Deprecate and remove shared secret from webhook payloads

[JustAnotherArchivist]

Gitea currently sends the secret in the webhook payload in plaintext. This renders signature validation entirely useless since an attacker could freely manipulate the payload without detection.

Signatures were originally requested in #3901 and added in #6428. This problem was also mentioned in a comment in the former, but no separate issue for this security problem has been filed. Since then, it has been mentioned in a few comments that the secret is deprecated and will be removed (e.g. #7487 (comment), #5173 (comment)). However, a deprecation notice in the changelog and the documentation is missing, so only few people will notice.

An official deprecation warning should be added to the changelog as soon as possible, ideally with the release of 1.12.0. This should also include information on when the field will be removed entirely.

[JustAnotherArchivist]

A note on the webhook documentation: that's already quite outdated (missing fields, headers, etc.) and very incomplete. I'm working on a full rewrite (cf. #9485), but I currently don't know when that will be finished. Until then, I'd suggest simply adding a deprecation warning above the push example with a reference to the X-Gitea-Signature header. I will be adding a full description in my rewrite, but until then, the PHP example already illustrates how to validate that.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. I am here to help clear issues left open even if solved or waiting for more insight. This issue will be closed if no further activity occurs during the next 2 weeks. If the issue is still valid just add a comment to keep it alive. Thank you for your contributions.

[JustAnotherArchivist]

Yes, this is still valid.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. I am here to help clear issues left open even if solved or waiting for more insight. This issue will be closed if no further activity occurs during the next 2 weeks. If the issue is still valid just add a comment to keep it alive. Thank you for your contributions.

[zeripath]

AFAICS this is still present but it needs a security tag.

I don't understand completely why this was ever put there, and therefore I don't know why it hasn't been removed - but clearly it needs to be dealt with.

Now this is too late for 1.13 but I think we can just deprecate the secret from 1.13 so that it will be gone from 1.14 and anyone requiring it just has to do something about it.

[rakshith-ravi]

@zeripath shouldn't this be moved to 1.14.0 milestone instead of 1.14? (Why do we even have 1.14 in the first place?) Just making sure there's no duplicate milestones created