
Handle Jira app update webhook

What does this MR do?

As part of the lifecycle, the Jira app will send a POST request to /-/jira_connect/events/installed not only when the app is installed for the first time but also when the app is updated. In this case it will not send the sharedSecret parameter; instead it will send an authentication header with a valid JWT. So we can assume that when atlassian_jwt_valid? is true, it is an update hook and we can return 200 without creating a new installation.

This MR also adds a comment to the EventsController with a link to the Jira app documentation explaining the lifecycle (https://developer.atlassian.com/cloud/jira/software/app-descriptor/#lifecycle).

Thanks @leipert for the proposal of this fix

Related issues

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • [-] Label as security and @ mention @gitlab-com/gl-security/appsec
  • [-] The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • [-] Security reports checked/validated by a reviewer from the AppSec team

Related to #229114 (closed)

Edited by Andy Schoenen
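The install-versus-update distinction described in the MR, as an added example that is not GitLab's code: a first-time "installed" call carries sharedSecret and no JWT, while an update call carries no sharedSecret and an Authorization: JWT header that must verify against the secret already stored for that clientKey. The handler name, the in-memory installations store and the constructed requests are assumptions for this example; the qsh computation follows the Atlassian Connect canonical-request rule but skips percent-encoding of query values.

```ruby
require 'openssl'
require 'base64'
require 'json'
require 'digest'

# Added example, not GitLab's own code. handle_installed_event and the
# `installations` Hash (clientKey => sharedSecret, standing in for the DB)
# are assumptions made for this illustration.

INSTALLED_PATH = '/-/jira_connect/events/installed'

# Atlassian Connect query-string hash (qsh): SHA-256 of
# "METHOD&path&canonical-query". The installed hook is a POST with no query
# string, so the canonical query is empty. Simplified: values are not
# percent-encoded here.
def canonical_qsh(method, path, query = {})
  canonical_query = query.sort.map { |k, v| "#{k}=#{v}" }.join('&')
  Digest::SHA256.hexdigest("#{method.upcase}&#{path}&#{canonical_query}")
end

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Constant-time byte comparison so the signature check does not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize

  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify an HS256 JWT against the installation's shared secret. Returns the
# claims on success and nil on any failure: unexpected alg (including
# "none"), bad signature, wrong issuer, expired token, or a qsh that does not
# match the request actually received.
def verify_atlassian_jwt(token, shared_secret, expected_iss:, expected_qsh:, now: Time.now.to_i)
  header_b64, payload_b64, sig_b64 = token.to_s.split('.')
  return nil unless header_b64 && payload_b64 && sig_b64

  header = JSON.parse(Base64.urlsafe_decode64(header_b64))
  return nil unless header['alg'] == 'HS256'

  expected_sig = OpenSSL::HMAC.digest('SHA256', shared_secret, "#{header_b64}.#{payload_b64}")
  return nil unless secure_equal?(expected_sig, Base64.urlsafe_decode64(sig_b64))

  claims = JSON.parse(Base64.urlsafe_decode64(payload_b64))
  return nil unless claims['iss'] == expected_iss
  return nil unless claims['exp'].is_a?(Integer) && claims['exp'] > now
  return nil unless claims['qsh'] == expected_qsh

  claims
rescue JSON::ParserError, ArgumentError
  nil
end

# Returns [http_status, outcome]. A request that presents a JWT is treated
# as the update hook only if the JWT verifies against the secret we already
# hold; an invalid JWT fails closed and never falls through to storing a
# new secret (that fail-closed choice is this example's, not the MR's).
def handle_installed_event(installations, headers, params, now: Time.now.to_i)
  client_key = params['clientKey']
  return [400, :missing_client_key] if client_key.nil? || client_key.empty?

  auth = headers['Authorization'].to_s
  if auth.start_with?('JWT ')
    secret = installations[client_key]
    return [401, :unknown_installation] unless secret

    claims = verify_atlassian_jwt(auth.delete_prefix('JWT '), secret,
                                  expected_iss: client_key,
                                  expected_qsh: canonical_qsh('POST', INSTALLED_PATH),
                                  now: now)
    # Valid JWT and no new secret: update hook, nothing to create.
    return claims ? [200, :updated] : [401, :invalid_jwt]
  end

  shared_secret = params['sharedSecret']
  return [422, :missing_shared_secret] if shared_secret.nil? || shared_secret.empty?

  installations[client_key] = shared_secret
  [200, :installed]
end

# Signs a token the way Jira would for the update hook; used only to feed
# constructed requests into the handler.
def build_atlassian_jwt(shared_secret, iss:, qsh:, exp:)
  header = b64url(JSON.generate(alg: 'HS256', typ: 'JWT'))
  payload = b64url(JSON.generate(iss: iss, qsh: qsh, exp: exp))
  sig = b64url(OpenSSL::HMAC.digest('SHA256', shared_secret, "#{header}.#{payload}"))
  "#{header}.#{payload}.#{sig}"
end

if $PROGRAM_NAME == __FILE__
  store = {}
  # Constructed first-install call: sharedSecret present, no JWT.
  p handle_installed_event(store, {}, { 'clientKey' => 'jira-site-1', 'sharedSecret' => 's3cr3t' })
  # Constructed update call: JWT only, signed with the stored secret.
  token = build_atlassian_jwt('s3cr3t', iss: 'jira-site-1',
                              qsh: canonical_qsh('POST', INSTALLED_PATH), exp: Time.now.to_i + 180)
  p handle_installed_event(store, { 'Authorization' => "JWT #{token}" }, { 'clientKey' => 'jira-site-1' })
end
```

The point worth checking in review of any such handler is the order of the checks: the JWT branch must verify the signature with the secret already on file for the clientKey named in the request (and pin alg to HS256, check iss, exp and qsh), and a request whose JWT fails verification must be rejected rather than treated as a fresh install that overwrites the stored secret.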
