gitea push hook secret comes from the payload not a form

[jstrachan]

just tried gitea's push webhook handling and it looks like the secret comes in via the json payload rather than via a form.

PR on its way...

[bradrydzewski]

The secret was deprecated in favor of using the hmac signature in the header to verify authenticity. One of the gitea maintainers recently submitted a pull request to support hmac verification, with a fallback to reading the secret. See #24.

[tboerger]

Can we close this issue?

[ashwilliams1]

I think this remains an open issue. The secret should come from the payload, but the current implementation gets the value from a URL query parameter (via req.FormValue) which is Drone-specific. I think this may also require an update to the Gitea webhook creation code.

[tboerger]

But the secret had been deprecated in favor of the hmac signature?