Switch to local-path-provisioner.

This must be a new field that gitea added in an update.

.dockerignore

@@ -0,0 +1,4 @@
+**/.git
+target/
+docker/
+.dockerignore

.gitignore

@@ -1 +1,2 @@
 /target
+TODO.org

.webhook_bridge/pipeline-build-semver.yaml

@@ -0,0 +1,256 @@
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+  name: build
+spec:
+  timeouts:
+    pipeline: "2h0m0s"
+    tasks: "1h0m0s"
+    finally: "0h30m0s"
+  taskRunTemplate:
+    serviceAccountName: build-bot
+  pipelineSpec:
+    params:
+      - name: image-name
+        description: The name for the built image
+        type: string
+      - name: target-name
+        description: The dockerfile target to build
+        type: string
+      - name: path-to-image-context
+        description: The path to the build context
+        type: string
+      - name: path-to-dockerfile
+        description: The path to the Dockerfile
+        type: string
+    tasks:
+      - name: detect-tag
+        taskSpec:
+          metadata: {}
+          stepTemplate:
+            image: alpine:3.20
+            computeResources:
+              requests:
+                cpu: 10m
+                memory: 600Mi
+            workingDir: "$(workspaces.repo.path)"
+          results:
+            - name: tag
+              description: The tag to use for the docker container.
+          steps:
+            - image: alpine/git:v2.34.2
+              name: detect-tag-step
+              script: |
+                #!/usr/bin/env sh
+                set -euo pipefail
+                git fetch --tags
+                current_tag=$(git tag --points-at HEAD --list 'v*.*.*')
+                if [ -z "$current_tag" ]; then
+                  echo "No tag at current commit"
+                  exit 1
+                else
+                  echo -n "${current_tag}" | tee $(results.tag.path)
+                fi
+        workspaces:
+          - name: repo
+            workspace: git-source
+        runAfter:
+          - fetch-repository
+      - name: report-pending
+        taskRef:
+          resolver: git
+          params:
+            - name: url
+              value: https://code.fizz.buzz/mirror/catalog.git # mirror of https://github.com/tektoncd/catalog.git
+            - name: revision
+              value: df36b3853a5657fd883015cdbf07ad6466918acf
+            - name: pathInRepo
+              value: task/gitea-set-status/0.1/gitea-set-status.yaml
+        params:
+          - name: CONTEXT
+            value: "$(params.JOB_NAME)"
+          - name: REPO_FULL_NAME
+            value: "$(params.REPO_OWNER)/$(params.REPO_NAME)"
+          - name: GITEA_HOST_URL
+            value: code.fizz.buzz
+          - name: SHA
+            value: "$(tasks.fetch-repository.results.commit)"
+          - name: DESCRIPTION
+            value: "Build $(params.JOB_NAME) has started"
+          - name: STATE
+            value: pending
+          - name: TARGET_URL
+            value: "https://tekton.fizz.buzz/#/namespaces/$(context.pipelineRun.namespace)/pipelineruns/$(context.pipelineRun.name)"
+      - name: fetch-repository
+        taskRef:
+          resolver: git
+          params:
+            - name: url
+              value: https://code.fizz.buzz/mirror/catalog.git # mirror of https://github.com/tektoncd/catalog.git
+            - name: revision
+              value: df36b3853a5657fd883015cdbf07ad6466918acf
+            - name: pathInRepo
+              value: task/git-clone/0.9/git-clone.yaml
+        workspaces:
+          - name: output
+            workspace: git-source
+        params:
+          - name: url
+            value: $(params.REPO_URL)
+          - name: revision
+            value: $(params.PULL_BASE_SHA)
+          - name: deleteExisting
+            value: "true"
+      - name: get-git-commit-time
+        taskSpec:
+          metadata: {}
+          stepTemplate:
+            image: alpine:3.20
+            computeResources:
+              requests:
+                cpu: 10m
+                memory: 600Mi
+            workingDir: "$(workspaces.repo.path)"
+          results:
+            - name: unix-time
+              description: The time of the git commit in unix timestamp format.
+          steps:
+            - image: alpine/git:v2.34.2
+              name: detect-tag-step
+              script: |
+                #!/usr/bin/env sh
+                set -euo pipefail
+                echo -n "$(git log -1 --pretty=%ct)" | tee $(results.unix-time.path)
+        workspaces:
+          - name: repo
+            workspace: git-source
+        runAfter:
+          - fetch-repository
+      - name: build-image
+        taskRef:
+          resolver: git
+          params:
+            - name: url
+              value: https://code.fizz.buzz/talexander/personal_tekton_catalog.git
+            - name: revision
+              value: 7ee31a185243ee6da13dcd26a592c585b64c80e5
+            - name: pathInRepo
+              value: task/buildkit-rootless-daemonless/0.1/buildkit-rootless-daemonless.yaml
+        params:
+          - name: OUTPUT
+            value: >-
+              type=image,"name=$(params.image-name):latest,$(params.image-name):$(tasks.detect-tag.results.tag)",push=true,compression=zstd,compression-level=22,oci-mediatypes=true
+          - name: CONTEXT
+            value: $(params.path-to-image-context)
+          - name: DOCKERFILE
+            value: $(params.path-to-dockerfile)
+          - name: EXTRA_ARGS
+            value:
+              - "--opt"
+              - "target=$(params.target-name)"
+              - --import-cache
+              - "type=registry,ref=$(params.image-name):buildcache"
+              - --export-cache
+              - "type=registry,ref=$(params.image-name):buildcache,mode=max,compression=zstd,compression-level=22,rewrite-timestamp=true,image-manifest=true,oci-mediatypes=true"
+              - --opt
+              - build-arg:SOURCE_DATE_EPOCH=$(tasks.get-git-commit-time.results.unix-time)
+          - name: BUILDKITD_TOML
+            value: |
+              debug = true
+              [registry."docker.io"]
+                mirrors = ["dockerhub.dockerhub.svc.cluster.local"]
+              [registry."dockerhub.dockerhub.svc.cluster.local"]
+                http = true
+                insecure = true
+        workspaces:
+          - name: source
+            workspace: git-source
+          - name: dockerconfig
+            workspace: docker-credentials
+        runAfter:
+          - fetch-repository
+    finally:
+      - name: report-success
+        when:
+          - input: "$(tasks.status)"
+            operator: in
+            values: ["Succeeded", "Completed"]
+        taskRef:
+          resolver: git
+          params:
+            - name: url
+              value: https://code.fizz.buzz/mirror/catalog.git # mirror of https://github.com/tektoncd/catalog.git
+            - name: revision
+              value: df36b3853a5657fd883015cdbf07ad6466918acf
+            - name: pathInRepo
+              value: task/gitea-set-status/0.1/gitea-set-status.yaml
+        params:
+          - name: CONTEXT
+            value: "$(params.JOB_NAME)"
+          - name: REPO_FULL_NAME
+            value: "$(params.REPO_OWNER)/$(params.REPO_NAME)"
+          - name: GITEA_HOST_URL
+            value: code.fizz.buzz
+          - name: SHA
+            value: "$(tasks.fetch-repository.results.commit)"
+          - name: DESCRIPTION
+            value: "Build $(params.JOB_NAME) has succeeded"
+          - name: STATE
+            value: success
+          - name: TARGET_URL
+            value: "https://tekton.fizz.buzz/#/namespaces/$(context.pipelineRun.namespace)/pipelineruns/$(context.pipelineRun.name)"
+      - name: report-failure
+        when:
+          - input: "$(tasks.status)"
+            operator: in
+            values: ["Failed"]
+        taskRef:
+          resolver: git
+          params:
+            - name: url
+              value: https://code.fizz.buzz/mirror/catalog.git # mirror of https://github.com/tektoncd/catalog.git
+            - name: revision
+              value: df36b3853a5657fd883015cdbf07ad6466918acf
+            - name: pathInRepo
+              value: task/gitea-set-status/0.1/gitea-set-status.yaml
+        params:
+          - name: CONTEXT
+            value: "$(params.JOB_NAME)"
+          - name: REPO_FULL_NAME
+            value: "$(params.REPO_OWNER)/$(params.REPO_NAME)"
+          - name: GITEA_HOST_URL
+            value: code.fizz.buzz
+          - name: SHA
+            value: "$(tasks.fetch-repository.results.commit)"
+          - name: DESCRIPTION
+            value: "Build $(params.JOB_NAME) has failed"
+          - name: STATE
+            value: failure
+          - name: TARGET_URL
+            value: "https://tekton.fizz.buzz/#/namespaces/$(context.pipelineRun.namespace)/pipelineruns/$(context.pipelineRun.name)"
+    workspaces:
+      - name: git-source
+      - name: docker-credentials
+  workspaces:
+    - name: git-source
+      volumeClaimTemplate:
+        spec:
+          storageClassName: "local-path"
+          accessModes:
+            - ReadWriteOnce
+          resources:
+            requests:
+              storage: 10Gi
+      subPath: rust-source
+    - name: docker-credentials
+      secret:
+        secretName: harbor-plain
+  params:
+    - name: image-name
+      value: "harbor.fizz.buzz/private/webhook-bridge"
+    - name: target-name
+      value: ""
+    - name: path-to-image-context
+      value: .
+    - name: path-to-dockerfile
+      value: docker/webhook_bridge/

.webhook_bridge/pipeline-format.yaml

@@ -0,0 +1,334 @@
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+  name: rust-format
+spec:
+  timeouts:
+    pipeline: "2h0m0s"
+    tasks: "1h0m0s"
+    finally: "0h30m0s"
+  taskRunTemplate:
+    serviceAccountName: build-bot
+  pipelineSpec:
+    params:
+      - name: image-name
+        description: The name for the built image
+        type: string
+      - name: target-name
+        description: The dockerfile target to build
+        type: string
+      - name: path-to-image-context
+        description: The path to the build context
+        type: string
+      - name: path-to-dockerfile
+        description: The path to the Dockerfile
+        type: string
+    tasks:
+      - name: report-pending
+        taskRef:
+          resolver: git
+          params:
+            - name: url
+              value: https://code.fizz.buzz/mirror/catalog.git # mirror of https://github.com/tektoncd/catalog.git
+            - name: revision
+              value: df36b3853a5657fd883015cdbf07ad6466918acf
+            - name: pathInRepo
+              value: task/gitea-set-status/0.1/gitea-set-status.yaml
+        params:
+          - name: CONTEXT
+            value: "$(params.JOB_NAME)"
+          - name: REPO_FULL_NAME
+            value: "$(params.REPO_OWNER)/$(params.REPO_NAME)"
+          - name: GITEA_HOST_URL
+            value: code.fizz.buzz
+          - name: SHA
+            value: "$(tasks.fetch-repository.results.commit)"
+          - name: DESCRIPTION
+            value: "Build $(params.JOB_NAME) has started"
+          - name: STATE
+            value: pending
+          - name: TARGET_URL
+            value: "https://tekton.fizz.buzz/#/namespaces/$(context.pipelineRun.namespace)/pipelineruns/$(context.pipelineRun.name)"
+      - name: fetch-repository
+        taskRef:
+          resolver: git
+          params:
+            - name: url
+              value: https://code.fizz.buzz/mirror/catalog.git # mirror of https://github.com/tektoncd/catalog.git
+            - name: revision
+              value: df36b3853a5657fd883015cdbf07ad6466918acf
+            - name: pathInRepo
+              value: task/git-clone/0.9/git-clone.yaml
+        workspaces:
+          - name: output
+            workspace: git-source
+        params:
+          - name: url
+            value: $(params.REPO_URL)
+          - name: revision
+            value: $(params.PULL_BASE_SHA)
+          - name: deleteExisting
+            value: "true"
+      - name: get-git-commit-time
+        taskSpec:
+          metadata: {}
+          stepTemplate:
+            image: alpine:3.20
+            computeResources:
+              requests:
+                cpu: 10m
+                memory: 600Mi
+            workingDir: "$(workspaces.repo.path)"
+          results:
+            - name: unix-time
+              description: The time of the git commit in unix timestamp format.
+          steps:
+            - image: alpine/git:v2.34.2
+              name: detect-tag-step
+              script: |
+                #!/usr/bin/env sh
+                set -euo pipefail
+                echo -n "$(git log -1 --pretty=%ct)" | tee $(results.unix-time.path)
+        workspaces:
+          - name: repo
+            workspace: git-source
+        runAfter:
+          - fetch-repository
+      - name: build-image
+        taskRef:
+          resolver: git
+          params:
+            - name: url
+              value: https://code.fizz.buzz/talexander/personal_tekton_catalog.git
+            - name: revision
+              value: 7ee31a185243ee6da13dcd26a592c585b64c80e5
+            - name: pathInRepo
+              value: task/buildkit-rootless-daemonless/0.1/buildkit-rootless-daemonless.yaml
+        params:
+          - name: OUTPUT
+            value: >-
+              type=image,"name=$(params.image-name):latest,$(params.image-name):$(tasks.fetch-repository.results.commit)",push=true,compression=zstd,compression-level=22,oci-mediatypes=true
+          - name: CONTEXT
+            value: $(params.path-to-image-context)
+          - name: DOCKERFILE
+            value: $(params.path-to-dockerfile)
+          - name: EXTRA_ARGS
+            value:
+              - "--opt"
+              - "target=$(params.target-name)"
+              - --import-cache
+              - "type=registry,ref=$(params.image-name):buildcache"
+              - --export-cache
+              - "type=registry,ref=$(params.image-name):buildcache,mode=max,compression=zstd,compression-level=22,rewrite-timestamp=true,image-manifest=true,oci-mediatypes=true"
+              - --opt
+              - build-arg:SOURCE_DATE_EPOCH=$(tasks.get-git-commit-time.results.unix-time)
+          - name: BUILDKITD_TOML
+            value: |
+              debug = true
+              [registry."docker.io"]
+                mirrors = ["dockerhub.dockerhub.svc.cluster.local"]
+              [registry."dockerhub.dockerhub.svc.cluster.local"]
+                http = true
+                insecure = true
+        workspaces:
+          - name: source
+            workspace: git-source
+          - name: dockerconfig
+            workspace: docker-credentials
+        runAfter:
+          - fetch-repository
+      - name: run-cargo-fmt
+        taskSpec:
+          metadata: {}
+          params:
+            - name: docker-image
+              type: string
+              description: Docker image to run.
+              default: alpine:3.20
+          stepTemplate:
+            image: alpine:3.20
+            computeResources:
+              requests:
+                cpu: 10m
+                memory: 600Mi
+            workingDir: /workspace/source
+          workspaces:
+            - name: source
+              mountPath: /source
+            - name: cargo-cache
+              mountPath: /usr/local/cargo/registry
+              optional: true
+          steps:
+            - name: run
+              image: $(params.docker-image)
+              workingDir: "$(workspaces.source.path)"
+              command: ["cargo", "fmt"]
+              args: []
+              env:
+                - name: CARGO_TARGET_DIR
+                  value: /target
+        workspaces:
+          - name: source
+            workspace: git-source
+          - name: cargo-cache
+            workspace: cargo-cache
+        runAfter:
+          - build-image
+        params:
+          - name: docker-image
+            value: "$(tasks.build-image.results.IMAGE_URL[1])"
+      - name: commit-changes
+        taskRef:
+          resolver: git
+          params:
+            - name: url
+              value: https://code.fizz.buzz/mirror/catalog.git # mirror of https://github.com/tektoncd/catalog.git
+            - name: revision
+              value: df36b3853a5657fd883015cdbf07ad6466918acf
+            - name: pathInRepo
+              value: task/git-cli/0.4/git-cli.yaml
+        params:
+          - name: GIT_USER_NAME
+            value: fluxcdbot
+          - name: GIT_USER_EMAIL
+            value: "fluxcdbot@users.noreply.github.com"
+          - name: GIT_SCRIPT
+            value: |
+              pwd
+              git config --global --add safe.directory /workspace/source
+              git_status=$(git status --porcelain)
+              if [ -n "$git_status" ]; then
+                git commit -a -m "CI: autofix rust code."
+                git push origin HEAD:$(params.PULL_BASE_REF)
+              else
+                echo "No changes to commit."
+              fi
+        workspaces:
+          - name: source
+            workspace: git-source
+        runAfter:
+          - run-cargo-fmt
+    finally:
+      - name: report-success
+        when:
+          - input: "$(tasks.status)"
+            operator: in
+            values: ["Succeeded", "Completed"]
+        taskRef:
+          resolver: git
+          params:
+            - name: url
+              value: https://code.fizz.buzz/mirror/catalog.git # mirror of https://github.com/tektoncd/catalog.git
+            - name: revision
+              value: df36b3853a5657fd883015cdbf07ad6466918acf
+            - name: pathInRepo
+              value: task/gitea-set-status/0.1/gitea-set-status.yaml
+        params:
+          - name: CONTEXT
+            value: "$(params.JOB_NAME)"
+          - name: REPO_FULL_NAME
+            value: "$(params.REPO_OWNER)/$(params.REPO_NAME)"
+          - name: GITEA_HOST_URL
+            value: code.fizz.buzz
+          - name: SHA
+            value: "$(tasks.fetch-repository.results.commit)"
+          - name: DESCRIPTION
+            value: "Build $(params.JOB_NAME) has succeeded"
+          - name: STATE
+            value: success
+          - name: TARGET_URL
+            value: "https://tekton.fizz.buzz/#/namespaces/$(context.pipelineRun.namespace)/pipelineruns/$(context.pipelineRun.name)"
+      - name: report-failure
+        when:
+          - input: "$(tasks.status)"
+            operator: in
+            values: ["Failed"]
+        taskRef:
+          resolver: git
+          params:
+            - name: url
+              value: https://code.fizz.buzz/mirror/catalog.git # mirror of https://github.com/tektoncd/catalog.git
+            - name: revision
+              value: df36b3853a5657fd883015cdbf07ad6466918acf
+            - name: pathInRepo
+              value: task/gitea-set-status/0.1/gitea-set-status.yaml
+        params:
+          - name: CONTEXT
+            value: "$(params.JOB_NAME)"
+          - name: REPO_FULL_NAME
+            value: "$(params.REPO_OWNER)/$(params.REPO_NAME)"
+          - name: GITEA_HOST_URL
+            value: code.fizz.buzz
+          - name: SHA
+            value: "$(tasks.fetch-repository.results.commit)"
+          - name: DESCRIPTION
+            value: "Build $(params.JOB_NAME) has failed"
+          - name: STATE
+            value: failure
+          - name: TARGET_URL
+            value: "https://tekton.fizz.buzz/#/namespaces/$(context.pipelineRun.namespace)/pipelineruns/$(context.pipelineRun.name)"
+      - name: cargo-cache-autoclean
+        taskSpec:
+          metadata: {}
+          params:
+            - name: docker-image
+              type: string
+              description: Docker image to run.
+              default: alpine:3.20
+          stepTemplate:
+            image: alpine:3.20
+            computeResources:
+              requests:
+                cpu: 10m
+                memory: 600Mi
+            workingDir: /workspace/source
+          workspaces:
+            - name: source
+              mountPath: /source
+            - name: cargo-cache
+              mountPath: /usr/local/cargo/registry
+              optional: true
+          steps:
+            - name: run
+              image: $(params.docker-image)
+              workingDir: "$(workspaces.source.path)"
+              command: [cargo, cache, --autoclean]
+              args: []
+        workspaces:
+          - name: source
+            workspace: git-source
+          - name: cargo-cache
+            workspace: cargo-cache
+        params:
+          - name: docker-image
+            value: "$(tasks.build-image.results.IMAGE_URL[1])"
+    workspaces:
+      - name: git-source
+      - name: docker-credentials
+      - name: cargo-cache
+  workspaces:
+    - name: git-source
+      volumeClaimTemplate:
+        spec:
+          storageClassName: "local-path"
+          accessModes:
+            - ReadWriteOnce
+          resources:
+            requests:
+              storage: 10Gi
+      subPath: rust-source
+    - name: cargo-cache
+      persistentVolumeClaim:
+        claimName: webhook-bridge-cargo-cache-fmt
+    - name: docker-credentials
+      secret:
+        secretName: harbor-plain
+  params:
+    - name: image-name
+      value: "harbor.fizz.buzz/private/webhook-bridge-development-format"
+    - name: target-name
+      value: ""
+    - name: path-to-image-context
+      value: docker/webhook_bridge_development/
+    - name: path-to-dockerfile
+      value: docker/webhook_bridge_development/

.webhook_bridge/pipeline-rust-clippy.yaml

@@ -0,0 +1,313 @@
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+  name: rust-clippy
+spec:
+  taskRunTemplate:
+    serviceAccountName: build-bot
+  timeouts:
+    pipeline: "2h0m0s"
+    tasks: "1h0m40s"
+    finally: "0h30m0s"
+  pipelineSpec:
+    params:
+      - name: image-name
+        description: The name for the built image
+        type: string
+      - name: target-name
+        description: The dockerfile target to build
+        type: string
+      - name: path-to-image-context
+        description: The path to the build context
+        type: string
+      - name: path-to-dockerfile
+        description: The path to the Dockerfile
+        type: string
+    tasks:
+      - name: report-pending
+        taskRef:
+          resolver: git
+          params:
+            - name: url
+              value: https://code.fizz.buzz/mirror/catalog.git # mirror of https://github.com/tektoncd/catalog.git
+            - name: revision
+              value: df36b3853a5657fd883015cdbf07ad6466918acf
+            - name: pathInRepo
+              value: task/gitea-set-status/0.1/gitea-set-status.yaml
+        params:
+          - name: CONTEXT
+            value: "$(params.JOB_NAME)"
+          - name: REPO_FULL_NAME
+            value: "$(params.REPO_OWNER)/$(params.REPO_NAME)"
+          - name: GITEA_HOST_URL
+            value: code.fizz.buzz
+          - name: SHA
+            value: "$(tasks.fetch-repository.results.commit)"
+          - name: DESCRIPTION
+            value: "Build $(params.JOB_NAME) has started"
+          - name: STATE
+            value: pending
+          - name: TARGET_URL
+            value: "https://tekton.fizz.buzz/#/namespaces/$(context.pipelineRun.namespace)/pipelineruns/$(context.pipelineRun.name)"
+      - name: fetch-repository
+        taskRef:
+          resolver: git
+          params:
+            - name: url
+              value: https://code.fizz.buzz/mirror/catalog.git # mirror of https://github.com/tektoncd/catalog.git
+            - name: revision
+              value: df36b3853a5657fd883015cdbf07ad6466918acf
+            - name: pathInRepo
+              value: task/git-clone/0.9/git-clone.yaml
+        workspaces:
+          - name: output
+            workspace: git-source
+        params:
+          - name: url
+            value: $(params.REPO_URL)
+          - name: revision
+            value: $(params.PULL_BASE_SHA)
+          - name: deleteExisting
+            value: "true"
+      - name: get-git-commit-time
+        taskSpec:
+          metadata: {}
+          stepTemplate:
+            image: alpine:3.20
+            computeResources:
+              requests:
+                cpu: 10m
+                memory: 600Mi
+            workingDir: "$(workspaces.repo.path)"
+          results:
+            - name: unix-time
+              description: The time of the git commit in unix timestamp format.
+          steps:
+            - image: alpine/git:v2.34.2
+              name: detect-tag-step
+              script: |
+                #!/usr/bin/env sh
+                set -euo pipefail
+                echo -n "$(git log -1 --pretty=%ct)" | tee $(results.unix-time.path)
+        workspaces:
+          - name: repo
+            workspace: git-source
+        runAfter:
+          - fetch-repository
+      - name: build-image
+        taskRef:
+          resolver: git
+          params:
+            - name: url
+              value: https://code.fizz.buzz/talexander/personal_tekton_catalog.git
+            - name: revision
+              value: 7ee31a185243ee6da13dcd26a592c585b64c80e5
+            - name: pathInRepo
+              value: task/buildkit-rootless-daemonless/0.1/buildkit-rootless-daemonless.yaml
+        params:
+          - name: OUTPUT
+            value: >-
+              type=image,"name=$(params.image-name):latest,$(params.image-name):$(tasks.fetch-repository.results.commit)",push=true,compression=zstd,compression-level=22,oci-mediatypes=true
+          - name: CONTEXT
+            value: $(params.path-to-image-context)
+          - name: DOCKERFILE
+            value: $(params.path-to-dockerfile)
+          - name: EXTRA_ARGS
+            value:
+              - "--opt"
+              - "target=$(params.target-name)"
+              - --import-cache
+              - "type=registry,ref=$(params.image-name):buildcache"
+              - --export-cache
+              - "type=registry,ref=$(params.image-name):buildcache,mode=max,compression=zstd,compression-level=22,rewrite-timestamp=true,image-manifest=true,oci-mediatypes=true"
+              - --opt
+              - build-arg:SOURCE_DATE_EPOCH=$(tasks.get-git-commit-time.results.unix-time)
+          - name: BUILDKITD_TOML
+            value: |
+              debug = true
+              [registry."docker.io"]
+                mirrors = ["dockerhub.dockerhub.svc.cluster.local"]
+              [registry."dockerhub.dockerhub.svc.cluster.local"]
+                http = true
+                insecure = true
+        workspaces:
+          - name: source
+            workspace: git-source
+          - name: dockerconfig
+            workspace: docker-credentials
+        runAfter:
+          - fetch-repository
+      - name: run-cargo-clippy
+        taskSpec:
+          metadata: {}
+          params:
+            - name: docker-image
+              type: string
+              description: Docker image to run.
+              default: alpine:3.20
+          stepTemplate:
+            image: alpine:3.20
+            computeResources:
+              requests:
+                cpu: 10m
+                memory: 600Mi
+            workingDir: /workspace/source
+          workspaces:
+            - name: source
+              mountPath: /source
+            - name: cargo-cache
+              mountPath: /usr/local/cargo/registry
+              optional: true
+          steps:
+            - name: run
+              image: $(params.docker-image)
+              workingDir: "$(workspaces.source.path)"
+              command:
+                [
+                  "cargo",
+                  "clippy",
+                  "--no-deps",
+                  "--all-targets",
+                  "--all-features",
+                  "--",
+                  "-D",
+                  "warnings",
+                ]
+              args: []
+              env:
+                - name: CARGO_TARGET_DIR
+                  value: /target
+        workspaces:
+          - name: source
+            workspace: git-source
+          - name: cargo-cache
+            workspace: cargo-cache
+        runAfter:
+          - build-image
+        params:
+          - name: docker-image
+            value: "$(tasks.build-image.results.IMAGE_URL[1])"
+    finally:
+      - name: report-success
+        when:
+          - input: "$(tasks.status)"
+            operator: in
+            values: ["Succeeded", "Completed"]
+        taskRef:
+          resolver: git
+          params:
+            - name: url
+              value: https://code.fizz.buzz/mirror/catalog.git # mirror of https://github.com/tektoncd/catalog.git
+            - name: revision
+              value: df36b3853a5657fd883015cdbf07ad6466918acf
+            - name: pathInRepo
+              value: task/gitea-set-status/0.1/gitea-set-status.yaml
+        params:
+          - name: CONTEXT
+            value: "$(params.JOB_NAME)"
+          - name: REPO_FULL_NAME
+            value: "$(params.REPO_OWNER)/$(params.REPO_NAME)"
+          - name: GITEA_HOST_URL
+            value: code.fizz.buzz
+          - name: SHA
+            value: "$(tasks.fetch-repository.results.commit)"
+          - name: DESCRIPTION
+            value: "Build $(params.JOB_NAME) has succeeded"
+          - name: STATE
+            value: success
+          - name: TARGET_URL
+            value: "https://tekton.fizz.buzz/#/namespaces/$(context.pipelineRun.namespace)/pipelineruns/$(context.pipelineRun.name)"
+      - name: report-failure
+        when:
+          - input: "$(tasks.status)"
+            operator: in
+            values: ["Failed"]
+        taskRef:
+          resolver: git
+          params:
+            - name: url
+              value: https://code.fizz.buzz/mirror/catalog.git # mirror of https://github.com/tektoncd/catalog.git
+            - name: revision
+              value: df36b3853a5657fd883015cdbf07ad6466918acf
+            - name: pathInRepo
+              value: task/gitea-set-status/0.1/gitea-set-status.yaml
+        params:
+          - name: CONTEXT
+            value: "$(params.JOB_NAME)"
+          - name: REPO_FULL_NAME
+            value: "$(params.REPO_OWNER)/$(params.REPO_NAME)"
+          - name: GITEA_HOST_URL
+            value: code.fizz.buzz
+          - name: SHA
+            value: "$(tasks.fetch-repository.results.commit)"
+          - name: DESCRIPTION
+            value: "Build $(params.JOB_NAME) has failed"
+          - name: STATE
+            value: failure
+          - name: TARGET_URL
+            value: "https://tekton.fizz.buzz/#/namespaces/$(context.pipelineRun.namespace)/pipelineruns/$(context.pipelineRun.name)"
+      - name: cargo-cache-autoclean
+        taskSpec:
+          metadata: {}
+          params:
+            - name: docker-image
+              type: string
+              description: Docker image to run.
+              default: alpine:3.20
+          stepTemplate:
+            image: alpine:3.20
+            computeResources:
+              requests:
+                cpu: 10m
+                memory: 600Mi
+            workingDir: /workspace/source
+          workspaces:
+            - name: source
+              mountPath: /source
+            - name: cargo-cache
+              mountPath: /usr/local/cargo/registry
+              optional: true
+          steps:
+            - name: run
+              image: $(params.docker-image)
+              workingDir: "$(workspaces.source.path)"
+              command: [cargo, cache, --autoclean]
+              args: []
+        workspaces:
+          - name: source
+            workspace: git-source
+          - name: cargo-cache
+            workspace: cargo-cache
+        params:
+          - name: docker-image
+            value: "$(tasks.build-image.results.IMAGE_URL[1])"
+    workspaces:
+      - name: git-source
+      - name: docker-credentials
+      - name: cargo-cache
+  workspaces:
+    - name: git-source
+      volumeClaimTemplate:
+        spec:
+          storageClassName: "local-path"
+          accessModes:
+            - ReadWriteOnce
+          resources:
+            requests:
+              storage: 10Gi
+      subPath: rust-source
+    - name: cargo-cache
+      persistentVolumeClaim:
+        claimName: webhook-bridge-cargo-cache-clippy
+    - name: docker-credentials
+      secret:
+        secretName: harbor-plain
+  params:
+    - name: image-name
+      value: "harbor.fizz.buzz/private/webhook-bridge-development-clippy"
+    - name: target-name
+      value: ""
+    - name: path-to-image-context
+      value: docker/webhook_bridge_development/
+    - name: path-to-dockerfile
+      value: docker/webhook_bridge_development/

.webhook_bridge/pipeline-rust-test.yaml

@@ -0,0 +1,303 @@
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+  name: rust-test
+spec:
+  timeouts:
+    pipeline: "2h0m0s"
+    tasks: "1h0m40s"
+    finally: "0h30m0s"
+  taskRunTemplate:
+    serviceAccountName: build-bot
+  pipelineSpec:
+    params:
+      - name: image-name
+        description: The name for the built image
+        type: string
+      - name: target-name
+        description: The dockerfile target to build
+        type: string
+      - name: path-to-image-context
+        description: The path to the build context
+        type: string
+      - name: path-to-dockerfile
+        description: The path to the Dockerfile
+        type: string
+    tasks:
+      - name: report-pending
+        taskRef:
+          resolver: git
+          params:
+            - name: url
+              value: https://code.fizz.buzz/mirror/catalog.git # mirror of https://github.com/tektoncd/catalog.git
+            - name: revision
+              value: df36b3853a5657fd883015cdbf07ad6466918acf
+            - name: pathInRepo
+              value: task/gitea-set-status/0.1/gitea-set-status.yaml
+        params:
+          - name: CONTEXT
+            value: "$(params.JOB_NAME)"
+          - name: REPO_FULL_NAME
+            value: "$(params.REPO_OWNER)/$(params.REPO_NAME)"
+          - name: GITEA_HOST_URL
+            value: code.fizz.buzz
+          - name: SHA
+            value: "$(tasks.fetch-repository.results.commit)"
+          - name: DESCRIPTION
+            value: "Build $(params.JOB_NAME) has started"
+          - name: STATE
+            value: pending
+          - name: TARGET_URL
+            value: "https://tekton.fizz.buzz/#/namespaces/$(context.pipelineRun.namespace)/pipelineruns/$(context.pipelineRun.name)"
+      - name: fetch-repository
+        taskRef:
+          resolver: git
+          params:
+            - name: url
+              value: https://code.fizz.buzz/mirror/catalog.git # mirror of https://github.com/tektoncd/catalog.git
+            - name: revision
+              value: df36b3853a5657fd883015cdbf07ad6466918acf
+            - name: pathInRepo
+              value: task/git-clone/0.9/git-clone.yaml
+        workspaces:
+          - name: output
+            workspace: git-source
+        params:
+          - name: url
+            value: $(params.REPO_URL)
+          - name: revision
+            value: $(params.PULL_BASE_SHA)
+          - name: deleteExisting
+            value: "true"
+      - name: get-git-commit-time
+        taskSpec:
+          metadata: {}
+          stepTemplate:
+            image: alpine:3.20
+            computeResources:
+              requests:
+                cpu: 10m
+                memory: 600Mi
+            workingDir: "$(workspaces.repo.path)"
+          results:
+            - name: unix-time
+              description: The time of the git commit in unix timestamp format.
+          steps:
+            - image: alpine/git:v2.34.2
+              name: detect-tag-step
+              script: |
+                #!/usr/bin/env sh
+                set -euo pipefail
+                echo -n "$(git log -1 --pretty=%ct)" | tee $(results.unix-time.path)
+        workspaces:
+          - name: repo
+            workspace: git-source
+        runAfter:
+          - fetch-repository
+      - name: build-image
+        taskRef:
+          resolver: git
+          params:
+            - name: url
+              value: https://code.fizz.buzz/talexander/personal_tekton_catalog.git
+            - name: revision
+              value: 7ee31a185243ee6da13dcd26a592c585b64c80e5
+            - name: pathInRepo
+              value: task/buildkit-rootless-daemonless/0.1/buildkit-rootless-daemonless.yaml
+        params:
+          - name: OUTPUT
+            value: >-
+              type=image,"name=$(params.image-name):latest,$(params.image-name):$(tasks.fetch-repository.results.commit)",push=true,compression=zstd,compression-level=22,oci-mediatypes=true
+          - name: CONTEXT
+            value: $(params.path-to-image-context)
+          - name: DOCKERFILE
+            value: $(params.path-to-dockerfile)
+          - name: EXTRA_ARGS
+            value:
+              - "--opt"
+              - "target=$(params.target-name)"
+              - --import-cache
+              - "type=registry,ref=$(params.image-name):buildcache"
+              - --export-cache
+              - "type=registry,ref=$(params.image-name):buildcache,mode=max,compression=zstd,compression-level=22,rewrite-timestamp=true,image-manifest=true,oci-mediatypes=true"
+              - --opt
+              - build-arg:SOURCE_DATE_EPOCH=$(tasks.get-git-commit-time.results.unix-time)
+          - name: BUILDKITD_TOML
+            value: |
+              debug = true
+              [registry."docker.io"]
+                mirrors = ["dockerhub.dockerhub.svc.cluster.local"]
+              [registry."dockerhub.dockerhub.svc.cluster.local"]
+                http = true
+                insecure = true
+        workspaces:
+          - name: source
+            workspace: git-source
+          - name: dockerconfig
+            workspace: docker-credentials
+        runAfter:
+          - fetch-repository
+      - name: run-cargo-test
+        taskSpec:
+          metadata: {}
+          params:
+            - name: docker-image
+              type: string
+              description: Docker image to run.
+              default: alpine:3.20
+          stepTemplate:
+            image: alpine:3.20
+            computeResources:
+              requests:
+                cpu: 10m
+                memory: 600Mi
+            workingDir: /workspace/source
+          workspaces:
+            - name: source
+              mountPath: /source
+            - name: cargo-cache
+              mountPath: /usr/local/cargo/registry
+              optional: true
+          steps:
+            - name: run
+              image: $(params.docker-image)
+              workingDir: "$(workspaces.source.path)"
+              command: [cargo, test, --no-fail-fast]
+              args: []
+              env:
+                - name: CARGO_TARGET_DIR
+                  value: /target
+        workspaces:
+          - name: source
+            workspace: git-source
+          - name: cargo-cache
+            workspace: cargo-cache
+        runAfter:
+          - build-image
+        params:
+          - name: docker-image
+            value: "$(tasks.build-image.results.IMAGE_URL[1])"
+    finally:
+      - name: report-success
+        when:
+          - input: "$(tasks.status)"
+            operator: in
+            values: ["Succeeded", "Completed"]
+        taskRef:
+          resolver: git
+          params:
+            - name: url
+              value: https://code.fizz.buzz/mirror/catalog.git # mirror of https://github.com/tektoncd/catalog.git
+            - name: revision
+              value: df36b3853a5657fd883015cdbf07ad6466918acf
+            - name: pathInRepo
+              value: task/gitea-set-status/0.1/gitea-set-status.yaml
+        params:
+          - name: CONTEXT
+            value: "$(params.JOB_NAME)"
+          - name: REPO_FULL_NAME
+            value: "$(params.REPO_OWNER)/$(params.REPO_NAME)"
+          - name: GITEA_HOST_URL
+            value: code.fizz.buzz
+          - name: SHA
+            value: "$(tasks.fetch-repository.results.commit)"
+          - name: DESCRIPTION
+            value: "Build $(params.JOB_NAME) has succeeded"
+          - name: STATE
+            value: success
+          - name: TARGET_URL
+            value: "https://tekton.fizz.buzz/#/namespaces/$(context.pipelineRun.namespace)/pipelineruns/$(context.pipelineRun.name)"
+      - name: report-failure
+        when:
+          - input: "$(tasks.status)"
+            operator: in
+            values: ["Failed"]
+        taskRef:
+          resolver: git
+          params:
+            - name: url
+              value: https://code.fizz.buzz/mirror/catalog.git # mirror of https://github.com/tektoncd/catalog.git
+            - name: revision
+              value: df36b3853a5657fd883015cdbf07ad6466918acf
+            - name: pathInRepo
+              value: task/gitea-set-status/0.1/gitea-set-status.yaml
+        params:
+          - name: CONTEXT
+            value: "$(params.JOB_NAME)"
+          - name: REPO_FULL_NAME
+            value: "$(params.REPO_OWNER)/$(params.REPO_NAME)"
+          - name: GITEA_HOST_URL
+            value: code.fizz.buzz
+          - name: SHA
+            value: "$(tasks.fetch-repository.results.commit)"
+          - name: DESCRIPTION
+            value: "Build $(params.JOB_NAME) has failed"
+          - name: STATE
+            value: failure
+          - name: TARGET_URL
+            value: "https://tekton.fizz.buzz/#/namespaces/$(context.pipelineRun.namespace)/pipelineruns/$(context.pipelineRun.name)"
+      - name: cargo-cache-autoclean
+        taskSpec:
+          metadata: {}
+          params:
+            - name: docker-image
+              type: string
+              description: Docker image to run.
+              default: alpine:3.20
+          stepTemplate:
+            image: alpine:3.20
+            computeResources:
+              requests:
+                cpu: 10m
+                memory: 600Mi
+            workingDir: /workspace/source
+          workspaces:
+            - name: source
+              mountPath: /source
+            - name: cargo-cache
+              mountPath: /usr/local/cargo/registry
+              optional: true
+          steps:
+            - name: run
+              image: $(params.docker-image)
+              workingDir: "$(workspaces.source.path)"
+              command: [cargo, cache, --autoclean]
+              args: []
+        workspaces:
+          - name: source
+            workspace: git-source
+          - name: cargo-cache
+            workspace: cargo-cache
+        params:
+          - name: docker-image
+            value: "$(tasks.build-image.results.IMAGE_URL[1])"
+    workspaces:
+      - name: git-source
+      - name: docker-credentials
+      - name: cargo-cache
+  workspaces:
+    - name: git-source
+      volumeClaimTemplate:
+        spec:
+          storageClassName: "local-path"
+          accessModes:
+            - ReadWriteOnce
+          resources:
+            requests:
+              storage: 10Gi
+      subPath: rust-source
+    - name: cargo-cache
+      persistentVolumeClaim:
+        claimName: webhook-bridge-cargo-cache-test
+    - name: docker-credentials
+      secret:
+        secretName: harbor-plain
+  params:
+    - name: image-name
+      value: "harbor.fizz.buzz/private/webhook-bridge-development-test"
+    - name: target-name
+      value: ""
+    - name: path-to-image-context
+      value: docker/webhook_bridge_development/
+    - name: path-to-dockerfile
+      value: docker/webhook_bridge_development/

.webhook_bridge/pipeline-semver.yaml

@@ -0,0 +1,187 @@
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+  name: semver
+spec:
+  timeouts:
+    pipeline: "2h0m0s"
+    tasks: "1h0m0s"
+    finally: "0h30m0s"
+  taskRunTemplate:
+    serviceAccountName: build-bot
+  pipelineSpec:
+    params:
+      - name: REPO_OWNER
+        description: Owner of the repo on gitea
+        type: string
+      - name: REPO_NAME
+        description: Name of the repo on gitea
+        type: string
+      - name: PULL_BASE_SHA
+        description: The commit sha
+        type: string
+      - name: JOB_NAME
+        description: The name of the job to report to gitea
+        type: string
+    tasks:
+      - name: calculate-tag
+        runAfter:
+          - fetch-repository
+        workspaces:
+          - name: source
+            workspace: git-source
+        taskSpec:
+          metadata: {}
+          stepTemplate:
+            image: alpine:3.20
+            computeResources:
+              requests:
+                cpu: 10m
+                memory: 600Mi
+            workingDir: /workspace/source
+          results:
+            - name: tag
+              description: The tag to use for the docker container
+          steps:
+            - image: alpine/git:2.43.0
+              name: calculate-tag
+              script: |
+                #!/usr/bin/env sh
+                set -euo pipefail
+                git config --global --add safe.directory $(workspaces.source.path)
+                git fetch --tags
+                current_tag=$(git tag --points-at HEAD --list 'v*.*.*')
+                if [ -z "$current_tag" ]; then
+                  prev_tag=$(git tag --list 'v*.*.*' | sort -V -r | head -n 1)
+                  if [ -n "$prev_tag" ]; then
+                    last_bit=$(echo "$prev_tag" | cut -d '.' -f 3)
+                    incremented=$((last_bit + 1))
+                    prefix=$(echo "$prev_tag" | grep -oE 'v[0-9]*\.[0-9]*\.')
+                    final_tag="${prefix}${incremented}"
+                  else
+                    final_tag="v0.0.1"
+                  fi
+                  echo -n "${final_tag}" | tee $(results.tag.path)
+                  git tag "${final_tag}"
+                  git push origin "${final_tag}"
+                else
+                  echo -n "${current_tag}" | tee $(results.tag.path)
+                fi
+      - name: report-pending
+        taskRef:
+          resolver: git
+          params:
+            - name: url
+              value: https://code.fizz.buzz/mirror/catalog.git # mirror of https://github.com/tektoncd/catalog.git
+            - name: revision
+              value: df36b3853a5657fd883015cdbf07ad6466918acf
+            - name: pathInRepo
+              value: task/gitea-set-status/0.1/gitea-set-status.yaml
+        params:
+          - name: CONTEXT
+            value: "$(params.JOB_NAME)"
+          - name: REPO_FULL_NAME
+            value: "$(params.REPO_OWNER)/$(params.REPO_NAME)"
+          - name: GITEA_HOST_URL
+            value: code.fizz.buzz
+          - name: SHA
+            value: "$(tasks.fetch-repository.results.commit)"
+          - name: DESCRIPTION
+            value: "Build $(params.JOB_NAME) has started"
+          - name: STATE
+            value: pending
+          - name: TARGET_URL
+            value: "https://tekton.fizz.buzz/#/namespaces/$(context.pipelineRun.namespace)/pipelineruns/$(context.pipelineRun.name)"
+      - name: fetch-repository
+        taskRef:
+          resolver: git
+          params:
+            - name: url
+              value: https://code.fizz.buzz/mirror/catalog.git # mirror of https://github.com/tektoncd/catalog.git
+            - name: revision
+              value: df36b3853a5657fd883015cdbf07ad6466918acf
+            - name: pathInRepo
+              value: task/git-clone/0.9/git-clone.yaml
+        workspaces:
+          - name: output
+            workspace: git-source
+        params:
+          - name: url
+            value: $(params.REPO_URL)
+          - name: revision
+            value: $(params.PULL_BASE_SHA)
+          - name: deleteExisting
+            value: "true"
+    finally:
+      - name: report-success
+        when:
+          - input: "$(tasks.status)"
+            operator: in
+            values: ["Succeeded", "Completed"]
+        taskRef:
+          resolver: git
+          params:
+            - name: url
+              value: https://code.fizz.buzz/mirror/catalog.git # mirror of https://github.com/tektoncd/catalog.git
+            - name: revision
+              value: df36b3853a5657fd883015cdbf07ad6466918acf
+            - name: pathInRepo
+              value: task/gitea-set-status/0.1/gitea-set-status.yaml
+        params:
+          - name: CONTEXT
+            value: "$(params.JOB_NAME)"
+          - name: REPO_FULL_NAME
+            value: "$(params.REPO_OWNER)/$(params.REPO_NAME)"
+          - name: GITEA_HOST_URL
+            value: code.fizz.buzz
+          - name: SHA
+            value: "$(tasks.fetch-repository.results.commit)"
+          - name: DESCRIPTION
+            value: "Build $(params.JOB_NAME) has succeeded"
+          - name: STATE
+            value: success
+          - name: TARGET_URL
+            value: "https://tekton.fizz.buzz/#/namespaces/$(context.pipelineRun.namespace)/pipelineruns/$(context.pipelineRun.name)"
+      - name: report-failure
+        when:
+          - input: "$(tasks.status)"
+            operator: in
+            values: ["Failed"]
+        taskRef:
+          resolver: git
+          params:
+            - name: url
+              value: https://code.fizz.buzz/mirror/catalog.git # mirror of https://github.com/tektoncd/catalog.git
+            - name: revision
+              value: df36b3853a5657fd883015cdbf07ad6466918acf
+            - name: pathInRepo
+              value: task/gitea-set-status/0.1/gitea-set-status.yaml
+        params:
+          - name: CONTEXT
+            value: "$(params.JOB_NAME)"
+          - name: REPO_FULL_NAME
+            value: "$(params.REPO_OWNER)/$(params.REPO_NAME)"
+          - name: GITEA_HOST_URL
+            value: code.fizz.buzz
+          - name: SHA
+            value: "$(tasks.fetch-repository.results.commit)"
+          - name: DESCRIPTION
+            value: "Build $(params.JOB_NAME) has failed"
+          - name: STATE
+            value: failure
+          - name: TARGET_URL
+            value: "https://tekton.fizz.buzz/#/namespaces/$(context.pipelineRun.namespace)/pipelineruns/$(context.pipelineRun.name)"
+    workspaces:
+      - name: git-source
+  workspaces:
+    - name: git-source
+      volumeClaimTemplate:
+        spec:
+          storageClassName: "local-path"
+          accessModes:
+            - ReadWriteOnce
+          resources:
+            requests:
+              storage: 10Gi
+      subPath: source
+  params: []

.webhook_bridge/webhook_bridge.toml

@@ -0,0 +1,31 @@
+version = "0.0.1"
+
+[[push]]
+  name = "rust-test"
+  source = "pipeline-rust-test.yaml"
+  clone_uri = "git@code.fizz.buzz:talexander/webhook_bridge.git"
+  skip_branches = [ "^v[0-9]+\\.[0-9]+\\.[0-9]+$" ]
+
+[[push]]
+  name = "clippy"
+  source = "pipeline-rust-clippy.yaml"
+  clone_uri = "git@code.fizz.buzz:talexander/webhook_bridge.git"
+  skip_branches = [ "^v[0-9]+\\.[0-9]+\\.[0-9]+$" ]
+
+[[push]]
+  name = "format"
+  source = "pipeline-format.yaml"
+  clone_uri = "git@code.fizz.buzz:talexander/webhook_bridge.git"
+  skip_branches = [ "^v[0-9]+\\.[0-9]+\\.[0-9]+$" ]
+
+[[push]]
+  name = "semver"
+  source = "pipeline-semver.yaml"
+  clone_uri = "git@code.fizz.buzz:talexander/webhook_bridge.git"
+  branches = [ "^main$", "^master$" ]
+
+[[push]]
+  name = "build"
+  source = "pipeline-build-semver.yaml"
+  clone_uri = "git@code.fizz.buzz:talexander/webhook_bridge.git"
+  branches = [ "^v[0-9]+\\.[0-9]+\\.[0-9]+$" ]

Cargo.toml

@@ -17,14 +17,42 @@ include = [
   "Cargo.lock"
 ]
 
+[lib]
+name = "webhookbridge"
+path = "src/lib.rs"
+
+[[bin]]
+  name = "webhook_bridge"
+  path = "src/main.rs"
+
+[[bin]]
+  # This bin exists for development purposes only. The real target of this crate is the webhook_bridge server binary.
+  name = "local_trigger"
+  path = "src/bin_local_trigger.rs"
+  required-features = ["local_trigger"]
+
+[features]
+default = ["local_trigger"]
+local_trigger = []
+
 [dependencies]
-# default form, http1, json, matched-path, original-uri, query, tokio, tower-log, tracing
+axum = { version = "0.7.5", default-features = false, features = ["tokio", "http1", "json"] }
-axum = { version = "0.7.5", default-features = false, features = ["tokio", "http1", "http2", "json"] }
+base64 = "0.22.1"
+hmac = "0.12.1"
+http-body-util = "0.1.2"
+k8s-openapi = { version = "0.22.0", default-features = false, features = ["v1_30"] }
+kube = { version = "0.92.1", default-features = false, features = ["client", "config", "rustls-tls", "derive", "runtime"] }
+regex = "1.10.6"
+reqwest = "0.12.5"
+schemars = "0.8.21"
 serde = { version = "1.0.204", features = ["derive"] }
-tokio = { version = "1.38.0", default-features = false, features = ["macros", "process", "rt", "rt-multi-thread"] }
+serde_json = { version = "1.0.120", default-features = false, features = ["std"] }
-# default attributes, std, tracing-attributes
+serde_yaml = "0.9.34"
+sha2 = "0.10.8"
+tokio = { version = "1.38.0", default-features = false, features = ["macros", "process", "rt-multi-thread", "signal"] }
+toml = { version = "0.8.19", default-features = false, features = ["display", "parse"] }
+tower-http = { version = "0.5.2", default-features = false, features = ["trace", "timeout"] }
 tracing = { version = "0.1.40", default-features = false, features = ["attributes", "std", "tracing-attributes", "async-await"] }
-# default alloc, ansi, fmt, nu-ansi-term, registry, sharded-slab, smallvec, std, thread_local, tracing-log
 tracing-subscriber = { version = "0.3.18", default-features = false, features = ["alloc", "ansi", "fmt", "nu-ansi-term", "registry", "sharded-slab", "smallvec", "std", "thread_local", "tracing-log", "env-filter"] }
 
 [profile.release-lto]

Makefile

@@ -0,0 +1,36 @@
+SHELL := bash
+.ONESHELL:
+.SHELLFLAGS := -eu -o pipefail -c
+.DELETE_ON_ERROR:
+MAKEFLAGS += --warn-undefined-variables
+MAKEFLAGS += --no-builtin-rules
+OS:=$(shell uname -s)
+
+ifeq ($(origin .RECIPEPREFIX), undefined)
+  $(error This Make does not support .RECIPEPREFIX. Please use GNU Make 4.0 or later)
+endif
+.RECIPEPREFIX = >
+
+.PHONY: help
+help:
+> @grep -h "##" $(MAKEFILE_LIST) | grep -v grep | sed -E 's/^([^:]*): *## */\1:  /'
+
+.PHONY: test
+test: ## Run the rust tests
+> $(MAKE) -C docker/webhook_bridge_development build
+> docker run --rm -i -t --mount type=tmpfs,destination=/tmp -v "$(shell readlink -f .):/source" --workdir=/source --env CARGO_TARGET_DIR=/target -v "webhook-bridge-cargo-registry:/usr/local/cargo/registry" -v "webhook-bridge-rust-target:/target" webhook-bridge-development cargo test
+
+.PHONY: clippy
+clippy: ## Run static analysis of the code.
+> $(MAKE) -C docker/webhook_bridge_development build
+> docker run --rm -i -t --mount type=tmpfs,destination=/tmp -v "$(shell readlink -f .):/source" --workdir=/source --env CARGO_TARGET_DIR=/target -v "webhook-bridge-cargo-registry:/usr/local/cargo/registry" -v "webhook-bridge-rust-target:/target" webhook-bridge-development cargo clippy --no-deps --all-targets --all-features -- -D warnings
+
+.PHONY: format
+format: ## Auto-format source files.
+> $(MAKE) -C docker/webhook_bridge_development build
+> docker run --rm -i -t --mount type=tmpfs,destination=/tmp -v "$(shell readlink -f .):/source" --workdir=/source --env CARGO_TARGET_DIR=/target -v "webhook-bridge-cargo-registry:/usr/local/cargo/registry" -v "webhook-bridge-rust-target:/target" webhook-bridge-development cargo fmt
+
+.PHONY: clean
+clean:
+> $(MAKE) -C docker/webhook_bridge_development clean
+> rm -rf target

docker/webhook_bridge/Dockerfile

@@ -0,0 +1,18 @@
+# syntax=docker/dockerfile:1
+ARG ALPINE_VERSION="3.20"
+
+FROM rustlang/rust:nightly-alpine$ALPINE_VERSION AS builder
+
+RUN apk add --no-cache musl-dev pkgconfig libressl-dev
+
+RUN mkdir /source
+WORKDIR /source
+COPY --link . .
+# TODO: Add static build, which currently errors due to proc_macro. RUSTFLAGS="-C target-feature=+crt-static"
+RUN --mount=type=tmpfs,target=/tmp --mount=type=cache,target=/usr/local/cargo/registry,sharing=locked CARGO_TARGET_DIR=/target cargo build --profile release-lto --bin webhook_bridge
+
+FROM alpine:$ALPINE_VERSION AS runner
+
+COPY --link --from=builder /target/release-lto/webhook_bridge /usr/bin/
+
+ENTRYPOINT ["/usr/bin/webhook_bridge"]

docker/webhook_bridge/Makefile

@@ -0,0 +1,31 @@
+SHELL := bash
+.ONESHELL:
+.SHELLFLAGS := -eu -o pipefail -c
+.DELETE_ON_ERROR:
+MAKEFLAGS += --warn-undefined-variables
+MAKEFLAGS += --no-builtin-rules
+
+ifeq ($(origin .RECIPEPREFIX), undefined)
+  $(error This Make does not support .RECIPEPREFIX. Please use GNU Make 4.0 or later)
+endif
+.RECIPEPREFIX = >
+
+IMAGE_NAME:=webhook-bridge
+TARGET :=
+
+.PHONY: help
+help:
+> @grep -h "##" $(MAKEFILE_LIST) | grep -v grep | sed -E 's/^([^:]*): *## */\1:  /'
+
+.PHONY: build
+build: ## Build the docker image.
+> docker build --tag $(IMAGE_NAME) --target=$(TARGET) --file Dockerfile ../../
+
+.PHONY: shell
+shell: ## Launch an interactive shell inside the docker image with the source repository mounted at /source.
+shell: build
+> docker run --rm -i -t --entrypoint /bin/sh --mount type=tmpfs,destination=/tmp $(IMAGE_NAME)
+
+.PHONY: clean
+clean:
+> docker rmi $(IMAGE_NAME)

docker/webhook_bridge_development/Dockerfile

@@ -0,0 +1,9 @@
+# syntax=docker/dockerfile:1
+ARG ALPINE_VERSION="3.20"
+
+FROM rustlang/rust:nightly-alpine$ALPINE_VERSION AS builder
+
+RUN apk add --no-cache musl-dev pkgconfig libressl3.8-libssl libressl-dev
+RUN --mount=type=tmpfs,target=/tmp --mount=type=cache,target=/usr/local/cargo/registry,sharing=locked cargo install --locked --no-default-features --features ci-autoclean cargo-cache
+RUN rustup component add rustfmt
+RUN rustup component add clippy

docker/webhook_bridge_development/Makefile

@@ -0,0 +1,35 @@
+SHELL := bash
+.ONESHELL:
+.SHELLFLAGS := -eu -o pipefail -c
+.DELETE_ON_ERROR:
+MAKEFLAGS += --warn-undefined-variables
+MAKEFLAGS += --no-builtin-rules
+
+ifeq ($(origin .RECIPEPREFIX), undefined)
+  $(error This Make does not support .RECIPEPREFIX. Please use GNU Make 4.0 or later)
+endif
+.RECIPEPREFIX = >
+
+IMAGE_NAME:=webhook-bridge-development
+TARGET :=
+
+.PHONY: help
+help:
+> @grep -h "##" $(MAKEFILE_LIST) | grep -v grep | sed -E 's/^([^:]*): *## */\1:  /'
+
+.PHONY: build
+build: ## Build the docker image.
+> docker build --tag $(IMAGE_NAME) --target=$(TARGET) --file Dockerfile .
+> docker volume create webhook-bridge-cargo-registry
+> docker volume create webhook-bridge-rust-target
+
+.PHONY: shell
+shell: ## Launch an interactive shell inside the docker image with the source repository mounted at /source.
+shell: build
+> docker run --rm -i -t --entrypoint /bin/sh --mount type=tmpfs,destination=/tmp -v "$$(readlink -f ../../):/source" --workdir=/source --env CARGO_TARGET_DIR=/target -v "webhook-bridge-cargo-registry:/usr/local/cargo/registry" $(IMAGE_NAME)
+
+.PHONY: clean
+clean:
+> docker rmi $(IMAGE_NAME)
+> docker volume rm webhook-bridge-cargo-registry
+> docker volume rm webhook-bridge-rust-target

list_files_curl.bash

@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+curl -vv -H "Authorization: token $(cat /bridge/git/mrmanager/k8s/webhook-bridge/secrets/webhook-bridge/webhook-bridge/OAUTH_TOKEN)" 'https://code.fizz.buzz/api/v1/repos/talexander/organic/git/trees/841a348dd02f31ee8828f069b2a948712369069d?recursive=true&per_page=10&page=60'

local_payload.json

@@ -0,0 +1,177 @@
+{
+  "ref": "refs/tags/v0.0.19",
+  "before": "0000000000000000000000000000000000000000",
+  "after": "3f2bdda8cb81fae6072c139f1f3f3123493a5b87",
+  "compare_url": "https://code.fizz.buzz/talexander/webhook_bridge/compare/0000000000000000000000000000000000000000...3f2bdda8cb81fae6072c139f1f3f3123493a5b87",
+  "commits": [],
+  "total_commits": 0,
+  "head_commit": {
+    "id": "3f2bdda8cb81fae6072c139f1f3f3123493a5b87",
+    "message": "Add support for new fields in payload.\n",
+    "url": "https://code.fizz.buzz/talexander/webhook_bridge/commit/3f2bdda8cb81fae6072c139f1f3f3123493a5b87",
+    "author": {
+      "name": "Tom Alexander",
+      "email": "tom@fizz.buzz",
+      "username": ""
+    },
+    "committer": {
+      "name": "Tom Alexander",
+      "email": "tom@fizz.buzz",
+      "username": ""
+    },
+    "verification": null,
+    "timestamp": "2025-02-08T20:58:55-05:00",
+    "added": [
+      "rust-toolchain.toml"
+    ],
+    "removed": [],
+    "modified": [
+      "run.bash",
+      "src/hook_push.rs"
+    ]
+  },
+  "repository": {
+    "id": 21,
+    "owner": {
+      "id": 1,
+      "login": "talexander",
+      "login_name": "",
+      "source_id": 0,
+      "full_name": "",
+      "email": "gitea@local.domain",
+      "avatar_url": "https://code.fizz.buzz/avatars/9d402a89b5a0786f83c1b8c5486fc7ff3d083a54fe20e55c0a776a1932c30289",
+      "html_url": "https://code.fizz.buzz/talexander",
+      "language": "",
+      "is_admin": false,
+      "last_login": "0001-01-01T00:00:00Z",
+      "created": "2023-07-05T22:03:28Z",
+      "restricted": false,
+      "active": false,
+      "prohibit_login": false,
+      "location": "",
+      "website": "",
+      "description": "",
+      "visibility": "public",
+      "followers_count": 0,
+      "following_count": 0,
+      "starred_repos_count": 0,
+      "username": "talexander"
+    },
+    "name": "webhook_bridge",
+    "full_name": "talexander/webhook_bridge",
+    "description": "A server that receives webhooks from gitea and fires off Tekton jobs in response.",
+    "empty": false,
+    "private": false,
+    "fork": false,
+    "template": false,
+    "parent": null,
+    "mirror": false,
+    "size": 168,
+    "language": "",
+    "languages_url": "https://code.fizz.buzz/api/v1/repos/talexander/webhook_bridge/languages",
+    "html_url": "https://code.fizz.buzz/talexander/webhook_bridge",
+    "url": "https://code.fizz.buzz/api/v1/repos/talexander/webhook_bridge",
+    "link": "",
+    "ssh_url": "git@code.fizz.buzz:talexander/webhook_bridge.git",
+    "clone_url": "https://code.fizz.buzz/talexander/webhook_bridge.git",
+    "original_url": "",
+    "website": "",
+    "stars_count": 0,
+    "forks_count": 0,
+    "watchers_count": 1,
+    "open_issues_count": 0,
+    "open_pr_counter": 0,
+    "release_counter": 0,
+    "default_branch": "main",
+    "archived": false,
+    "created_at": "2024-07-14T18:48:52Z",
+    "updated_at": "2025-02-09T02:12:22Z",
+    "archived_at": "1970-01-01T00:00:00Z",
+    "permissions": {
+      "admin": true,
+      "push": true,
+      "pull": true
+    },
+    "has_issues": true,
+    "internal_tracker": {
+      "enable_time_tracker": true,
+      "allow_only_contributors_to_track_time": true,
+      "enable_issue_dependencies": true
+    },
+    "has_wiki": false,
+    "has_pull_requests": true,
+    "has_projects": false,
+    "projects_mode": "all",
+    "has_releases": true,
+    "has_packages": false,
+    "has_actions": false,
+    "ignore_whitespace_conflicts": false,
+    "allow_merge_commits": true,
+    "allow_rebase": true,
+    "allow_rebase_explicit": true,
+    "allow_squash_merge": true,
+    "allow_fast_forward_only_merge": false,
+    "allow_rebase_update": true,
+    "default_delete_branch_after_merge": false,
+    "default_merge_style": "merge",
+    "default_allow_maintainer_edit": false,
+    "avatar_url": "",
+    "internal": false,
+    "mirror_interval": "",
+    "object_format_name": "sha1",
+    "mirror_updated": "0001-01-01T00:00:00Z",
+    "repo_transfer": null,
+    "topics": null,
+    "licenses": null
+  },
+  "pusher": {
+    "id": 2,
+    "login": "build-bot",
+    "login_name": "",
+    "source_id": 0,
+    "full_name": "",
+    "email": "build-bot@noreply.code.fizz.buzz",
+    "avatar_url": "https://code.fizz.buzz/avatars/e39ef2faba8a3dfb3dcb4d8275a532d4",
+    "html_url": "https://code.fizz.buzz/build-bot",
+    "language": "",
+    "is_admin": false,
+    "last_login": "0001-01-01T00:00:00Z",
+    "created": "2023-07-09T04:25:44Z",
+    "restricted": false,
+    "active": false,
+    "prohibit_login": false,
+    "location": "",
+    "website": "",
+    "description": "",
+    "visibility": "private",
+    "followers_count": 0,
+    "following_count": 0,
+    "starred_repos_count": 0,
+    "username": "build-bot"
+  },
+  "sender": {
+    "id": 2,
+    "login": "build-bot",
+    "login_name": "",
+    "source_id": 0,
+    "full_name": "",
+    "email": "build-bot@noreply.code.fizz.buzz",
+    "avatar_url": "https://code.fizz.buzz/avatars/e39ef2faba8a3dfb3dcb4d8275a532d4",
+    "html_url": "https://code.fizz.buzz/build-bot",
+    "language": "",
+    "is_admin": false,
+    "last_login": "0001-01-01T00:00:00Z",
+    "created": "2023-07-09T04:25:44Z",
+    "restricted": false,
+    "active": false,
+    "prohibit_login": false,
+    "location": "",
+    "website": "",
+    "description": "",
+    "visibility": "private",
+    "followers_count": 0,
+    "following_count": 0,
+    "starred_repos_count": 0,
+    "username": "build-bot"
+  }
+}

run.bash

@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+RUST_LOG=webhook_bridge=DEBUG WEBHOOK_BRIDGE_API_ROOT="https://code.fizz.buzz/api" WEBHOOK_BRIDGE_HMAC_SECRET=$(cat /bridge/git/mrmanager/k8s/webhook_bridge/secrets/webhook-bridge/webhook-bridge/HMAC_TOKEN) WEBHOOK_BRIDGE_OAUTH_TOKEN=$(cat /bridge/git/mrmanager/k8s/webhook_bridge/secrets/webhook-bridge/webhook-bridge/OAUTH_TOKEN) WEBHOOK_BRIDGE_REPO_WHITELIST="talexander/webhook_bridge,talexander/homepage,talexander/natter,talexander/poudboot,talexander/ta_waybar_pipewire,talexander/organic" cargo run

rust-toolchain.toml

@@ -0,0 +1,4 @@
+[toolchain]
+channel = "nightly"
+profile = "default"
+components = ["clippy", "rustfmt"]

rustfmt.toml

@@ -0,0 +1,14 @@
+imports_granularity = "Item"
+group_imports = "StdExternalCrate"
+
+# In rustfmt 2.0 I will want to adjust these settings.
+#
+# max_width controls the max length of a line before rustfmt gives up
+# but that also scales the length of a bunch of other lines
+# automaticaly due to width_heuristics. I want to find a way to enable
+# rustfmt to work on longer lines when necessary without making my
+# regular code too wide.
+#
+# max_width = 100
+# error_on_line_overflow = true
+# width_heuristics = "Off"

src/app_state.rs

@@ -0,0 +1,7 @@
+use std::collections::HashSet;
+use std::sync::Arc;
+
+#[derive(Clone)]
+pub(crate) struct AppState {
+    pub(crate) allowed_repos: Arc<HashSet<String>>,
+}

src/bin_local_trigger.rs

@@ -0,0 +1,12 @@
+#![forbid(unsafe_code)]
+use webhookbridge::init_tracing;
+use webhookbridge::local_trigger;
+
+const EXAMPLE_WEBHOOK_PAYLOAD: &str = include_str!("../local_payload.json");
+
+#[tokio::main]
+#[allow(clippy::needless_return)]
+async fn main() -> Result<(), Box<dyn std::error::Error>> {
+    init_tracing().await?;
+    local_trigger(EXAMPLE_WEBHOOK_PAYLOAD).await
+}

src/crd_pipeline_run.rs

@@ -0,0 +1,53 @@
+use kube::CustomResource;
+use schemars::JsonSchema;
+use serde::Deserialize;
+use serde::Serialize;
+use serde_json::Value;
+
+/// A single execution of a Pipeline.
+#[derive(CustomResource, Serialize, Deserialize, Clone, Debug, JsonSchema)]
+#[kube(
+    group = "tekton.dev",
+    version = "v1",
+    kind = "PipelineRun",
+    singular = "pipelinerun",
+    plural = "pipelineruns"
+)]
+#[kube(namespaced)]
+#[serde(deny_unknown_fields)]
+pub(crate) struct PipelineRunSpec {
+    /// Contents of the Pipeline
+    #[serde(
+        rename = "pipelineSpec",
+        default,
+        skip_serializing_if = "Option::is_none"
+    )]
+    pub(crate) pipeline_spec: Option<Value>,
+
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub(crate) timeouts: Option<Value>,
+
+    #[serde(
+        rename = "taskRunTemplate",
+        default,
+        skip_serializing_if = "Option::is_none"
+    )]
+    pub(crate) task_run_template: Option<Value>,
+
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub(crate) workspaces: Option<Value>,
+
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub(crate) params: Option<Vec<PipelineParam>>,
+}
+
+#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema)]
+#[serde(deny_unknown_fields)]
+pub(crate) struct PipelineParam {
+    /// Contents of the Pipeline
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub(crate) name: Option<String>,
+
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub(crate) value: Option<Value>,
+}

src/discovery.rs

@@ -0,0 +1,105 @@
+use std::path::Path;
+use std::path::PathBuf;
+
+use regex::Regex;
+use tracing::debug;
+
+use crate::crd_pipeline_run::PipelineRun;
+use crate::gitea_client::GiteaClient;
+use crate::gitea_client::Tree;
+use crate::remote_config::RemoteConfig;
+
+pub(crate) async fn discover_webhook_bridge_config(
+    gitea: &GiteaClient,
+    repo_tree: &Tree,
+) -> Result<RemoteConfig, Box<dyn std::error::Error>> {
+    let remote_config_reference = repo_tree
+        .files
+        .iter()
+        .find(|file_reference| file_reference.path == ".webhook_bridge/webhook_bridge.toml")
+        .ok_or("File not found in remote repo: .webhook_bridge/webhook_bridge.toml.")?;
+
+    let remote_config_contents =
+        String::from_utf8(gitea.read_file(remote_config_reference).await?)?;
+    let parsed_remote_config = RemoteConfig::from_str(remote_config_contents)?;
+
+    Ok(parsed_remote_config)
+}
+
+pub(crate) async fn discover_matching_push_triggers<RE: AsRef<str>>(
+    gitea: &GiteaClient,
+    repo_tree: &Tree,
+    git_ref: RE,
+    remote_config: &RemoteConfig,
+) -> Result<Vec<PipelineTemplate>, Box<dyn std::error::Error>> {
+    let mut ret = Vec::new();
+    let ref_to_branch_regex = Regex::new(r"refs/(heads|tags)/(?P<branch>.+)")?;
+    let captures = ref_to_branch_regex
+        .captures(git_ref.as_ref())
+        .ok_or("Could not find branch name.")?;
+    let branch = &captures["branch"];
+    debug!("Detected branch from push as {:?}", branch);
+
+    let push_triggers = remote_config.get_push_triggers_for_branch(branch)?;
+    for trigger in push_triggers {
+        let path_to_source = normalize_path(Path::new(".webhook_bridge").join(&trigger.source));
+        let pipeline_template = repo_tree
+            .files
+            .iter()
+            .find(|file_reference| Path::new(&file_reference.path) == path_to_source.as_path())
+            .ok_or("Trigger source not found in remote repo.")?;
+        let pipeline_contents = String::from_utf8(gitea.read_file(pipeline_template).await?)?;
+        debug!("Pipeline template contents: {}", pipeline_contents);
+
+        let pipeline: PipelineRun = serde_yaml::from_str(&pipeline_contents)?;
+        ret.push(PipelineTemplate::new(
+            trigger.name.clone(),
+            trigger.clone_uri.clone(),
+            pipeline,
+        ));
+    }
+
+    Ok(ret)
+}
+
+fn normalize_path<P: AsRef<Path>>(path: P) -> PathBuf {
+    let mut ret = PathBuf::new();
+
+    for component in path.as_ref().components() {
+        match component {
+            // Prefix does not happen on unix-based systems.
+            std::path::Component::Prefix(_)
+            | std::path::Component::RootDir
+            | std::path::Component::Normal(_) => {
+                ret.push(component);
+            }
+            std::path::Component::CurDir => {}
+            std::path::Component::ParentDir => {
+                ret.pop();
+            }
+        }
+    }
+
+    ret
+}
+
+#[derive(Debug)]
+pub(crate) struct PipelineTemplate {
+    pub(crate) name: String,
+    pub(crate) clone_uri: Option<String>,
+    pub(crate) pipeline: PipelineRun,
+}
+
+impl PipelineTemplate {
+    pub(crate) fn new<N: Into<String>, C: Into<Option<String>>>(
+        name: N,
+        clone_uri: C,
+        pipeline: PipelineRun,
+    ) -> PipelineTemplate {
+        PipelineTemplate {
+            name: name.into(),
+            clone_uri: clone_uri.into(),
+            pipeline,
+        }
+    }
+}

src/gitea_client/error.rs

@@ -0,0 +1,27 @@
+use std::error::Error;
+
+#[derive(Debug, Clone)]
+pub(crate) enum GiteaClientError {
+    #[allow(dead_code)]
+    Static(#[allow(dead_code)] &'static str),
+    #[allow(dead_code)]
+    String(#[allow(dead_code)] String),
+    NoTotalCountHeaderInResponse,
+}
+
+impl std::fmt::Display for GiteaClientError {
+    fn fmt(&self, f: &mut std::fmt::Formatter) -> std::fmt::Result {
+        match self {
+            GiteaClientError::Static(s) => write!(f, "GiteaClientError: {}", s),
+            GiteaClientError::String(s) => write!(f, "GiteaClientError: {}", s),
+            GiteaClientError::NoTotalCountHeaderInResponse => {
+                write!(
+                    f,
+                    "GiteaClientError: No x-total-count header returned in gitea response.",
+                )
+            }
+        }
+    }
+}
+
+impl Error for GiteaClientError {}

src/gitea_client/mod.rs

@@ -0,0 +1,178 @@
+use base64::engine::general_purpose;
+use base64::Engine as _;
+use serde::Deserialize;
+use tracing::debug;
+
+use self::error::GiteaClientError;
+pub(crate) mod error;
+
+#[derive(Debug, Clone)]
+pub(crate) struct GiteaClient {
+    api_root: String,
+    token: String,
+    http_client: reqwest::Client,
+}
+
+impl GiteaClient {
+    pub(crate) fn new<R: Into<String>, T: Into<String>>(api_root: R, token: T) -> GiteaClient {
+        GiteaClient {
+            api_root: api_root.into(),
+            token: token.into(),
+            http_client: reqwest::Client::new(),
+        }
+    }
+
+    pub(crate) async fn get_tree<O: AsRef<str>, R: AsRef<str>, C: AsRef<str>>(
+        &self,
+        owner: O,
+        repo: R,
+        commit: C,
+    ) -> Result<Tree, Box<dyn std::error::Error>> {
+        let mut files = Vec::new();
+        let mut page: Option<u64> = None;
+        let mut num_responses: u64 = 0;
+        loop {
+            let url = format!(
+                "{api_root}/v1/repos/{owner}/{repo}/git/trees/{commit}?recursive=true&per_page=100{page}",
+                api_root = self.api_root,
+                owner = owner.as_ref(),
+                repo = repo.as_ref(),
+                commit = commit.as_ref(),
+                page = page.map(|num| format!("&page={}", num)).unwrap_or_default()
+            );
+            let response = self
+                .http_client
+                .get(url)
+                .header("Authorization", format!("token {}", self.token))
+                .send()
+                .await?;
+            let response = response.error_for_status()?;
+            let total_count = response
+                .headers()
+                .get("x-total-count")
+                .ok_or(GiteaClientError::NoTotalCountHeaderInResponse)?
+                .to_str()?
+                .parse::<u64>()?;
+            if num_responses == 0 {
+                files.reserve(total_count as usize);
+            }
+
+            let body = response.text().await?;
+            let parsed_body: ResponseGetTree = serde_json::from_str(body.as_str())?;
+            num_responses += parsed_body.tree.len() as u64;
+
+            files.extend(parsed_body.tree.into_iter().map(|response_object| {
+                TreeFileReference::new(response_object.path, response_object.url)
+            }));
+
+            if num_responses >= total_count {
+                break;
+            }
+
+            page = Some(parsed_body.page + 1);
+        }
+        Ok(Tree::new(files))
+    }
+
+    pub(crate) async fn read_file(
+        &self,
+        file_reference: &TreeFileReference,
+    ) -> Result<Vec<u8>, Box<dyn std::error::Error>> {
+        let response = self
+            .http_client
+            .get(&file_reference.url)
+            .header("Authorization", format!("token {}", self.token))
+            .send()
+            .await?;
+        let response = response.error_for_status()?;
+        let body = response.text().await?;
+        debug!("read_file response: {}", body);
+        let parsed_body: ResponseReadFile = serde_json::from_str(body.as_str())?;
+        assert!(
+            parsed_body.encoding == "base64",
+            "We currently only support base64 file encoding from gitea."
+        );
+        Ok(general_purpose::STANDARD.decode(parsed_body.content)?)
+    }
+}
+
+/// A single API response for GetTree containing only one page.
+#[derive(Debug, Deserialize)]
+#[serde(deny_unknown_fields)]
+struct ResponseGetTree {
+    #[allow(dead_code)]
+    sha: String,
+
+    #[allow(dead_code)]
+    url: String,
+    tree: Vec<ResponseObjectReference>,
+
+    #[allow(dead_code)]
+    truncated: bool,
+    page: u64,
+
+    #[allow(dead_code)]
+    total_count: u64,
+}
+
+#[derive(Debug, Deserialize)]
+#[serde(deny_unknown_fields)]
+struct ResponseObjectReference {
+    path: String,
+
+    #[allow(dead_code)]
+    mode: String,
+
+    #[allow(dead_code)]
+    #[serde(rename = "type")]
+    object_type: String,
+
+    #[allow(dead_code)]
+    size: u64,
+
+    #[allow(dead_code)]
+    sha: String,
+    url: String,
+}
+
+#[derive(Debug)]
+pub(crate) struct Tree {
+    pub(crate) files: Vec<TreeFileReference>,
+}
+
+#[derive(Debug)]
+pub(crate) struct TreeFileReference {
+    pub(crate) path: String,
+    pub(crate) url: String,
+}
+
+impl Tree {
+    pub(crate) fn new(files: Vec<TreeFileReference>) -> Tree {
+        Tree { files }
+    }
+}
+
+impl TreeFileReference {
+    pub(crate) fn new<P: Into<String>, U: Into<String>>(path: P, url: U) -> TreeFileReference {
+        TreeFileReference {
+            path: path.into(),
+            url: url.into(),
+        }
+    }
+}
+
+#[derive(Debug, Deserialize)]
+#[serde(deny_unknown_fields)]
+struct ResponseReadFile {
+    content: String,
+    encoding: String,
+
+    #[allow(dead_code)]
+    url: String,
+
+    #[allow(dead_code)]
+    sha: String,
+
+    #[allow(dead_code)]
+    size: u64,
+}

src/hook_push.rs

@@ -0,0 +1,200 @@
+use std::borrow::Cow;
+
+use regex::Regex;
+use serde::Deserialize;
+use serde_json::Value;
+
+#[allow(dead_code)]
+#[derive(Debug, Deserialize)]
+#[serde(deny_unknown_fields)]
+pub(crate) struct HookPush {
+    #[serde(rename = "ref")]
+    pub(crate) ref_field: String,
+    before: String,
+    after: String,
+    compare_url: String,
+    commits: Vec<HookCommit>,
+    total_commits: u64,
+    head_commit: HookCommit,
+    pub(crate) repository: HookRepository,
+    pusher: HookUser,
+    sender: HookUser,
+}
+
+#[allow(dead_code)]
+#[derive(Debug, Deserialize)]
+#[serde(deny_unknown_fields)]
+pub(crate) struct HookUser {
+    id: u64,
+    login: String,
+    login_name: String,
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    source_id: Option<u64>,
+    full_name: String,
+    email: String,
+    avatar_url: String,
+    html_url: String,
+    language: String,
+    is_admin: bool,
+    last_login: String, // TODO: parse to datetime
+    created: String,    // TODO: parse to datetime
+    restricted: bool,
+    active: bool,
+    prohibit_login: bool,
+    location: String,
+    website: String,
+    description: String,
+    visibility: String,
+    followers_count: u64,
+    following_count: u64,
+    starred_repos_count: u64,
+    username: String,
+}
+
+#[allow(dead_code)]
+#[derive(Debug, Deserialize)]
+#[serde(deny_unknown_fields)]
+pub(crate) struct HookRepository {
+    id: u64,
+    owner: HookUser,
+    name: String,
+    pub(crate) full_name: String,
+    description: String,
+    empty: bool,
+    private: bool,
+    fork: bool,
+    template: bool,
+    parent: Value, // Was null in test hook
+    mirror: bool,
+    size: u64,
+    language: String,
+    languages_url: String,
+    html_url: String,
+    url: String,
+    link: String,
+    ssh_url: String,
+    clone_url: String,
+    original_url: String,
+    website: String,
+    stars_count: u64,
+    forks_count: u64,
+    watchers_count: u64,
+    open_issues_count: u64,
+    open_pr_counter: u64,
+    release_counter: u64,
+    default_branch: String,
+    archived: bool,
+    created_at: String,  // TODO: parse to datetime
+    updated_at: String,  // TODO: parse to datetime
+    archived_at: String, // TODO: parse to datetime
+    permissions: HookRepositoryPermissions,
+    has_issues: bool,
+    internal_tracker: HookRepositoryInternalTracker,
+    has_wiki: bool,
+    has_pull_requests: bool,
+    has_projects: bool,
+    projects_mode: String,
+    has_releases: bool,
+    has_packages: bool,
+    has_actions: bool,
+    ignore_whitespace_conflicts: bool,
+    allow_merge_commits: bool,
+    allow_rebase: bool,
+    allow_rebase_explicit: bool,
+    allow_squash_merge: bool,
+    allow_fast_forward_only_merge: bool,
+    allow_rebase_update: bool,
+    default_delete_branch_after_merge: bool,
+    default_merge_style: String,
+    default_allow_maintainer_edit: bool,
+    avatar_url: String,
+    internal: bool,
+    mirror_interval: String,
+    object_format_name: String,
+    mirror_updated: String, // TODO: parse to datetime
+    repo_transfer: Value,   // Was null in test hook
+    topics: Value,          // Was null in test hook
+    licenses: Value,        // Was null in test hook
+}
+
+#[allow(dead_code)]
+#[derive(Debug, Deserialize)]
+#[serde(deny_unknown_fields)]
+pub(crate) struct HookRepositoryPermissions {
+    admin: bool,
+    push: bool,
+    pull: bool,
+}
+
+#[allow(dead_code)]
+#[derive(Debug, Deserialize)]
+#[serde(deny_unknown_fields)]
+pub(crate) struct HookRepositoryInternalTracker {
+    enable_time_tracker: bool,
+    allow_only_contributors_to_track_time: bool,
+    enable_issue_dependencies: bool,
+}
+
+#[allow(dead_code)]
+#[derive(Debug, Deserialize)]
+#[serde(deny_unknown_fields)]
+pub(crate) struct HookCommit {
+    id: String,
+    message: String,
+    url: String,
+    author: HookGitUser,
+    committer: HookGitUser,
+    verification: Value, // Was null in test hook
+    timestamp: String,   // TODO: parse to datetime
+    added: Vec<String>,
+    removed: Vec<String>,
+    modified: Vec<String>,
+}
+
+#[allow(dead_code)]
+#[derive(Debug, Deserialize)]
+#[serde(deny_unknown_fields)]
+pub(crate) struct HookGitUser {
+    name: String,
+    email: String,
+    username: String,
+}
+
+pub(crate) trait PipelineParamters {
+    fn get_pull_base_ref(&self) -> Result<Cow<str>, Box<dyn std::error::Error>>;
+
+    fn get_pull_base_sha(&self) -> Result<Cow<str>, Box<dyn std::error::Error>>;
+
+    fn get_repo_url(&self) -> Result<Cow<str>, Box<dyn std::error::Error>>;
+
+    fn get_repo_name(&self) -> Result<Cow<str>, Box<dyn std::error::Error>>;
+
+    fn get_repo_owner(&self) -> Result<Cow<str>, Box<dyn std::error::Error>>;
+}
+
+impl PipelineParamters for HookPush {
+    fn get_pull_base_ref(&self) -> Result<Cow<str>, Box<dyn std::error::Error>> {
+        let ref_to_branch_regex = Regex::new(r"refs/(heads|tags)/(?P<branch>.+)")?;
+        let captures = ref_to_branch_regex
+            .captures(self.ref_field.as_str())
+            .ok_or("Could not find branch name.")?;
+        let branch = &captures["branch"];
+        Ok(Cow::Owned(branch.to_owned()))
+    }
+
+    fn get_pull_base_sha(&self) -> Result<Cow<str>, Box<dyn std::error::Error>> {
+        Ok(Cow::Borrowed(self.after.as_str()))
+    }
+
+    fn get_repo_url(&self) -> Result<Cow<str>, Box<dyn std::error::Error>> {
+        Ok(Cow::Borrowed(self.repository.clone_url.as_str()))
+    }
+
+    fn get_repo_name(&self) -> Result<Cow<str>, Box<dyn std::error::Error>> {
+        Ok(Cow::Borrowed(self.repository.name.as_str()))
+    }
+
+    fn get_repo_owner(&self) -> Result<Cow<str>, Box<dyn std::error::Error>> {
+        Ok(Cow::Borrowed(self.repository.owner.username.as_str()))
+    }
+}

src/kubernetes.rs

@@ -0,0 +1,125 @@
+use std::borrow::Borrow;
+use std::borrow::Cow;
+
+use kube::api::PostParams;
+use kube::Api;
+use kube::CustomResourceExt;
+use regex::Regex;
+use tracing::debug;
+use tracing::info;
+
+use crate::crd_pipeline_run::PipelineParam;
+use crate::crd_pipeline_run::PipelineRun;
+use crate::discovery::PipelineTemplate;
+use crate::hook_push::HookPush;
+use crate::hook_push::PipelineParamters;
+
+pub(crate) async fn run_pipelines(
+    hook: HookPush,
+    pipelines: Vec<PipelineTemplate>,
+    kubernetes_client: kube::Client,
+) -> Result<(), Box<dyn std::error::Error>> {
+    // let jobs: Api<PipelineRun> = Api::namespaced(kubernetes_client, "webhook-bridge");
+    let jobs: Api<PipelineRun> = Api::default_namespaced(kubernetes_client);
+    tracing::debug!("Using crd: {}", serde_json::to_string(&PipelineRun::crd())?);
+
+    for mut pipeline in pipelines {
+        info!(
+            "Kicking off {} for repo {}/{}",
+            pipeline.name,
+            hook.get_repo_owner()?,
+            hook.get_repo_name()?,
+        );
+        if pipeline.pipeline.spec.params.is_none() {
+            pipeline.pipeline.spec.params = Some(Vec::new());
+        }
+        if let Some(param_list) = pipeline.pipeline.spec.params.as_mut() {
+            param_list.push(PipelineParam {
+                name: Some("JOB_NAME".to_owned()),
+                value: Some(serde_json::Value::String(pipeline.name.clone())),
+            });
+            param_list.push(PipelineParam {
+                name: Some("REPO_OWNER".to_owned()),
+                value: Some(serde_json::Value::String(
+                    hook.get_repo_owner()?.into_owned(),
+                )),
+            });
+            param_list.push(PipelineParam {
+                name: Some("REPO_NAME".to_owned()),
+                value: Some(serde_json::Value::String(
+                    hook.get_repo_name()?.into_owned(),
+                )),
+            });
+            let hook_repo_url = hook.get_repo_url()?;
+            param_list.push(PipelineParam {
+                name: Some("REPO_URL".to_owned()),
+                value: pipeline
+                    .clone_uri
+                    .map(serde_json::Value::String)
+                    .or_else(|| Some(serde_json::Value::String(hook_repo_url.into_owned()))),
+            });
+            param_list.push(PipelineParam {
+                name: Some("PULL_BASE_SHA".to_owned()),
+                value: Some(serde_json::Value::String(
+                    hook.get_pull_base_sha()?.into_owned(),
+                )),
+            });
+            param_list.push(PipelineParam {
+                name: Some("PULL_BASE_REF".to_owned()),
+                value: Some(serde_json::Value::String(
+                    hook.get_pull_base_ref()?.into_owned(),
+                )),
+            });
+        }
+        if pipeline.pipeline.metadata.generate_name.is_none()
+            && pipeline.pipeline.metadata.name.is_some()
+        {
+            std::mem::swap(
+                &mut pipeline.pipeline.metadata.generate_name,
+                &mut pipeline.pipeline.metadata.name,
+            );
+            if let Some(ref mut name) = pipeline.pipeline.metadata.generate_name {
+                let mut new_name_stub = sanitize_kubernetes_identifier(format!(
+                    "{}-{}-{}",
+                    name,
+                    hook.get_repo_name()?,
+                    hook.get_repo_owner()?
+                ))?
+                .into_owned();
+                new_name_stub.truncate(63);
+                (*name) = new_name_stub + "-";
+                debug!("Using generate name: {}", name);
+            }
+        }
+        let pp = PostParams::default();
+        let created_run = jobs.create(&pp, &pipeline.pipeline).await?;
+        info!("Created PipelineRun {:?}", created_run.metadata.name);
+    }
+
+    Ok(())
+}
+
+fn sanitize_kubernetes_identifier<'a, O: Into<Cow<'a, str>>>(
+    original: O,
+) -> Result<Cow<'a, str>, Box<dyn std::error::Error>> {
+    let validate_identifier_regex =
+        Regex::new(r"[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*")?;
+    let original = original.into();
+    if !validate_identifier_regex.is_match(original.borrow()) {
+        return Ok(original);
+    }
+
+    let mut clean_identifier = String::with_capacity(original.len());
+    for c in original.chars() {
+        match c {
+            'a'..='z' | 'A'..='Z' | '0'..='9' | '.' | '-' => {
+                clean_identifier.push(c);
+            }
+            _ => {
+                clean_identifier.push('-');
+            }
+        };
+    }
+
+    Ok(Cow::Owned(clean_identifier))
+}

src/lib.rs

@@ -0,0 +1,136 @@
+#![forbid(unsafe_code)]
+use std::collections::HashSet;
+use std::sync::Arc;
+use std::time::Duration;
+
+use axum::http::StatusCode;
+use axum::middleware;
+use axum::routing::get;
+use axum::routing::post;
+use axum::Json;
+use axum::Router;
+use kube::Client;
+use serde::Serialize;
+use tokio::signal;
+use tower_http::timeout::TimeoutLayer;
+use tower_http::trace::TraceLayer;
+use tracing_subscriber::layer::SubscriberExt;
+use tracing_subscriber::util::SubscriberInitExt;
+
+use self::app_state::AppState;
+use self::gitea_client::GiteaClient;
+use self::hook_push::HookPush;
+use self::webhook::handle_push;
+use self::webhook::hook;
+use self::webhook::verify_signature;
+
+mod app_state;
+mod crd_pipeline_run;
+mod discovery;
+mod gitea_client;
+mod hook_push;
+mod kubernetes;
+mod remote_config;
+mod webhook;
+
+pub async fn init_tracing() -> Result<(), Box<dyn std::error::Error>> {
+    tracing_subscriber::registry()
+        .with(
+            tracing_subscriber::EnvFilter::try_from_default_env().unwrap_or_else(|_| {
+                "webhookbridge=info,webhook_bridge=info,local_trigger=info,tower_http=debug,axum::rejection=trace"
+                    .into()
+            }),
+        )
+        .with(tracing_subscriber::fmt::layer())
+        .init();
+    Ok(())
+}
+
+pub async fn launch_server() -> Result<(), Box<dyn std::error::Error>> {
+    let allowed_repos = std::env::var("WEBHOOK_BRIDGE_REPO_WHITELIST")?;
+    let allowed_repos: HashSet<_> = allowed_repos
+        .split(",")
+        .filter(|s| !s.is_empty())
+        .map(str::to_owned)
+        .collect();
+    tracing::debug!("Using repo whitelist: {:?}", allowed_repos);
+
+    let app = Router::new()
+        .route("/hook", post(hook))
+        .layer(middleware::from_fn(verify_signature))
+        .route("/health", get(health))
+        .layer((
+            TraceLayer::new_for_http(),
+            // Add a timeout layer so graceful shutdown can't wait forever.
+            TimeoutLayer::new(Duration::from_secs(600)),
+        ))
+        .with_state(AppState {
+            allowed_repos: Arc::new(allowed_repos),
+        });
+
+    let listener = tokio::net::TcpListener::bind("0.0.0.0:9988").await?;
+    tracing::info!("listening on {}", listener.local_addr().unwrap());
+    axum::serve(listener, app)
+        .with_graceful_shutdown(shutdown_signal())
+        .await?;
+    Ok(())
+}
+
+pub async fn local_trigger(payload: &str) -> Result<(), Box<dyn std::error::Error>> {
+    let kubernetes_client: Client = Client::try_default()
+        .await
+        .expect("Set KUBECONFIG to a valid kubernetes config.");
+
+    let gitea_api_root = std::env::var("WEBHOOK_BRIDGE_API_ROOT")?;
+    let gitea_api_token = std::env::var("WEBHOOK_BRIDGE_OAUTH_TOKEN")?;
+    let gitea = GiteaClient::new(gitea_api_root, gitea_api_token);
+
+    let allowed_repos = std::env::var("WEBHOOK_BRIDGE_REPO_WHITELIST")
+        .ok()
+        .unwrap_or_default();
+    let allowed_repos: HashSet<_> = allowed_repos
+        .split(",")
+        .filter(|s| !s.is_empty())
+        .map(str::to_owned)
+        .collect();
+    tracing::debug!("Using repo whitelist: {:?}", allowed_repos);
+
+    let webhook_payload: HookPush = serde_json::from_str(payload)?;
+
+    handle_push(gitea, kubernetes_client, &allowed_repos, webhook_payload).await?;
+
+    Ok(())
+}
+
+async fn shutdown_signal() {
+    let ctrl_c = async {
+        signal::ctrl_c()
+            .await
+            .expect("failed to install Ctrl+C handler");
+    };
+
+    #[cfg(unix)]
+    let terminate = async {
+        signal::unix::signal(signal::unix::SignalKind::terminate())
+            .expect("failed to install signal handler")
+            .recv()
+            .await;
+    };
+
+    #[cfg(not(unix))]
+    let terminate = std::future::pending::<()>();
+
+    tokio::select! {
+        _ = ctrl_c => {},
+        _ = terminate => {},
+    }
+}
+
+async fn health() -> (StatusCode, Json<HealthResponse>) {
+    (StatusCode::OK, Json(HealthResponse { ok: true }))
+}
+
+#[derive(Serialize)]
+struct HealthResponse {
+    ok: bool,
+}

src/main.rs

@@ -1,34 +1,10 @@
-use axum::http::StatusCode;
+#![forbid(unsafe_code)]
-use axum::routing::get;
+use webhookbridge::init_tracing;
-use axum::Json;
+use webhookbridge::launch_server;
-use axum::Router;
-use serde::Serialize;
-use tracing_subscriber::layer::SubscriberExt;
-use tracing_subscriber::util::SubscriberInitExt;
 
 #[tokio::main]
+#[allow(clippy::needless_return)]
 async fn main() -> Result<(), Box<dyn std::error::Error>> {
-    tracing_subscriber::registry()
+    init_tracing().await?;
-        .with(
+    launch_server().await
-            tracing_subscriber::EnvFilter::try_from_default_env().unwrap_or_else(|_| {
-                "webhook_bridge=info,tower_http=debug,axum::rejection=trace".into()
-            }),
-        )
-        .with(tracing_subscriber::fmt::layer())
-        .init();
-    let app = Router::new().route("/health", get(health));
-
-    let listener = tokio::net::TcpListener::bind("0.0.0.0:8080").await?;
-    tracing::info!("listening on {}", listener.local_addr().unwrap());
-    axum::serve(listener, app).await?;
-    Ok(())
-}
-
-async fn health() -> (StatusCode, Json<HealthResponse>) {
-    (StatusCode::OK, Json(HealthResponse { ok: true }))
-}
-
-#[derive(Serialize)]
-struct HealthResponse {
-    ok: bool,
 }

src/remote_config.rs

@@ -0,0 +1,73 @@
+use regex::Regex;
+use serde::Deserialize;
+use serde::Serialize;
+
+/// The webhook_bridge.toml file that lives inside repos that have their CI triggered by webhook_bridge.
+#[derive(Serialize, Deserialize, Clone, Debug)]
+#[serde(deny_unknown_fields)]
+pub(crate) struct RemoteConfig {
+    pub(crate) version: String,
+
+    #[serde(default, skip_serializing_if = "Vec::is_empty")]
+    pub(crate) push: Vec<TriggerPush>,
+}
+
+/// A config for a job that is triggered by a push to a git repo.
+#[derive(Serialize, Deserialize, Clone, Debug)]
+#[serde(deny_unknown_fields)]
+pub(crate) struct TriggerPush {
+    pub(crate) name: String,
+    pub(crate) source: String,
+
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub(crate) clone_uri: Option<String>,
+
+    #[serde(default, skip_serializing_if = "Vec::is_empty")]
+    pub(crate) branches: Vec<String>,
+
+    #[serde(default, skip_serializing_if = "Vec::is_empty")]
+    pub(crate) skip_branches: Vec<String>,
+}
+
+impl RemoteConfig {
+    pub(crate) fn from_str<S: AsRef<str>>(
+        contents: S,
+    ) -> Result<RemoteConfig, Box<dyn std::error::Error>> {
+        let parsed_remote_config: RemoteConfig = toml::from_str(contents.as_ref())?;
+        assert!(
+            parsed_remote_config.version == "0.0.1",
+            "We only support version 0.0.1 currently."
+        );
+        Ok(parsed_remote_config)
+    }
+
+    pub(crate) fn get_push_triggers_for_branch<B: AsRef<str>>(
+        &self,
+        branch: B,
+    ) -> Result<Vec<&TriggerPush>, Box<dyn std::error::Error>> {
+        let branch = branch.as_ref();
+        let mut ret = Vec::new();
+        for push in &self.push {
+            let skip_regex: Vec<_> = push
+                .skip_branches
+                .iter()
+                .map(|s| Regex::new(s.as_str()))
+                .collect::<Result<_, _>>()?;
+            if skip_regex.iter().any(|r| r.is_match(branch)) {
+                continue;
+            }
+
+            let match_regex: Vec<_> = push
+                .branches
+                .iter()
+                .map(|s| Regex::new(s.as_str()))
+                .collect::<Result<_, _>>()?;
+            if !push.branches.is_empty() && !match_regex.iter().any(|r| r.is_match(branch)) {
+                continue;
+            }
+
+            ret.push(push);
+        }
+        Ok(ret)
+    }
+}

src/webhook.rs

@@ -0,0 +1,233 @@
+use std::borrow::Borrow;
+use std::collections::HashSet;
+use std::future::Future;
+
+use axum::async_trait;
+use axum::body::Body;
+use axum::body::Bytes;
+use axum::extract::FromRequest;
+use axum::extract::Request;
+use axum::extract::State;
+use axum::http::HeaderMap;
+use axum::http::StatusCode;
+use axum::middleware::Next;
+use axum::response::IntoResponse;
+use axum::response::Response;
+use axum::Json;
+use axum::RequestExt;
+use base64::engine::general_purpose;
+use base64::Engine as _;
+use hmac::Hmac;
+use hmac::Mac;
+use http_body_util::BodyExt;
+use serde::Serialize;
+use sha2::Sha256;
+use tracing::debug;
+
+use crate::app_state::AppState;
+use crate::discovery::discover_matching_push_triggers;
+use crate::discovery::discover_webhook_bridge_config;
+use crate::gitea_client::GiteaClient;
+use crate::hook_push::HookPush;
+use crate::hook_push::PipelineParamters;
+use crate::kubernetes::run_pipelines;
+
+type HmacSha256 = Hmac<Sha256>;
+
+pub(crate) async fn hook(
+    _headers: HeaderMap,
+    State(state): State<AppState>,
+    payload: HookRequest,
+) -> (StatusCode, Json<HookResponse>) {
+    debug!("REQ: {:?}", payload);
+    match payload {
+        HookRequest::Push(webhook_payload) => {
+            let kubernetes_client: kube::Client = kube::Client::try_default()
+                .await
+                .expect("Set KUBECONFIG to a valid kubernetes config.");
+
+            let gitea_api_root = std::env::var("WEBHOOK_BRIDGE_API_ROOT");
+            let gitea_api_token = std::env::var("WEBHOOK_BRIDGE_OAUTH_TOKEN");
+            let (gitea_api_root, gitea_api_token) = match (gitea_api_root, gitea_api_token) {
+                (Ok(r), Ok(t)) => (r, t),
+                _ => {
+                    return (
+                        StatusCode::OK,
+                        Json(HookResponse {
+                            ok: true,
+                            message: None,
+                        }),
+                    );
+                }
+            };
+            let gitea = GiteaClient::new(gitea_api_root, gitea_api_token);
+
+            let push_result = handle_push(
+                gitea,
+                kubernetes_client,
+                state.allowed_repos.borrow(),
+                webhook_payload,
+            )
+            .await;
+            match push_result {
+                Ok(_) => (
+                    StatusCode::OK,
+                    Json(HookResponse {
+                        ok: true,
+                        message: None,
+                    }),
+                ),
+                Err(_) => (
+                    // StatusCode::INTERNAL_SERVER_ERROR,
+                    StatusCode::OK,
+                    Json(HookResponse {
+                        ok: false,
+                        message: Some("Failed to handle push event.".to_string()),
+                    }),
+                ),
+            }
+        }
+        HookRequest::Unrecognized(payload) => (
+            // StatusCode::BAD_REQUEST,
+            StatusCode::OK,
+            Json(HookResponse {
+                ok: false,
+                message: Some(format!("unrecognized event type: {payload}")),
+            }),
+        ),
+    }
+}
+
+#[derive(Debug)]
+pub(crate) enum HookRequest {
+    Push(HookPush),
+    Unrecognized(String),
+}
+
+#[async_trait]
+impl<S> FromRequest<S> for HookRequest
+where
+    S: Send + Sync,
+{
+    type Rejection = Response;
+
+    async fn from_request(req: Request, _state: &S) -> Result<Self, Self::Rejection> {
+        let event_type = req
+            .headers()
+            .get("X-Gitea-Event-Type")
+            .ok_or(StatusCode::UNSUPPORTED_MEDIA_TYPE.into_response())?;
+        let event_type = event_type
+            .to_str()
+            .map_err(|_| StatusCode::UNSUPPORTED_MEDIA_TYPE.into_response())?;
+        match event_type {
+            "push" => {
+                let Json(payload): Json<HookPush> =
+                    req.extract().await.map_err(IntoResponse::into_response)?;
+                Ok(HookRequest::Push(payload))
+            }
+            _ => Ok(HookRequest::Unrecognized(event_type.to_owned())),
+        }
+    }
+}
+
+#[derive(Debug, Serialize)]
+pub(crate) struct HookResponse {
+    ok: bool,
+    message: Option<String>,
+}
+
+pub(crate) async fn verify_signature(
+    request: Request,
+    next: Next,
+) -> Result<impl IntoResponse, Response> {
+    let signature = request
+        .headers()
+        .get("X-Gitea-Signature")
+        .ok_or(StatusCode::BAD_REQUEST.into_response())?;
+    let signature = signature
+        .to_str()
+        .map_err(|_| StatusCode::BAD_REQUEST.into_response())?;
+    let signature = hex_to_bytes(signature).ok_or(StatusCode::BAD_REQUEST.into_response())?;
+    let secret = std::env::var("WEBHOOK_BRIDGE_HMAC_SECRET")
+        .map_err(|err| (StatusCode::INTERNAL_SERVER_ERROR, err.to_string()).into_response())?;
+
+    let request =
+        inspect_request_body(request, move |body| check_hash(body, secret, signature)).await?;
+
+    Ok(next.run(request).await)
+}
+
+async fn inspect_request_body<F, Fut>(request: Request, inspector: F) -> Result<Request, Response>
+where
+    F: FnOnce(Bytes) -> Fut,
+    Fut: Future<Output = Result<Bytes, Response>>,
+{
+    let (parts, body) = request.into_parts();
+
+    let bytes = body
+        .collect()
+        .await
+        .map_err(|err| (StatusCode::INTERNAL_SERVER_ERROR, err.to_string()).into_response())?
+        .to_bytes();
+
+    let bytes = inspector(bytes).await?;
+
+    Ok(Request::from_parts(parts, Body::from(bytes)))
+}
+
+async fn check_hash(body: Bytes, secret: String, signature: Vec<u8>) -> Result<Bytes, Response> {
+    tracing::debug!("Checking signature {:02x?}", signature.as_slice());
+    // tracing::info!("Using secret {:?}", secret);
+    tracing::debug!("and body {}", general_purpose::STANDARD.encode(&body));
+    let mut mac = HmacSha256::new_from_slice(secret.as_bytes())
+        .map_err(|e| (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()).into_response())?;
+    mac.update(&body);
+    mac.verify_slice(&signature)
+        .map_err(|e| (StatusCode::UNAUTHORIZED, e.to_string()).into_response())?;
+    Ok(body)
+}
+
+fn hex_to_bytes(s: &str) -> Option<Vec<u8>> {
+    if s.len() % 2 == 0 {
+        (0..s.len())
+            .step_by(2)
+            .map(|i| {
+                s.get(i..i + 2)
+                    .and_then(|sub| u8::from_str_radix(sub, 16).ok())
+            })
+            .collect()
+    } else {
+        None
+    }
+}
+
+pub(crate) async fn handle_push(
+    gitea: GiteaClient,
+    kubernetes_client: kube::Client,
+    allowed_repos: &HashSet<String>,
+    webhook_payload: HookPush,
+) -> Result<(), Box<dyn std::error::Error>> {
+    let repo_owner = webhook_payload.get_repo_owner()?;
+    let repo_name = webhook_payload.get_repo_name()?;
+    let pull_base_sha = webhook_payload.get_pull_base_sha()?;
+    if !allowed_repos.contains(&webhook_payload.repository.full_name) {
+        tracing::info!(
+            "{} is not an allowed repository.",
+            webhook_payload.repository.full_name
+        );
+        return Ok(());
+    }
+    let repo_tree = gitea.get_tree(repo_owner, repo_name, pull_base_sha).await?;
+    let remote_config = discover_webhook_bridge_config(&gitea, &repo_tree).await?;
+    let pipelines = discover_matching_push_triggers(
+        &gitea,
+        &repo_tree,
+        &webhook_payload.ref_field,
+        &remote_config,
+    )
+    .await?;
+
+    run_pipelines(webhook_payload, pipelines, kubernetes_client).await?;
+
+    Ok(())
+}