Non-Breaking Changes to GitHub Secret Verification

• GITHUBAPP_SECRET can now be set to False to skip verifying the signature of
  the webhook payload.

• The X-Hub-Signature-256 header is now preferred for signature checking.
  Previously, X-Hub-Signature (and sha1) were used to verify the payload.