Switch to using X-Hub-Signature-256 for GitHub

> Make sure you are using the correct header. GitHub recommends that you
> use the `X-Hub-Signature-256` header, which uses the HMAC-SHA256 algorithm.
> The X-Hub-Signature header uses the HMAC-SHA1 algorithm and is only
> included for legacy purposes.

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>

Author: StevenMaude

pkg/hookbot/hookbot.go

@@ -377,7 +377,7 @@ func (h *Hookbot) ServePublish(w http.ResponseWriter, r *http.Request) {
 		case "github":
 
 			body, err = json.Marshal(map[string]interface{}{
-				"Signature": r.Header.Get("X-Hub-Signature"),
+				"Signature": r.Header.Get("X-Hub-Signature-256"),
 				"Event":     r.Header.Get("X-GitHub-Event"),
 				"Delivery":  r.Header.Get("X-GitHub-Delivery"),
 				"Payload":   body,

pkg/router/github/auth.go

@@ -3,6 +3,7 @@ package github
 import (
 	"crypto/hmac"
 	"crypto/sha1"
+	"crypto/sha256"
 	"crypto/subtle"
 	"encoding/json"
 	"fmt"
@@ -15,6 +16,12 @@ func Sha1HMAC(key string, payload []byte) string {
 	return fmt.Sprintf("%x", mac.Sum(nil))
 }
 
+func Sha256HMAC(key string, payload []byte) string {
+	mac := hmac.New(sha256.New, []byte(key))
+	_, _ = mac.Write(payload)
+	return fmt.Sprintf("%x", mac.Sum(nil))
+}
+
 func SecureEqual(x, y string) bool {
 	if subtle.ConstantTimeCompare([]byte(x), []byte(y)) == 1 {
 		return true
@@ -39,7 +46,7 @@ func IsValidGithubSignature(secret string, message []byte) bool {
 	}
 
 	expected := m.Signature
-	got := fmt.Sprintf("sha1=%v", Sha1HMAC(secret, m.Payload))
+	got := fmt.Sprintf("sha256=%v", Sha256HMAC(secret, m.Payload))
 
 	log.Printf("Expected = %v got = %v", expected, got)