refactor: remove GitHub webhook signature verification and related secret from environment sample

Author: opbot-xd

src/backend/.env.sample

@@ -9,7 +9,6 @@ FRONTEND=...
 ADMIN_LIST=admin1|admin2
 MEMORY_LIMIT=500m
 ENCRYPTION_KEY=your_secure_random_base64_encryption_key_here
-GITHUB_WEBHOOK_SECRET=your_github_webhook_hmac_secret_here
 
 # Health Monitor Configuration
 PROMETHEUS_URL=http://prometheus:9090

src/backend/main.ts

@@ -2,7 +2,7 @@ import { Context, Sentry } from "./dependencies.ts";
 import { addScript, deleteScript } from "./scripts.ts";
 import { checkJWT } from "./utils/jwt.ts";
 import { addMaps, deleteMaps, getMaps, getDeploymentsByRepo, getUserToken } from "./db.ts";
-import { encryptEnv, decryptEnv, verifyGithubSignature } from "./utils/crypto.ts";
+import { encryptEnv, decryptEnv } from "./utils/crypto.ts";
 
 // ... skipping to githubWebhook
 

src/backend/utils/crypto.ts

@@ -63,25 +63,3 @@ export async function decryptEnv(cipherB64: string): Promise<string> {
     return "";
   }
 }
-
-export async function verifyGithubSignature(signatureHeader: string | null, bodyRaw: Uint8Array): Promise<boolean> {
-  if (!signatureHeader || !signatureHeader.startsWith("sha256=")) return false;
-  const expectedSig = signatureHeader.slice(7);
-
-  const secret = Deno.env.get("GITHUB_WEBHOOK_SECRET") || "debug-key!";
-  const key = await crypto.subtle.importKey(
-    "raw",
-    new TextEncoder().encode(secret),
-    { name: "HMAC", hash: "SHA-256" },
-    false,
-    ["sign"]
-  );
-
-  const signatureBytes = await crypto.subtle.sign("HMAC", key, bodyRaw);
-  
-  const hashArray = Array.from(new Uint8Array(signatureBytes));
-  const actualSig = hashArray.map(b => b.toString(16).padStart(2, '0')).join('');
-
-  // Use timing-safe comparison if available, standard OK for now
-  return actualSig === expectedSig;
-}