indexer-cronjob.yaml
@@ -22,7 +22,7 @@ spec:
          restartPolicy: OnFailure
          containers:
            - name: indexer
-              image: gitea.rspworks.tech/rpert/gitea-search:v1.0.1
+              image: gitea.rspworks.tech/rpert/gitea-search:v1.0.2
              imagePullPolicy: IfNotPresent
              command: ["indexer", "full"]
              env:
@@ -70,7 +70,7 @@ spec:
    spec:
      containers:
        - name: webhook
-          image: gitea.rspworks.tech/rpert/gitea-search:v1.0.1
+          image: gitea.rspworks.tech/rpert/gitea-search:v1.0.2
          imagePullPolicy: IfNotPresent
          command: ["indexer", "webhook"]
          ports: