whekin/household-bot
1
0
Fork 0
mirror of https://github.com/whekin/household-bot.git synced 2026-03-31 12:04:02 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(cd): properly set webhook secret and add verification step

Browse Source
This commit is contained in:
whekin
2026-03-16 03:58:16 +04:00
parent 74348c3ef5
commit 21303de0ba
2 changed files with 50 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
.github/workflows/cd.yml vendored
View File

@@ -227,10 +227,37 @@ jobs:
TELEGRAM_BOT_TOKEN: ${{ steps.telegram-token.outputs.token }} TELEGRAM_BOT_TOKEN: ${{ steps.telegram-token.outputs.token }}
run: bun run ops:telegram:commands set run: bun run ops:telegram:commands set
- name: Load webhook secret
id: webhook-secret
run: |
set +e
secret_name="telegram-webhook-secret"
if [[ "${SERVICE_SUFFIX}" == "dev" ]]; then
secret_name="telegram-webhook-secret-test"
fi
secret="$(gcloud secrets versions access latest \
--secret "${secret_name}" \
--project "${{ vars.GCP_PROJECT_ID }}" 2>/dev/null)"
status=$?
set -e
if [[ $status -eq 0 && -n "$secret" ]]; then
echo "::add-mask::$secret"
{
echo "available=true"
echo "secret<<EOF"
echo "$secret"
echo "EOF"
} >> "$GITHUB_OUTPUT"
else
echo "available=false" >> "$GITHUB_OUTPUT"
fi
- name: Set Telegram Webhook - name: Set Telegram Webhook
if: ${{ steps.telegram-token.outputs.available == 'true' }} if: ${{ steps.telegram-token.outputs.available == 'true' && steps.webhook-secret.outputs.available == 'true' }}
env: env:
TELEGRAM_BOT_TOKEN: ${{ steps.telegram-token.outputs.token }} TELEGRAM_BOT_TOKEN: ${{ steps.telegram-token.outputs.token }}
TELEGRAM_WEBHOOK_SECRET: ${{ steps.webhook-secret.outputs.secret }}
run: | run: |
SERVICE_URL=$(gcloud run services describe "household-${SERVICE_SUFFIX}-bot-api" \ SERVICE_URL=$(gcloud run services describe "household-${SERVICE_SUFFIX}-bot-api" \
--region "${GCP_REGION}" \ --region "${GCP_REGION}" \
@@ -238,4 +265,13 @@ jobs:
--format 'value(status.url)') --format 'value(status.url)')
export TELEGRAM_WEBHOOK_URL="$SERVICE_URL/webhook/telegram" export TELEGRAM_WEBHOOK_URL="$SERVICE_URL/webhook/telegram"
echo "Setting webhook to: $TELEGRAM_WEBHOOK_URL"
bun run ops:telegram:webhook set bun run ops:telegram:webhook set
- name: Verify Telegram Webhook
if: ${{ steps.telegram-token.outputs.available == 'true' }}
env:
TELEGRAM_BOT_TOKEN: ${{ steps.telegram-token.outputs.token }}
run: |
echo "Checking webhook status..."
bun run ops:telegram:webhook info | jq -r '.url, .last_error_message' || true

19
scripts/ops/telegram-webhook.ts
View File

@@ -51,15 +51,21 @@ async function run(): Promise<void> {
return return
} }
case 'set': { case 'set': {
const params = new URLSearchParams({ const webhookUrl = requireEnv('TELEGRAM_WEBHOOK_URL')
url: requireEnv('TELEGRAM_WEBHOOK_URL')
})
const secretToken = process.env.TELEGRAM_WEBHOOK_SECRET?.trim() const secretToken = process.env.TELEGRAM_WEBHOOK_SECRET?.trim()
if (secretToken) {
params.set('secret_token', secretToken) if (!secretToken) {
console.error(
'WARNING: TELEGRAM_WEBHOOK_SECRET not set - webhook will be set without secret token'
)
throw new Error('TELEGRAM_WEBHOOK_SECRET is required for secure webhook setup')
} }
const params = new URLSearchParams({
url: webhookUrl,
secret_token: secretToken
})
const maxConnections = process.env.TELEGRAM_MAX_CONNECTIONS?.trim() const maxConnections = process.env.TELEGRAM_MAX_CONNECTIONS?.trim()
if (maxConnections) { if (maxConnections) {
params.set('max_connections', maxConnections) params.set('max_connections', maxConnections)
@@ -70,6 +76,7 @@ async function run(): Promise<void> {
params.set('drop_pending_updates', dropPendingUpdates) params.set('drop_pending_updates', dropPendingUpdates)
} }
console.log(`Setting webhook to: ${webhookUrl}`)
const result = await telegramRequest(botToken, 'setWebhook', params) const result = await telegramRequest(botToken, 'setWebhook', params)
console.log(JSON.stringify({ ok: true, result }, null, 2)) console.log(JSON.stringify({ ok: true, result }, null, 2))
return return