github: support multiple webhook secrets

[ubiratansoares]

Added this support to beter manage github webhook updates minimizing the impact.

Kept the envvar name for the sake of simplicity.

[marcoieni]

AI suggestion:

Trim each secret and reject empty entries to guard against trailing commas and accidental whitespace:

for secret in gh_webhook_secrets.split(',') {
    let secret = secret.trim();
    if secret.is_empty() {
        // or also consider failing to avoid misconfigurations
        continue;
    }
    let mut mac = Hmac::<Sha256>::new_from_slice(secret.as_bytes())
        .expect("GITHUB_WEBHOOK_SECRET contains an invalid key");
    mac.update(payload);
    if mac.verify_slice(&signature).is_ok() {
        return Ok(());
    }
}


  This restores the fail-loud behavior for truly invalid keys while cleanly skipping empty segments from trailing commas.

But maybe it's better to do these validations at startup instead of doing them on a per request basis to avoid impacting performance

[marcoieni]

This is also another nice AI suggestion:

Consider logging a warning at startup (not per-request) if more than one secret is configured, so operators have visibility that rotation mode is active.