Add better validation of incoming webhooks for GitHub.

Review Request #6313 — Created Sept. 11, 2014 and submitted — Latest diff uploaded

Information

Review Board
release-2.0.x
800e22d...

Reviewers

Incoming GitHub webhook requests for the close-submitted webhooks are
now safe from unintentional requests (for incompatible events) or
malicious payloads (from people guessing the URL and sending payloads to
close various review requests).

We now require that the webhook on GitHub be configured with the Secret
field filled out. It must be set to the value of the repository's
hooks_uuid field. The incoming payload will then be validated for a
signature generated with those payload contents and that secret.

The handler will also filter out non-push events, in case the webhook
was configured to "send everything."

This change (and the upcoming ones for Bitbucket and Google Code) does
break backwards-compatibility for existing hooks, but this is necessary
(and we have labeled this an experimental feature).

An upcoming change will assist users in filling out the webhook field
information, along with the value for the Secret field.

Unit tests pass.

We'll need to test this in production once the change goes in.
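
The validation described above, sketched as an added example (not Review Board's own code). It assumes GitHub's `X-Hub-Signature` (`sha1=<hex HMAC of the raw body>`) and `X-GitHub-Event` headers, passed in a dict with lower-cased names; the function names and sample values are constructed for illustration, with the secret standing in for the repository's hooks_uuid.

```python
import hashlib
import hmac

# Constructed sample values; SAMPLE_SECRET stands in for a hooks_uuid.
SAMPLE_SECRET = b"0123456789abcdef0123456789abcdef"
SAMPLE_BODY = b'{"ref": "refs/heads/master", "commits": []}'


def sign(secret, body):
    """Return the X-Hub-Signature value a sender holding `secret` would produce."""
    return "sha1=" + hmac.new(secret, body, hashlib.sha1).hexdigest()


def validate_webhook(headers, body, secret):
    """Return (accepted, reason) for one incoming request.

    headers: dict of lower-cased header names (assumption of this sketch).
    body:    raw request bytes exactly as received, before JSON parsing;
             re-serialized JSON would not reproduce the signed bytes.
    """
    algo, sep, received = headers.get("x-hub-signature", "").partition("=")
    if not sep or algo != "sha1" or not received:
        return False, "missing or malformed signature"

    expected = hmac.new(secret, body, hashlib.sha1).hexdigest()
    # Constant-time comparison: a plain == can leak how many leading
    # characters matched. Encoding first keeps non-ASCII input from raising.
    if not hmac.compare_digest(expected.encode("ascii"),
                               received.encode("utf-8")):
        return False, "bad signature"

    # Authenticate first, then drop non-push events, which arrive when the
    # hook is set to "send everything".
    if headers.get("x-github-event") != "push":
        return False, "ignored event"
    return True, "ok"


if __name__ == "__main__":
    good = {"x-github-event": "push",
            "x-hub-signature": sign(SAMPLE_SECRET, SAMPLE_BODY)}
    print(validate_webhook(good, SAMPLE_BODY, SAMPLE_SECRET))
    print(validate_webhook(good, SAMPLE_BODY + b" ", SAMPLE_SECRET))
```
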
