As evidenced in #10, I can send arbitrary triggers to the webhook without authentication or verification. GitHub apparently sends an X-Hub-Signature header using a secret which could possibly be used to verify the webhook sender and payload.
Agreed. I decided not to check this because the behaviour is a tightly limited set, but there is no harm in preventing arbitrary execution of that set.
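One way to perform the check discussed in this thread, as an added example that is not this project's own code: recompute the HMAC of the raw request body with the shared secret and compare it, in constant time, to the `X-Hub-Signature` header (`sha1=<hex>`), preferring GitHub's newer `X-Hub-Signature-256` header when it is present. The function names, secret and payload below are constructed for illustration.

```python
import hashlib
import hmac

# Header name -> digest algorithm, strongest first. GitHub sends
# "sha1=<hex>" in X-Hub-Signature and "sha256=<hex>" in X-Hub-Signature-256.
SIGNATURE_HEADERS = {"x-hub-signature-256": "sha256", "x-hub-signature": "sha1"}

# Constructed sample values (not taken from the page).
SAMPLE_SECRET = b"constructed-test-secret"
SAMPLE_BODY = b'{"ref":"refs/heads/main"}'


def sign(secret: bytes, raw_body: bytes, algo: str = "sha1") -> str:
    """Build the header value a legitimate sender would attach."""
    digest = hmac.new(secret, raw_body, getattr(hashlib, algo)).hexdigest()
    return f"{algo}={digest}"


def verify_webhook(secret: bytes, headers: dict, raw_body: bytes) -> bool:
    """Return True only if a signature header matches HMAC(secret, raw_body).

    raw_body must be the exact bytes received, before any JSON parsing,
    because re-serialising the payload changes the digest.
    """
    if not secret:
        return False  # fail closed: never validate against an empty secret
    lowered = {k.lower(): v for k, v in headers.items()}
    for header, algo in SIGNATURE_HEADERS.items():
        value = lowered.get(header)
        if value is None:
            continue
        prefix, _, sent_hex = value.partition("=")
        if prefix != algo or not sent_hex:
            return False  # malformed value or unexpected algorithm
        expected = sign(secret, raw_body, algo).partition("=")[2]
        # Compare as bytes so non-ASCII input cannot raise, and in
        # constant time so the digest cannot be guessed byte by byte.
        return hmac.compare_digest(
            expected.encode(), sent_hex.strip().lower().encode("utf-8", "replace")
        )
    return False  # unsigned request: reject


if __name__ == "__main__":
    good = {"X-Hub-Signature": sign(SAMPLE_SECRET, SAMPLE_BODY)}
    print("signed request accepted:", verify_webhook(SAMPLE_SECRET, good, SAMPLE_BODY))
    print("unsigned request accepted:", verify_webhook(SAMPLE_SECRET, {}, SAMPLE_BODY))
```

A handler would call `verify_webhook` before acting on any trigger and answer with an error status when it returns `False`.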