Shared secret is not updated in GitHub for existing web hooks


      Steps to reproduce

      1. Configure GitHub plugin properly, such that web hooks trigger builds on push
      2. Change the shared secret in Jenkins
      3. Re-register all hooks
      4. Trigger web hook in GitHub
      5. Result: Web hook fails with HTTP status code 400, response
        <html>
        <head>
        <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
        <title>Error 400 Provided signature [ebae18a50080a53a1e20932ab1217d82c291ed39] did not match to calculated</title>
        </head>
        <body><h2>HTTP ERROR 400</h2>
        <p>Problem accessing /github-webhook/. Reason:
        <pre>    Provided signature [ebae18a50080a53a1e20932ab1217d82c291ed39] did not match to calculated</pre></p><hr><a href="http://eclipse.org/jetty">Powered by Jetty:// 9.4.z-SNAPSHOT</a><hr/>
        
        </body>
        </html>

      Steps to fix manually

      1. Delete broken web hook
      2. Re-register web hooks
      3. Result: Web hook works again

      Best-Effort Analysis

      After a bit of digging, it seems to me that the GitHub plugin does not update already existing hooks, see https://github.com/jenkinsci/github-plugin/blob/master/src/main/java/org/jenkinsci/plugins/github/webhook/WebhookManager.java#L195:

      if (hooks.size() == 1 && isEqualCollection(alreadyRegistered, events)) {
          LOGGER.debug("Hook already registered for events {}", events);
          return null;
      }
      

      According to the commit message, this was intentional. If desired, I am happy to provide a pull request to fix this issue. I see the following options:

      • Re-register all hooks without checking for already existing hooks. One-liner, but not efficient for many hooks.
      • Update the value of the shared secret for already existing hooks. More efficient, but requires an upgrade of the GitHub API. I'm not sure whether the secret is the only thing that requires an update.

            Assignee:
            Kirill Merkushev
            Reporter:
            Matthias Silbernagl
            Archiver:
            Jenkins Service Account
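
The mismatch reported above can be reproduced and diagnosed offline. The following is an added example, not code from the issue or from the GitHub plugin: it assumes the sender signs the raw request body with HMAC-SHA1 and sends it as `sha1=<hex>` (the 40-hex-digit value in the error matches that length), and the function names, secrets and payload are constructed for illustration.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample values (not taken from the issue).
OLD_SECRET = b"secret-before-rotation"
NEW_SECRET = b"secret-after-rotation"
BODY = b'{"ref":"refs/heads/master","repository":{"name":"demo"}}'


def sign(secret: bytes, body: bytes) -> str:
    """Hex HMAC-SHA1 of the raw body, as the hook sender would compute it."""
    return hmac.new(secret, body, hashlib.sha1).hexdigest()


def _matches(provided: str, secret: bytes, body: bytes) -> bool:
    # Compare as bytes in constant time; str inputs with non-ASCII would raise.
    return hmac.compare_digest(provided.encode(), sign(secret, body).encode())


def classify_delivery(body: bytes, header: str, current: bytes,
                      previous: Optional[bytes] = None) -> str:
    """Classify one delivery as 'valid', 'stale-secret' or 'invalid'.

    'stale-secret' is diagnostic only: the delivery must still be rejected,
    but it tells the operator that the hook on the sending side was never
    updated after the secret was changed on the receiving side.
    """
    algo, _, provided = header.partition("=")
    provided = provided.lower()
    if algo != "sha1" or len(provided) != 40:
        return "invalid"
    if _matches(provided, current, body):
        return "valid"
    if previous is not None and _matches(provided, previous, body):
        return "stale-secret"
    return "invalid"


if __name__ == "__main__":
    # Hook still registered with the old secret, receiver already rotated.
    stale_header = "sha1=" + sign(OLD_SECRET, BODY)
    print(classify_delivery(BODY, stale_header, NEW_SECRET, OLD_SECRET))
    # Hook deleted and re-registered, so it now carries the new secret.
    fresh_header = "sha1=" + sign(NEW_SECRET, BODY)
    print(classify_delivery(BODY, fresh_header, NEW_SECRET, OLD_SECRET))
```

A run of `stale-secret` results after a rotation points at hooks that were skipped during re-registration rather than at tampered payloads.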
