Build using nix.

docker/webhook_bridge/Dockerfile

@@ -1,18 +1,36 @@
-# syntax=docker/dockerfile:1
+#
-ARG ALPINE_VERSION="3.20"
+# Builder
+#
 
-FROM rustlang/rust:nightly-alpine$ALPINE_VERSION AS builder
+FROM nixos/nix:latest AS builder
 
-RUN apk add --no-cache musl-dev pkgconfig libressl-dev
+COPY . /tmp/build
+WORKDIR /tmp/build
 
-RUN mkdir /source
+RUN nix \
-WORKDIR /source
+    --extra-experimental-features "nix-command flakes" \
-COPY --link . .
+    --option filter-syscalls false \
-# TODO: Add static build, which currently errors due to proc_macro. RUSTFLAGS="-C target-feature=+crt-static"
+    build '.#docker_env'
-RUN --mount=type=tmpfs,target=/tmp --mount=type=cache,target=/usr/local/cargo/registry,sharing=locked CARGO_TARGET_DIR=/target cargo build --profile release-lto --bin webhook_bridge
 
-FROM alpine:$ALPINE_VERSION AS runner
+# Export the built closure to a folder
+RUN mkdir /tmp/nix-store-closure
+RUN cp -R $(nix-store -qR result/) /tmp/nix-store-closure
+RUN ln -s $(readlink -f /tmp/build/result/bin/sh) /tmp/sh
 
-COPY --link --from=builder /target/release-lto/webhook_bridge /usr/bin/
 
-ENTRYPOINT ["/usr/bin/webhook_bridge"]
+
+#
+# Runner
+#
+
+FROM scratch
+
+WORKDIR /app
+
+ENV PATH="$PATH:/app/bin"
+
+COPY --from=builder /tmp/nix-store-closure /nix/store
+COPY --from=builder /tmp/build/result /app
+COPY --from=builder /tmp/sh /bin/sh
+EXPOSE 9988
+CMD ["/app/bin/webhook_bridge"]

flake.lock

@@ -0,0 +1,48 @@
+{
+  "nodes": {
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1777578337,
+        "narHash": "sha256-Ad49moKWeXtKBJNy2ebiTQUEgdLyvGmTeykAQ9xM+Z4=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "15f4ee454b1dce334612fa6843b3e05cf546efab",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "nixpkgs": "nixpkgs",
+        "rust-overlay": "rust-overlay"
+      }
+    },
+    "rust-overlay": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1777691680,
+        "narHash": "sha256-sdCAzrPAaKu+yo7L2pWddy5PN6U9bO++WEWc1zcr7aQ=",
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "rev": "4757db4358c77c1cbe878fa5990e6ea88d82f6b5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

flake.nix

@@ -0,0 +1,92 @@
+{
+  description = "webhook-bridge development environment";
+
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    rust-overlay = {
+      url = "github:oxalica/rust-overlay";
+      inputs = {
+        nixpkgs.follows = "nixpkgs";
+      };
+    };
+  };
+
+  outputs =
+    {
+      self,
+      nixpkgs,
+      rust-overlay,
+    }:
+    let
+      forAllSystems =
+        func:
+        builtins.listToAttrs (
+          map (system: {
+            name = system;
+            value = func system;
+          }) nixpkgs.lib.systems.flakeExposed
+        );
+    in
+    {
+      devShells = forAllSystems (
+        system:
+        let
+          overlays = [ (import rust-overlay) ];
+          pkgs = import nixpkgs {
+            inherit system overlays;
+          };
+          rustToolchain = pkgs.pkgsBuildHost.rust-bin.fromRustupToolchainFile ./rust-toolchain.toml;
+        in
+        {
+          default = pkgs.mkShell {
+            nativeBuildInputs = [
+              pkgs.pkg-config
+              rustToolchain
+              pkgs.openssl
+            ];
+            buildInputs = with pkgs; [
+              # sqlx-cli # For sqlx CLI to manage migrations
+              # sqlite # To access the database (sqlite is bundled into the together_alone binary but this is for manually accessing the db).
+            ];
+          };
+        }
+      );
+      packages = forAllSystems (
+        system:
+        let
+          overlays = [ (import rust-overlay) ];
+          pkgs = import nixpkgs {
+            inherit system overlays;
+          };
+          rustToolchain = pkgs.pkgsBuildHost.rust-bin.fromRustupToolchainFile ./rust-toolchain.toml;
+        in
+        rec {
+          app = pkgs.rustPlatform.buildRustPackage {
+            pname = "webhook-bridge";
+            version = "0.0.0";
+            src = ./.;
+
+            # If you have a Cargo.lock file, use this:
+            cargoLock.lockFile = ./Cargo.lock;
+
+            nativeBuildInputs = [
+              pkgs.pkg-config
+            ];
+            buildInputs = [
+              pkgs.openssl
+            ];
+          };
+          docker_env = pkgs.buildEnv {
+            name = "webhook-bridge";
+            paths = with pkgs; [
+              app
+              bash
+              uutils-coreutils-noprefix
+              # toybox # Smaller than uutils-coreutils?
+            ];
+          };
+          default = app;
+        }
+      );
+    };
+}

local_payload.json

@@ -1,14 +1,37 @@
 {
-  "ref": "refs/tags/v0.0.19",
+  "ref": "refs/heads/kubernetes",
-  "before": "0000000000000000000000000000000000000000",
+  "before": "e767de378a478fa41615cee71a9ba04830520d7d",
-  "after": "3f2bdda8cb81fae6072c139f1f3f3123493a5b87",
+  "after": "c83b8afd7910f25eb94d90325f3765b5d19900e4",
-  "compare_url": "https://code.fizz.buzz/talexander/webhook_bridge/compare/0000000000000000000000000000000000000000...3f2bdda8cb81fae6072c139f1f3f3123493a5b87",
+  "compare_url": "https://code.fizz.buzz/talexander/machine_setup/compare/e767de378a478fa41615cee71a9ba04830520d7d...c83b8afd7910f25eb94d90325f3765b5d19900e4",
-  "commits": [],
+  "commits": [
-  "total_commits": 0,
+    {
+      "id": "c83b8afd7910f25eb94d90325f3765b5d19900e4",
+      "message": "Delete images after 24 hours of being unused.\n",
+      "url": "https://code.fizz.buzz/talexander/machine_setup/commit/c83b8afd7910f25eb94d90325f3765b5d19900e4",
+      "author": {
+        "name": "Tom Alexander",
+        "email": "tom@fizz.buzz",
+        "username": ""
+      },
+      "committer": {
+        "name": "Tom Alexander",
+        "email": "tom@fizz.buzz",
+        "username": ""
+      },
+      "verification": null,
+      "timestamp": "2026-05-02T15:53:35-04:00",
+      "added": [],
+      "removed": [],
+      "modified": [
+        "nix/kubernetes/roles/kubelet/default.nix"
+      ]
+    }
+  ],
+  "total_commits": 1,
   "head_commit": {
-    "id": "3f2bdda8cb81fae6072c139f1f3f3123493a5b87",
+    "id": "c83b8afd7910f25eb94d90325f3765b5d19900e4",
-    "message": "Add support for new fields in payload.\n",
+    "message": "Delete images after 24 hours of being unused.\n",
-    "url": "https://code.fizz.buzz/talexander/webhook_bridge/commit/3f2bdda8cb81fae6072c139f1f3f3123493a5b87",
+    "url": "https://code.fizz.buzz/talexander/machine_setup/commit/c83b8afd7910f25eb94d90325f3765b5d19900e4",
     "author": {
       "name": "Tom Alexander",
       "email": "tom@fizz.buzz",
@@ -20,18 +43,15 @@
       "username": ""
     },
     "verification": null,
-    "timestamp": "2025-02-08T20:58:55-05:00",
+    "timestamp": "2026-05-02T15:53:35-04:00",
-    "added": [
+    "added": [],
-      "rust-toolchain.toml"
-    ],
     "removed": [],
     "modified": [
-      "run.bash",
+      "nix/kubernetes/roles/kubelet/default.nix"
-      "src/hook_push.rs"
     ]
   },
   "repository": {
-    "id": 21,
+    "id": 5,
     "owner": {
       "id": 1,
       "login": "talexander",
@@ -57,23 +77,22 @@
       "starred_repos_count": 0,
       "username": "talexander"
     },
-    "name": "webhook_bridge",
+    "name": "machine_setup",
-    "full_name": "talexander/webhook_bridge",
+    "full_name": "talexander/machine_setup",
-    "description": "A server that receives webhooks from gitea and fires off Tekton jobs in response.",
+    "description": "",
     "empty": false,
     "private": false,
     "fork": false,
     "template": false,
-    "parent": null,
     "mirror": false,
-    "size": 168,
+    "size": 9940,
     "language": "",
-    "languages_url": "https://code.fizz.buzz/api/v1/repos/talexander/webhook_bridge/languages",
+    "languages_url": "https://code.fizz.buzz/api/v1/repos/talexander/machine_setup/languages",
-    "html_url": "https://code.fizz.buzz/talexander/webhook_bridge",
+    "html_url": "https://code.fizz.buzz/talexander/machine_setup",
-    "url": "https://code.fizz.buzz/api/v1/repos/talexander/webhook_bridge",
+    "url": "https://code.fizz.buzz/api/v1/repos/talexander/machine_setup",
     "link": "",
-    "ssh_url": "git@code.fizz.buzz:talexander/webhook_bridge.git",
+    "ssh_url": "git@git.example.com:talexander/machine_setup.git",
-    "clone_url": "https://code.fizz.buzz/talexander/webhook_bridge.git",
+    "clone_url": "https://code.fizz.buzz/talexander/machine_setup.git",
     "original_url": "",
     "website": "",
     "stars_count": 0,
@@ -84,14 +103,15 @@
     "release_counter": 0,
     "default_branch": "main",
     "archived": false,
-    "created_at": "2024-07-14T18:48:52Z",
+    "created_at": "2023-07-05T22:53:26Z",
-    "updated_at": "2025-02-09T02:12:22Z",
+    "updated_at": "2026-05-02T19:53:11Z",
     "archived_at": "1970-01-01T00:00:00Z",
     "permissions": {
       "admin": true,
       "push": true,
       "pull": true
     },
+    "has_code": true,
     "has_issues": true,
     "internal_tracker": {
       "enable_time_tracker": true,
@@ -112,6 +132,8 @@
     "allow_squash_merge": true,
     "allow_fast_forward_only_merge": false,
     "allow_rebase_update": true,
+    "allow_manual_merge": false,
+    "autodetect_manual_merge": false,
     "default_delete_branch_after_merge": false,
     "default_merge_style": "merge",
     "default_allow_maintainer_edit": false,
@@ -120,58 +142,57 @@
     "mirror_interval": "",
     "object_format_name": "sha1",
     "mirror_updated": "0001-01-01T00:00:00Z",
-    "repo_transfer": null,
+    "topics": [],
-    "topics": null,
+    "licenses": []
-    "licenses": null
   },
   "pusher": {
-    "id": 2,
+    "id": 1,
-    "login": "build-bot",
+    "login": "talexander",
     "login_name": "",
     "source_id": 0,
     "full_name": "",
-    "email": "build-bot@noreply.code.fizz.buzz",
+    "email": "talexander@noreply.code.fizz.buzz",
-    "avatar_url": "https://code.fizz.buzz/avatars/e39ef2faba8a3dfb3dcb4d8275a532d4",
+    "avatar_url": "https://code.fizz.buzz/avatars/9d402a89b5a0786f83c1b8c5486fc7ff3d083a54fe20e55c0a776a1932c30289",
-    "html_url": "https://code.fizz.buzz/build-bot",
+    "html_url": "https://code.fizz.buzz/talexander",
     "language": "",
     "is_admin": false,
     "last_login": "0001-01-01T00:00:00Z",
-    "created": "2023-07-09T04:25:44Z",
+    "created": "2023-07-05T22:03:28Z",
     "restricted": false,
     "active": false,
     "prohibit_login": false,
     "location": "",
     "website": "",
     "description": "",
-    "visibility": "private",
+    "visibility": "public",
     "followers_count": 0,
     "following_count": 0,
     "starred_repos_count": 0,
-    "username": "build-bot"
+    "username": "talexander"
   },
   "sender": {
-    "id": 2,
+    "id": 1,
-    "login": "build-bot",
+    "login": "talexander",
     "login_name": "",
     "source_id": 0,
     "full_name": "",
-    "email": "build-bot@noreply.code.fizz.buzz",
+    "email": "talexander@noreply.code.fizz.buzz",
-    "avatar_url": "https://code.fizz.buzz/avatars/e39ef2faba8a3dfb3dcb4d8275a532d4",
+    "avatar_url": "https://code.fizz.buzz/avatars/9d402a89b5a0786f83c1b8c5486fc7ff3d083a54fe20e55c0a776a1932c30289",
-    "html_url": "https://code.fizz.buzz/build-bot",
+    "html_url": "https://code.fizz.buzz/talexander",
     "language": "",
     "is_admin": false,
     "last_login": "0001-01-01T00:00:00Z",
-    "created": "2023-07-09T04:25:44Z",
+    "created": "2023-07-05T22:03:28Z",
     "restricted": false,
     "active": false,
     "prohibit_login": false,
     "location": "",
     "website": "",
     "description": "",
-    "visibility": "private",
+    "visibility": "public",
     "followers_count": 0,
     "following_count": 0,
     "starred_repos_count": 0,
-    "username": "build-bot"
+    "username": "talexander"
   }
 }

run.bash

@@ -4,4 +4,4 @@ set -euo pipefail
 IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
-RUST_LOG=webhook_bridge=DEBUG WEBHOOK_BRIDGE_API_ROOT="https://code.fizz.buzz/api" WEBHOOK_BRIDGE_HMAC_SECRET=$(cat /bridge/git/mrmanager/k8s/webhook_bridge/secrets/webhook-bridge/webhook-bridge/HMAC_TOKEN) WEBHOOK_BRIDGE_OAUTH_TOKEN=$(cat /bridge/git/mrmanager/k8s/webhook_bridge/secrets/webhook-bridge/webhook-bridge/OAUTH_TOKEN) WEBHOOK_BRIDGE_REPO_WHITELIST="talexander/webhook_bridge,talexander/homepage,talexander/natter,talexander/poudboot,talexander/ta_waybar_pipewire,talexander/organic" cargo run
+exec env RUST_LOG=webhook_bridge=DEBUG WEBHOOK_BRIDGE_API_ROOT="https://code.fizz.buzz/api" WEBHOOK_BRIDGE_HMAC_SECRET=$(cat /bridge/git/mrmanager/k8s/webhook_bridge/secrets/webhook-bridge/webhook-bridge/HMAC_TOKEN) WEBHOOK_BRIDGE_OAUTH_TOKEN=$(cat /bridge/git/mrmanager/k8s/webhook_bridge/secrets/webhook-bridge/webhook-bridge/OAUTH_TOKEN) WEBHOOK_BRIDGE_REPO_WHITELIST="talexander/webhook_bridge,talexander/homepage,talexander/natter,talexander/poudboot,talexander/ta_waybar_pipewire,talexander/organic" cargo run "${@}"

src/hook_push.rs

@@ -6,7 +6,6 @@ use serde_json::Value;
 
 #[allow(dead_code)]
 #[derive(Debug, Deserialize)]
-#[serde(deny_unknown_fields)]
 pub(crate) struct HookPush {
     #[serde(rename = "ref")]
     pub(crate) ref_field: String,
@@ -23,7 +22,6 @@ pub(crate) struct HookPush {
 
 #[allow(dead_code)]
 #[derive(Debug, Deserialize)]
-#[serde(deny_unknown_fields)]
 pub(crate) struct HookUser {
     id: u64,
     login: String,
@@ -53,7 +51,6 @@ pub(crate) struct HookUser {
 
 #[allow(dead_code)]
 #[derive(Debug, Deserialize)]
-#[serde(deny_unknown_fields)]
 pub(crate) struct HookRepository {
     id: u64,
     owner: HookUser,
@@ -64,7 +61,6 @@ pub(crate) struct HookRepository {
     private: bool,
     fork: bool,
     template: bool,
-    parent: Value, // Was null in test hook
     mirror: bool,
     size: u64,
     language: String,
@@ -89,7 +85,8 @@ pub(crate) struct HookRepository {
     archived_at: String, // TODO: parse to datetime
     permissions: HookRepositoryPermissions,
     has_issues: bool,
-    internal_tracker: HookRepositoryInternalTracker,
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    internal_tracker: Option<HookRepositoryInternalTracker>,
     has_wiki: bool,
     has_pull_requests: bool,
     has_projects: bool,
@@ -112,14 +109,10 @@ pub(crate) struct HookRepository {
     mirror_interval: String,
     object_format_name: String,
     mirror_updated: String, // TODO: parse to datetime
-    repo_transfer: Value,   // Was null in test hook
-    topics: Value,          // Was null in test hook
-    licenses: Value,        // Was null in test hook
 }
 
 #[allow(dead_code)]
 #[derive(Debug, Deserialize)]
-#[serde(deny_unknown_fields)]
 pub(crate) struct HookRepositoryPermissions {
     admin: bool,
     push: bool,
@@ -128,7 +121,6 @@ pub(crate) struct HookRepositoryPermissions {
 
 #[allow(dead_code)]
 #[derive(Debug, Deserialize)]
-#[serde(deny_unknown_fields)]
 pub(crate) struct HookRepositoryInternalTracker {
     enable_time_tracker: bool,
     allow_only_contributors_to_track_time: bool,
@@ -137,7 +129,6 @@ pub(crate) struct HookRepositoryInternalTracker {
 
 #[allow(dead_code)]
 #[derive(Debug, Deserialize)]
-#[serde(deny_unknown_fields)]
 pub(crate) struct HookCommit {
     id: String,
     message: String,
@@ -153,7 +144,6 @@ pub(crate) struct HookCommit {
 
 #[allow(dead_code)]
 #[derive(Debug, Deserialize)]
-#[serde(deny_unknown_fields)]
 pub(crate) struct HookGitUser {
     name: String,
     email: String,