[FEAT]: Support hot-swapping of webhook secrets #261

Closed
1 task done
dbartol opened this issue May 1, 2023 · 1 comment · May be fixed by #262
Labels: Status: Stale (Used by stalebot to clean house); Status: Up for grabs (Issues that are ready to be worked on by anyone); Type: Feature (New feature or request)

dbartol commented May 1, 2023

Describe the need

In my GitHub app, I have a couple different situations in which I'd like to support changing the webhook secret without restarting my service:

Initial configuration

Instances of my app are deployed via the GitHub App flow, where I create a new GitHub App from a manifest. When I first deploy a new instance of my service, it hasn't been registered as a GitHub app yet, so I don't yet know its webhook secret. Therefore, it should not accept any webhooks yet. Once the app registration is complete, though, I obtain the webhook secret for the new app, and I'd like to start accepting webhooks validated against that secret.

Secret rotation

I'd like to rotate my webhook secret periodically, or at least allow for a situation where my secret has been compromised and I need to manually change it. With the current code, I'd have to at least restart every service instance in my cluster just to update the secret. In addition, there could be webhooks already in flight for the old key, and I'd like to have a short period where I accept webhook requests that are signed with either the old or the new secret.

I'll open an initial PR shortly. As a bonus, I'll take care of existing issue #24, since I have to make changes to the validation code anyway.

SDK Version

No response

API Version

No response

Relevant log output

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct
@dbartol dbartol added Status: Triage This is being looked at and prioritized Type: Feature New feature or request labels May 1, 2023
@JamieMagee JamieMagee added Status: Up for grabs Issues that are ready to be worked on by anyone and removed Status: Triage This is being looked at and prioritized labels May 5, 2023
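
The two situations in the request (no secret until registration completes, then rotation with a short window in which either secret is accepted) can be sketched as follows. This is an added example, not code from this project or from the linked PR; it assumes GitHub's `X-Hub-Signature-256` header format (`sha256=` followed by the hex HMAC-SHA256 of the raw body), and the names `RotatingWebhookSecret`, `sign`, `grace_seconds` and `clock` are hypothetical.

```python
import hashlib
import hmac
import threading
import time


def sign(secret: bytes, body: bytes) -> str:
    """Value GitHub sends in X-Hub-Signature-256 for this secret and raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


class RotatingWebhookSecret:
    """Hypothetical holder: current secret plus the previous one for a grace period."""
    def __init__(self, grace_seconds=300.0, clock=time.monotonic):
        self._lock = threading.Lock()
        self._grace, self._clock = grace_seconds, clock
        self._current = None  # None until app registration completes: reject everything
        self._previous, self._previous_expires = None, 0.0

    def set_secret(self, secret: bytes) -> None:
        """Hot-swap the secret; the old one stays valid until the grace period ends."""
        if not secret:
            raise ValueError("empty webhook secret")
        with self._lock:
            if self._current is not None and self._current != secret:
                self._previous = self._current
                self._previous_expires = self._clock() + self._grace
            self._current = secret

    def revoke_previous(self) -> None:
        """Drop the old secret immediately, for the compromised-secret case."""
        with self._lock:
            self._previous = None

    def _active(self):
        with self._lock:
            if self._previous is not None and self._clock() >= self._previous_expires:
                self._previous = None
            return [s for s in (self._current, self._previous) if s is not None]

    def verify(self, body: bytes, signature_header: str) -> bool:
        """True if the header matches the body under any currently accepted secret."""
        if not signature_header or not signature_header.startswith("sha256="):
            return False
        ok = False
        for secret in self._active():
            # Constant-time compare, and no early exit between candidate secrets.
            ok |= hmac.compare_digest(sign(secret, body).encode(), signature_header.encode())
        return ok
```

The verifier must be given the raw request bytes, since re-serialized JSON will not reproduce the signed body.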

👋 Hey Friends, this issue has been automatically marked as stale because it has no recent activity. It will be closed if no further activity occurs. Please add the Status: Pinned label if you feel that this issue needs to remain open/active. Thank you for your contributions and help in keeping things tidy!

@github-actions github-actions bot added the Status: Stale Used by stalebot to clean house label Jan 31, 2024
@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Feb 8, 2024