Implement GitHub webhook signature validation

[TooAngel]

Summary

Currently the GitHub webhook endpoint at accepts all webhook requests without validating they come from GitHub. This is a security risk as malicious actors could send fake webhook events.

Requirements

• Validate GitHub webhook signatures using HMAC-SHA256 and the GITHUB_WEBHOOK_SECRET environment variable
• Reject webhooks with invalid or missing signatures with HTTP 401
• Log security events for monitoring

Implementation Details

The webhook signature validation should:

1. Read the X-Hub-Signature-256 header from incoming webhook requests
2. Calculate HMAC-SHA256 of the request body using GITHUB_WEBHOOK_SECRET
3. Compare the calculated signature with the provided signature using constant-time comparison
4. Return HTTP 401 for invalid signatures before processing the webhook

Security Benefits

• Prevents webhook spoofing attacks
• Ensures webhook events are authentic GitHub requests
• Protects against unauthorized repository manipulation

Environment Variables

The GITHUB_WEBHOOK_SECRET environment variable is already configured in production.

Files to Modify

• src/index.js - Add signature validation middleware to /github endpoint
• Consider creating src/helpers/webhookSecurity.js for reusable validation logic

References

• GitHub Webhook Security Documentation