
Webhook incorrectly reports success on ping event from GitHub with invalid secret #589

Open
ncstate-mafields opened this issue Feb 6, 2023 · 0 comments

@ncstate-mafields

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 7.21.0
  • Ruby: ruby 2.7.7p221 (2022-11-24 revision 168ec2b1e5) [x86_64-linux]
  • Distribution: Red Hat Enterprise Linux release 8.7 (Ootpa)
  • Module version: 10.3.0

How to reproduce (e.g. Puppet code you use)

class { 'r10k::webhook::config':
  enable_ssl     => false,
  protected      => false,
  github_secret  => 'secret',
  generate_types => false,
}
-> class { 'r10k::webhook':
  use_mcollective => false,
  user            => 'root',
  group           => 'root',
}

What are you seeing

The webhook reports success to GitHub during the initial setup in response to the ping event, even when the secret value is incorrect. Subsequent push events then fail, since the secret/signature is incorrect.

What behaviour did you expect instead

The initial ping event should fail if there is a secret configured, and the secret value in GitHub is incorrect.

Output log

Any additional information you'd like to impart

Currently it looks like the code just bails with an empty 200 response if it sees the ping event. It should probably evaluate the signature first in all cases, then decide to bail on a ping.
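The ordering problem described in the report, shown as an added example that is not the r10k module's own webhook code: a minimal handler in the buggy shape (ping short-circuit before signature evaluation) next to the fixed ordering (signature first for every event, then the ping decision). It assumes GitHub's documented `X-Hub-Signature-256` header carrying `sha256=<hex>` of an HMAC-SHA256 over the raw body; whether the module's webhook reads that header or the older `X-Hub-Signature` is not stated on this page, and the function names are hypothetical.

```ruby
require 'openssl'
require 'json'

# GitHub signs the raw request body with HMAC-SHA256 over the shared secret and
# sends the hex digest as "sha256=<hex>" in this header (assumption: the module's
# webhook may read a different header; only the ordering matters here).
SIGNATURE_HEADER = 'X-Hub-Signature-256'.freeze

def expected_signature(secret, body)
  'sha256=' + OpenSSL::HMAC.hexdigest('SHA256', secret, body)
end

# Constant-time comparison so a wrong signature cannot be told apart from a
# right one by response timing (length leak is acceptable: digests are fixed size).
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# A missing or empty signature header counts as invalid when a secret is configured.
def signature_valid?(headers, body, secret)
  sig = headers[SIGNATURE_HEADER]
  return false if sig.nil? || sig.empty?
  secure_compare(sig, expected_signature(secret, body))
end

# Buggy shape from the report: the ping short-circuit runs before the signature is
# evaluated, so GitHub's hook-creation ping succeeds even with the wrong secret,
# and only the first real push reveals the misconfiguration.
def handle_event_buggy(headers, body, secret)
  return [200, ''] if headers['X-GitHub-Event'] == 'ping'
  return [401, 'invalid signature'] unless signature_valid?(headers, body, secret)
  [202, "accepted #{headers['X-GitHub-Event']}"]
end

# Fixed ordering: verify first for every event type, then decide what a ping does.
def handle_event_fixed(headers, body, secret)
  return [401, 'invalid signature'] unless signature_valid?(headers, body, secret)
  return [200, 'pong'] if headers['X-GitHub-Event'] == 'ping'
  [202, "accepted #{headers['X-GitHub-Event']}"]
end

# Constructed sample request: builds the headers and body GitHub would send for
# the given event, signed with whatever secret is configured on the GitHub side.
def signed_request(event, payload, github_side_secret)
  body = JSON.generate(payload)
  headers = {
    'X-GitHub-Event' => event,
    SIGNATURE_HEADER => expected_signature(github_side_secret, body)
  }
  [headers, body]
end

if __FILE__ == $PROGRAM_NAME
  server_secret = 'secret'
  ping = signed_request('ping', { 'zen' => 'constructed sample' }, 'wrong-secret')
  push = signed_request('push', { 'ref' => 'refs/heads/main' }, 'wrong-secret')
  puts "buggy  ping with wrong secret: #{handle_event_buggy(*ping, server_secret).inspect}"
  puts "buggy  push with wrong secret: #{handle_event_buggy(*push, server_secret).inspect}"
  puts "fixed  ping with wrong secret: #{handle_event_fixed(*ping, server_secret).inspect}"
end
```

The buggy handler answers the mis-secreted ping with 200 and the following push with 401, which is exactly the sequence the report describes; the fixed handler rejects the ping with 401, so the misconfiguration surfaces in GitHub's "Recent Deliveries" view at hook creation time. Note that the check also has to treat an absent signature header as a failure, otherwise a ping sent with no secret configured on the GitHub side would still pass.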
