Prevent trigger API from DoS when trigger ID is exposed

A token is not needed for consuming solum trigger API, that may be a vulnerability for DoS, especially when trigger ID is exposed. We propose the following approach to solve this issue. When solum creates a plan, a secret key is generated and put into db, also registered with user. For the Github-hosted code we can leverage its webhook API (https://developer.github.com/v3/repos/hooks/#create-a-hook) to register the key with the repo securely. So each time Github sends out a request (e.g. on a pull request) to solum trigger API, a signature is computed from the payload by using the key and included in its 'X-Hub-Signature' header. Solum can then do a hash compare to decide whether to accept or reject the request.