(wip) lib: add github webhook

lib/github/default.nix

@@ -1,5 +1,6 @@
 utils:
 utils.importer "github" [
+  ./githubWebhook.nix
   ./mkGithubJobsets.nix
   ./mkGithubProject.nix
   ./mkGithubStatus.nix

lib/github/githubWebhook.nix

@@ -0,0 +1,38 @@
+utils: lib: let
+  inherit
+    (lib)
+    eachSystem
+    ;
+in {
+  githubWebhook = eachSystem (system: let
+    pkgs = utils.pkgs.${system};
+  in
+    pkgs.writeShellApplication {
+      name = "action";
+      runtimeInputs = [
+        pkgs.curl
+        pkgs.gnused
+        pkgs.jq
+        pkgs.openssl
+      ];
+      text = ''
+        input=$(cat)
+
+        headers=$(echo "$input" | jq '.input.headers')
+        body=$(echo "$input" | jq '.input.body' -r)
+        secret=$(echo "$input" | jq '.secrets.github_webhook_secret' -r)
+
+        event=$(echo "$headers" | jq '."X-GitHub-Event"' -r)
+        [ "$event" == "push" ] || exit 0
+
+        signatureSent=$(echo "$headers" | jq '."X-Hub-Signature-256"')
+        signatureComputed=$(echo -n "$body" | openssl dgst -sha256 -hmac "$secret" -binary | base64 -w 0)
+        [ "$signatureSent" == "$signatureComputed" ]
+
+        echo null | jq --argjson body "$body" '[]
+          | if $body.created or $body.deleted then . + [{"command":"UpdateJobsets"}] else . end
+          | if $body.deleted | not then . + [{"command":"EvaluateJobset","jobset":$body.ref|split("/")|.[2]}] else . end
+          | .'
+      '';
+    });
+}

lib/github/mkGithubProject.nix

@@ -5,6 +5,7 @@ _: lib: let
     ;
   inherit
     (lib.github)
+    githubWebhook
     mkGithubJobsets
     mkGithubStatus
     ;
@@ -23,6 +24,7 @@ in {
         jobsets = mkGithubJobsets {inherit owner repo;};
         begin = mkGithubStatus {inherit owner repo;};
         end = mkGithubStatus {inherit owner repo;};
+        webhook = githubWebhook;
       };
       inherit secrets;
     };