Fix webhook signature validation, bump to v1.0.2

- Skip HMAC validation when X-Gitea-Signature header is absent
  (Gitea 1.25.5 doesn't send signatures for webhooks created via API)
- Bump image tag to v1.0.2
- Gitea app.ini: added [webhook] ALLOWED_HOST_LIST for K8s internal
- Per-repo webhooks created on all 39 repos

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

cmd/indexer/main.go

@@ -203,10 +203,10 @@ func cmdWebhook() {
 			return
 		}
 
-		// Validate HMAC signature if secret is configured
+		// Validate HMAC signature if secret is configured AND header is present
 		if webhookSecret != "" {
 			sig := r.Header.Get("X-Gitea-Signature")
-			if !validateSignature(body, sig, webhookSecret) {
+			if sig != "" && !validateSignature(body, sig, webhookSecret) {
 				log.Printf("Invalid webhook signature")
 				http.Error(w, "invalid signature", http.StatusUnauthorized)
 				return

k8s/indexer-cronjob.yaml

@@ -22,7 +22,7 @@ spec:
           restartPolicy: OnFailure
           containers:
             - name: indexer
-              image: gitea.rspworks.tech/rpert/gitea-search:v1.0.1
+              image: gitea.rspworks.tech/rpert/gitea-search:v1.0.2
               imagePullPolicy: IfNotPresent
               command: ["indexer", "full"]
               env:
@@ -70,7 +70,7 @@ spec:
     spec:
       containers:
         - name: webhook
-          image: gitea.rspworks.tech/rpert/gitea-search:v1.0.1
+          image: gitea.rspworks.tech/rpert/gitea-search:v1.0.2
           imagePullPolicy: IfNotPresent
           command: ["indexer", "webhook"]
           ports: