GitHub Webhook Validation issues
There seems to be some issue with the hash validation on GH release events.
SHA-256 seems to come in over the 'X-Hub-Signature-256' header, and is calculated by a combination of the request body and the secret key, as per: https://docs.github.com/en/webhooks/webhook-events-and-payloads . Right now Terrareg appears to be passing an empty byte string to the HMAC function and is attempting to pull the SHA-256 hash from the 'X-Hub-Signature' header, which is a SHA-1 hash. I've tried a few local changes, but am struggling to get the auth to work. I'll post if I find any solution here.