Sharang Parnerkar
3fa0e26bd1
When `orca webhooks add` registers a webhook it generates a signing secret by default; orca then requires X-Hub-Signature-256 on inbound POSTs (the public master at :6880 means anyone could otherwise fire a deploy by crafting the JSON body). Adds the signing step using the standard github-shaped header. The secret is consumed from a new Gitea Actions secret ORCA_WEBHOOK_SECRET on this repo — value provided out-of-band from the master. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>