GitHub webhook signature verifier.
HMAC-SHA256 over the raw request body, digest in the
X-Hub-Signature-256 header with a sha256= prefix. No timestamp
header — GitHub doesn't send one.
Registration config
secret_key (required) — the key name resolved via CredentialProvider.