Adding repo whitelist.

src/webhook.rs

@@ -1,3 +1,5 @@
+use std::borrow::Borrow;
+use std::collections::HashSet;
 use std::future::Future;
 
 use axum::async_trait;
@@ -40,9 +42,14 @@ pub(crate) async fn hook(
     debug!("REQ: {:?}", payload);
     match payload {
         HookRequest::Push(webhook_payload) => {
-            handle_push(state.gitea, state.kubernetes_client, webhook_payload)
-                .await
-                .expect("Failed to handle push event.");
+            handle_push(
+                state.gitea,
+                state.kubernetes_client,
+                state.allowed_repos.borrow(),
+                webhook_payload,
+            )
+            .await
+            .expect("Failed to handle push event.");
             (
                 StatusCode::OK,
                 Json(HookResponse {
@@ -167,11 +174,19 @@ fn hex_to_bytes(s: &str) -> Option<Vec<u8>> {
 pub(crate) async fn handle_push(
     gitea: GiteaClient,
     kubernetes_client: kube::Client,
+    allowed_repos: &HashSet<String>,
     webhook_payload: HookPush,
 ) -> Result<(), Box<dyn std::error::Error>> {
     let repo_owner = webhook_payload.get_repo_owner()?;
     let repo_name = webhook_payload.get_repo_name()?;
     let pull_base_sha = webhook_payload.get_pull_base_sha()?;
+    if !allowed_repos.contains(&webhook_payload.repository.full_name) {
+        tracing::info!(
+            "{} is not an allowed repository.",
+            webhook_payload.repository.full_name
+        );
+        return Ok(());
+    }
     let repo_tree = gitea.get_tree(repo_owner, repo_name, pull_base_sha).await?;
     let remote_config = discover_webhook_bridge_config(&gitea, &repo_tree).await?;
     let pipelines = discover_matching_push_triggers(