Internal server error caused by unset external_webhook_token and X-Hub-Signature

If mirroring is manually enabled, and then triggered via a manually configured GitHub webhook, an internal server error will occur.

@DouweM writes https://gitlab.com/gitlab-org/gitlab-ee/issues/6588#note_86460309:

The underlying issue is that project.external_webhook_token is not set. It is only set, and X-Hub-Signature can only be used, if the GitHub webhook was automatically created by GitLab as part of the "CI/CD for external repo" flow. Otherwise, the endpoint only supports regular token authentication. I agree the error should not result in a 500 error, though!

Steps to reproduce

  1. Create a project from another project with pull mirroring enabled
  2. Using the GitLab pull mirroring API and an X-Hub-Signature header, trigger an update:
     curl -X POST -H "private-token: <token>" -H "X-Hub-Signature: sha1=57920710b7619b11df90c4ae237f0f53d77a8f54" https://gitlab.com/api/v4/projects/5118205/mirror/pull

What is the current bug behavior?

500 Internal Server Error

What is the expected correct behavior?

200 and the malformed header should be ignored.

Relevant logs and/or screenshots

https://sentry.gitlap.com/gitlab/gitlabcom/issues/225269/

Output of checks

This bug happens on GitLab.com

Edited Jul 06, 2018 by James Ramsay (ex-GitLab)
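
The expected behavior described in this issue, sketched as an added Ruby example (not GitLab's code; the module, the method names and the 401 policy for a bad signature are assumptions): when no webhook secret is stored, the X-Hub-Signature header is ignored and regular token authentication decides, so a nil secret never reaches the HMAC call.

```ruby
require 'openssl'

# Added illustration; all names here are hypothetical, not GitLab's implementation.
module MirrorWebhookAuth
  PREFIX = 'sha1='

  # Classify the X-Hub-Signature header against the project's stored webhook secret.
  #   :skipped - no secret stored or no header sent, so the signature proves nothing
  #   :valid   - HMAC-SHA1 of the raw request body matches the header
  #   :invalid - a secret exists but the header is malformed or does not match
  def self.signature_state(secret, header, body)
    return :skipped if secret.nil? || secret.empty? || header.nil?
    return :invalid unless header.start_with?(PREFIX)

    digest = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), secret, body)
    secure_equal?(PREFIX + digest, header) ? :valid : :invalid
  end

  # Constant-time comparison: XOR every byte pair so timing does not
  # reveal how many leading characters matched.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize

    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Map a request onto an HTTP status without raising on an unset secret.
  # Assumption: a valid signature authenticates on its own, and a bad
  # signature against a configured secret is rejected outright.
  def self.status_for(secret:, header:, body:, token_ok:)
    case signature_state(secret, header, body)
    when :valid   then 200
    when :invalid then 401
    else token_ok ? 200 : 401 # signature unusable: token auth decides
    end
  end
end
```
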