Github - Require webhook_token

It's quite unsafe to run without webhook_token, and quite easy for us to
run our tests with a terribly predictable one. This will ensure that
nobody accidentally runs a Zuul vulnerable to MITM proxy attacks.

Per the link right under the doc we just changed, we also use
hmac.compare_digest to prevent timing analysis by malicious attackers
which would help them discover the secret.

Change-Id: Ie8aa83b81b8e4ef1bb755a664bf416a8663930fa
diff --git a/doc/source/admin/drivers/github.rst b/doc/source/admin/drivers/github.rst
index 5075f80..3c46be9 100644
--- a/doc/source/admin/drivers/github.rst
+++ b/doc/source/admin/drivers/github.rst
@@ -48,9 +48,8 @@
   <https://help.github.com/articles/creating-an-access-token-for-command-line-use/>`_.
 
 **webhook_token**
-  Optional: Token for validating the webhook event payloads.
-  If not specified, payloads are not validated. In the GitHub App Configuration
-  page, this is called "Webhook secret".
+  Required token for validating the webhook event payloads.  In the
+  GitHub App Configuration page, this is called "Webhook secret".
   See `Securing your webhooks
   <https://developer.github.com/webhooks/securing/>`_.
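
Review bot: The new **webhook_token** text says "Required token" but does not say what happens when the option is left out, and deployments that relied on the removed "If not specified, payloads are not validated" behaviour get no upgrade hint. Consider adding a sentence that states how Zuul behaves when the token is absent, plus a release note for existing installs. Since the commit message calls out predictable tokens, the doc could also say the value should be a long random secret that matches the "Webhook secret" set on the GitHub side. The commit message mentions hmac.compare_digest, but only this documentation hunk is visible here, so the comparison change itself cannot be reviewed from this diff.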