
If your shared secret is vulnerable to brute forcing, it's vulnerable to brute forcing. An easy fix for this: generate your shared secret by hashing or salthashing a low-entropy password.

As a general rule though, HMAC is used with randomly generated secrets. I don't know why GitHub doesn't just tell you the secret.

Amazon's implementation is much more correct.



