Although there is no official authentication spec, a shared key and source IP verification are better than nothing and are what I implemented.
It turns out that authentication is not impossible, but is certainly also not terribly likely to provide any assurance of integrity. However, it is better than nothing and the best I have to offer at the moment.
I implemented a pair of simple verifications to protect users of mod_github_sync: source IP white-listing and URL token verification. Both have obvious weaknesses, but together they certainly keep the run-of-the-mill vandal off the scent.
A denial of service is possible with this module, as a determined attacker could tie up the server with a lot of git pulls and module rescans if they manage to spoof the IPs and guess the token.
My assessment is that anyone capable of spoofing IPs in a TCP session likely has easier ways of attacking the Zotonic server than this.
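The two checks described above can be sketched as follows. This is an added example in Python, not mod_github_sync's own Erlang code; the function names, the `token` query parameter, the token value and the allowed networks (documentation ranges, not GitHub's real hook sources) are all assumptions made for illustration.

```python
import hmac
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Constructed placeholders: documentation ranges, not GitHub's real hook sources.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8::/32")]
SHARED_TOKEN = "constructed-example-token"  # hypothetical; load from config in practice


def source_allowed(peer_ip, nets=ALLOWED_NETS):
    """True if the TCP peer address falls inside an allowed network.

    Pass the socket's peer address, not a client-supplied header such as
    X-Forwarded-For, unless a trusted proxy sets that header.
    """
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False  # unparseable address: fail closed
    # Dual-stack listeners report IPv4 peers as ::ffff:a.b.c.d; normalise them.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr.version == net.version and addr in net for net in nets)


def token_valid(url, expected=SHARED_TOKEN, param="token"):
    """True if the URL carries exactly one token and it matches the shared key."""
    values = parse_qs(urlsplit(url).query).get(param, [])
    if len(values) != 1:
        return False  # missing, empty or repeated token: fail closed
    # Constant-time comparison, so response timing does not help guess the token.
    return hmac.compare_digest(values[0].encode(), expected.encode())


def accept_hook(peer_ip, url):
    """Both checks must pass before any git pull or module rescan is started."""
    ip_ok = source_allowed(peer_ip)
    token_ok = token_valid(url)  # evaluated regardless of the IP result
    return ip_ok and token_ok
```

Because the token travels in the URL, it also ends up in access logs and proxy logs, so those need the same protection as the configured key.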