fix(webhook): harden security and reliability

- Require non-default WEBHOOK_SECRET\n- Strict main/master ref matching\n- Constant-time HMAC signature check\n- Limit request body and add server timeouts\n- Single-flight deploy lock; pass ref/commit to deploy.sh\n- deploy.sh deploys correct branch (main/master)

deploy.sh

@@ -8,6 +8,10 @@ set -e
 REPO_ROOT="/app"
 LOG_FILE="/tmp/billai_deploy.log"
 
+# 可由 webhook 传入：GIT_REF=refs/heads/main 或 refs/heads/master
+GIT_REF="${GIT_REF:-}"
+GIT_COMMIT="${GIT_COMMIT:-}"
+
 # 颜色输出
 RED='\033[0;31m'
 GREEN='\033[0;32m'
@@ -36,13 +40,39 @@ log "=========================================="
 cd "$REPO_ROOT" || error "无法进入仓库目录: $REPO_ROOT"
 log "📁 工作目录: $(pwd)"
 
+if [ -n "$GIT_REF" ]; then
+    log "🌿 触发分支: $GIT_REF"
+fi
+if [ -n "$GIT_COMMIT" ]; then
+    log "🧾 触发提交: ${GIT_COMMIT:0:7}"
+fi
+
 # 拉取最新代码
 log "📥 正在拉取最新代码..."
 if ! git fetch origin; then
     error "git fetch 失败"
 fi
 
-if ! git reset --hard origin/master; then
+# 选择部署分支（优先使用 webhook 传入的 ref）
+DEPLOY_BRANCH=""
+if [ "$GIT_REF" = "refs/heads/main" ]; then
+    DEPLOY_BRANCH="main"
+elif [ "$GIT_REF" = "refs/heads/master" ]; then
+    DEPLOY_BRANCH="master"
+fi
+
+# 兜底：按远端分支存在性选择（兼容仓库从 master 切到 main）
+if [ -z "$DEPLOY_BRANCH" ]; then
+    if git show-ref --verify --quiet refs/remotes/origin/main; then
+        DEPLOY_BRANCH="main"
+    else
+        DEPLOY_BRANCH="master"
+    fi
+fi
+
+log "🌿 部署分支: $DEPLOY_BRANCH"
+
+if ! git reset --hard "origin/$DEPLOY_BRANCH"; then
     error "git reset 失败"
 fi