I am currently learning about GitHub Application development, and I am a little confused about how all the security fits together.
It seems that every GitHub App has a Webhook Secret and a Private Key. I am wondering why there are two measures put in place like this. It seems like I now have to protect two pieces of sensitive data when one (the private key) should suffice for both scenarios.
That is, it would seem that data sent from GitHub Webhooks could be signed by the public key, and then verified using the private key, in lieu of using a secret.
Please let me know if I have misunderstood something here. That is quite possible, since I am learning a lot here.
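As an added example (not part of the question above) of what the webhook secret actually does on the receiving side: GitHub computes an HMAC-SHA256 over the raw request body with the shared secret and sends it in the X-Hub-Signature-256 header, and the app recomputes it with the same secret. The secret and body below are constructed sample values.

```python
import hmac
import hashlib
from typing import Optional


def sign_payload(secret: bytes, body: bytes) -> str:
    """Return the X-Hub-Signature-256 header value GitHub sends for `body`."""
    digest = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return f"sha256={digest}"


def verify_signature(secret: bytes, body: bytes, header_value: Optional[str]) -> bool:
    """Check a received delivery against the shared webhook secret.

    `body` must be the raw bytes as received (not re-serialised JSON), or the
    MAC will not match. Returns False rather than raising on a missing or
    malformed header, so an unsigned request is never treated as verified.
    """
    if not header_value or not header_value.startswith("sha256="):
        return False
    expected = sign_payload(secret, body)
    # Constant-time comparison: a plain == would leak, via timing, how many
    # leading bytes of a forged header match the real MAC.
    return hmac.compare_digest(expected, header_value)


# Constructed sample values (not real GitHub data).
SECRET = b"example-webhook-secret"
BODY = b'{"action":"opened","number":1}'

if __name__ == "__main__":
    sig = sign_payload(SECRET, BODY)
    print(sig)
    print(verify_signature(SECRET, BODY, sig))          # True
    print(verify_signature(SECRET, BODY + b" ", sig))   # False: body altered
    print(verify_signature(b"other-secret", BODY, sig)) # False: wrong secret
```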