First iteration of notification webhooks #60

Merged: ChrisPenner merged 35 commits into main from cp/webhooks on May 6, 2025
@ChrisPenner ChrisPenner commented May 1, 2025

Member

Before deploying:

  • Ensure the jobs file has env vars for the proxy, vault mount, vault token
  • Run SQL migrations

Overview

  • Adds the ability to create webhooks and assign them to notification subscriptions.
  • Currently supported notifications are "branch update" and "contribution created"
  • Calls the provided URI with the relevant event info for each event; e.g. branch info, contribution info, project info, etc.
  • Retries 3 times on failure (I log the failures in Loki, but they won't be surfaced anywhere yet). I also haven't added any form of backoff just yet.
  • URIs are stored encrypted in Vault in case users put passwords or tokens or w/e in there.
  • Payloads include a signed attestation of the event data in a JWT signed with key; end users can use the public key to verify (or for less consequential webhooks, the data is available as plain JSON).

Still to do at some later point:

  • Do we support custom payloads or templating? It would be helpful for things like Slack messages or something, but also we could just offer first-party Slack/Discord integrations. It's a possible attack vector, and GitHub doesn't support this.
  • Some sort of visibility into whether webhooks are working.
  • Maybe a "test me" button to send a sample webhook for a subscription?

Implementation

  • Wires up a background worker that's triggered by new events which have webhook notification subscriptions
  • Adds a Vault integration to Share for user secret storage.
  • Adds Vault to local docker-compose setup
  • Adds a small Python script to act as a webhook capturer in transcripts (it waits for a single request and logs it to an output file)
  • Configures an HTTP proxy to ensure end-users can't call within our private network.
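
An added example, not part of this PR or the project's code: the PR enforces the "can't call within our private network" rule with an HTTP proxy, and this Python check shows the complementary application-side validation of a user-supplied webhook URI before any request is made. The function names, the `example.test` hostnames and the DNS answers are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed sample DNS answers so the example runs offline.
SAMPLE_DNS = {
    "hooks.example.test": ["8.8.8.8"],
    "internal.example.test": ["10.0.0.5"],
    "mixed.example.test": ["8.8.8.8", "169.254.169.254"],
}

def sample_resolver(host, port):
    return SAMPLE_DNS.get(host, [host])  # IP literals resolve to themselves

def system_resolver(host, port):
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    return [info[4][0] for info in infos]

def is_public_address(addr):
    """True only for globally routable unicast addresses."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    # Judge IPv4-mapped IPv6 (::ffff:a.b.c.d) by the embedded IPv4 address.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast

def check_webhook_uri(uri, resolve=system_resolver):
    """Return (ok, reason, addrs); every resolved address must be public."""
    try:
        parts = urlsplit(uri)
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "malformed uri", []
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed", []
    if not parts.hostname:
        return False, "missing host", []
    try:
        addrs = resolve(parts.hostname, port)
    except (OSError, UnicodeError):
        return False, "unresolvable host", []
    bad = [a for a in addrs if not is_public_address(a)]
    if bad or not addrs:
        return False, "non-public or missing address", addrs
    # Connect to one of addrs rather than re-resolving the name, so the
    # answer cannot change between this check and the request.
    return True, "ok", addrs
```

A check like this at subscription time gives the user an early error; the egress proxy remains the enforcement point at delivery time, since DNS answers can change after the URI is stored.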

@ChrisPenner ChrisPenner requested a review from a team as a code owner May 1, 2025 18:03
@ChrisPenner ChrisPenner force-pushed the cp/webhooks branch 2 times, most recently from 77be39a to efb0f7d Compare May 1, 2025 18:38
@ChrisPenner ChrisPenner force-pushed the cp/webhooks branch 5 times, most recently from c7eccd7 to 79735be Compare May 1, 2025 22:47
@ChrisPenner ChrisPenner merged commit 3b6d86f into main May 6, 2025
2 checks passed
@ChrisPenner ChrisPenner deleted the cp/webhooks branch May 6, 2025 21:37