feat(webhook): add webhook handler for quay.io and make improvements to the community PR

[cjcocokrisp]

This PR aims to add a Quay webhook processor to the webhook feature for Image Updater. This is accomplished by using the handler model that is used in the implementation. The handler is added along with the unit tests for it.

On top of adding the webhook handler for quay, there is also some other enhancements to the feature in this PR. The list is below.

Enhancements:

• Fixed issues with the Git Write Back method by passing Git credentials to the webhook server which was not done in the initial implementation.
• Made the webhook command more in line with the run command by adding similar options that were not present before.
• Fixed some issues regarding secrets and added a secrets mechanism for Docker and Quay (More on this below)

Secrets Changes:
The original implementation has this scheme to validate the Docker webhooks:

// Validate validates the Docker Hub webhook payload
func (d *DockerHubWebhook) Validate(r *http.Request) error {
	if r.Method != http.MethodPost {
		return fmt.Errorf("invalid HTTP method: %s", r.Method)
	}

	// If secret is configured, validate the signature
	if d.secret != "" {
		signature := r.Header.Get("X-Hub-Signature-256")
		if signature == "" {
			return fmt.Errorf("missing webhook signature")
		}

		body, err := io.ReadAll(r.Body)
		if err != nil {
			return fmt.Errorf("failed to read request body: %w", err)
		}

		// Reset body for later reading
		r.Body = io.NopCloser(strings.NewReader(string(body)))

This scheme does not actually happen with Docker. Docker does not have that sort of scheme and the only registry that I found that has that is GitHub. Docker and Quay both in fact do not have any type of secrets and signatures built into their webhooks. This issue that is open in the Docker roadmap mentions this and it is still open and people are still asking with the last reply being in June of this year.

One thing I did to combat this issue of Docker and Quay not having secrets is add in a way that secrets could kind of be added. The way this is done by using the query parameter secret to hold what would be the secret. This is not the most secure thing and is more or less just there to be there. When I go and write the docs I plan to denote how this is not the most secure thing so don't use a secret that is shared with something else for this scheme. Let me know what you think about this.

[codecov-commenter]

Codecov Report

❌ Patch coverage is 40.41667% with 143 lines in your changes missing coverage. Please review.
✅ Project coverage is 63.10%. Comparing base (274cfbc) to head (61e1c79).

Files with missing lines	Patch %	Lines
cmd/webhook.go	24.84%	120 Missing and 1 partial ⚠️
cmd/run.go	29.16%	17 Missing ⚠️
pkg/webhook/quay.go	93.61%	2 Missing and 1 partial ⚠️
pkg/webhook/server.go	33.33%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #1197      +/-   ##
==========================================
- Coverage   64.14%   63.10%   -1.05%     
==========================================
  Files          22       23       +1     
  Lines        2990     3144     +154     
==========================================
+ Hits         1918     1984      +66     
- Misses        962     1050      +88     
  Partials      110      110              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[cjcocokrisp]

Resolved feedback and added a comment above the quay payload with link to Quay docs on webhook events.