The secret is used to sign the webhook so you can verify the signature to ensure you know the webhook came from GitHub. If an attacker were to learn or guess the secret, they would be able to create fake events and sign them with the same secret, so you would think they came from GitHub. They would not, however, get access to receive your webhooks.
The secret is used to sign the webhook so you can verify the signature to ensure you know the webhook came from GitHub. If an attacker were to learn or guess the secret, they would be able to create fake events and sign them with the same secret, so you would think they came from GitHub. They would not, however, get access to receive your webhooks.