Add DRONE_WEBHOOK_SECRET for GitHub webhook authentication

Fixes webhook signature validation failures causing 400 errors.
2026-02-01 20:42:07 +00:00 · 2026-02-01 20:42:07 +00:00 · 29567103d6
commit 29567103d6
parent 4a857ebefd
4 changed files with 9 additions and 0 deletions
--- a/main.tf
+++ b/main.tf
@ -37,6 +37,7 @@ variable "dbaas_pgadmin_password" {}
 variable "drone_github_client_id" {}
 variable "drone_github_client_secret" {}
 variable "drone_rpc_secret" {}
+variable "drone_webhook_secret" {}
 variable "dockerhub_registry_password" {}
 variable "oauth2_proxy_client_id" {}
 variable "oauth2_proxy_client_secret" {}
@ -442,6 +443,7 @@ module "kubernetes_cluster" {
  drone_github_client_id     = var.drone_github_client_id
  drone_github_client_secret = var.drone_github_client_secret
  drone_rpc_secret           = var.drone_rpc_secret
+  drone_webhook_secret       = var.drone_webhook_secret

  # Oauth proxy
  oauth2_proxy_client_id            = var.oauth2_proxy_client_id
--- a/modules/kubernetes/drone/main.tf
+++ b/modules/kubernetes/drone/main.tf
@ -3,6 +3,7 @@ variable "tier" { type = string }
 variable "github_client_id" {}
 variable "github_client_secret" {}
 variable "rpc_secret" {}
+variable "webhook_secret" {}
 variable "server_host" {}
 variable "server_proto" {}
 variable "rpc_host" {
@ -98,6 +99,10 @@ resource "kubernetes_deployment" "drone_server" {
            name  = "DRONE_RPC_SECRET"
            value = var.rpc_secret
          }
+          env {
+            name  = "DRONE_WEBHOOK_SECRET"
+            value = var.webhook_secret
+          }
          env {
            name  = "DRONE_SERVER_HOST"
            value = var.server_host
--- a/modules/kubernetes/main.tf
+++ b/modules/kubernetes/main.tf
@ -22,6 +22,7 @@ variable "dbaas_pgadmin_password" {}
 variable "drone_github_client_id" {}
 variable "drone_github_client_secret" {}
 variable "drone_rpc_secret" {}
+variable "drone_webhook_secret" {}
 variable "oauth2_proxy_client_id" {}
 variable "oauth2_proxy_client_secret" {}
 variable "oauth2_proxy_authenticated_emails" {}
@ -220,6 +221,7 @@ module "drone" {
  github_client_id     = var.drone_github_client_id
  github_client_secret = var.drone_github_client_secret
  rpc_secret           = var.drone_rpc_secret
+  webhook_secret       = var.drone_webhook_secret
  server_host          = "drone.viktorbarzin.me"
  server_proto         = "https"
  tier                 = local.tiers.edge
--- a/terraform.tfvars
+++ b/terraform.tfvars