Push from the Linux development environment (VirtualBox on my local PC)
↓
Webhook fires in the private GitHub repository
↓
Pull script is invoked in the non-bare repository on the production server
(This is a Sakura rental server)
I'm thinking of building a flow like this.
(I'm also considering the deployment tool Altax in the future, but I'm keeping it simple first to get a grasp of the flow.)
I've looked into various things and it seems that security is being considered. I have referred to the following website.
http://qiita.com/oyas/items/1cbdc3e0ac35d4316885
·The reflection on github is solid.
·The log on github returned 200 successfully.
·Log files are generated well on the server.
(Generated in the above site php script)
·After executing the pull command directly from the server to github, it was completed.
·When I realized that the SSH connection was not made after the pull was made, and when I tested it after the SSH connection, only the log file was updated. I was able to connect to the following site (Hi! account~).
http://qiita.com/shizuma/items/2b2f873a0034839e47ce
·I tried making the command part of the code a full path.
(I think it's the same thing because the code is placed in the directory where .git is located, but I found an article that says full path designation and made it full path.)
*Please note that the following sources may pose a security risk.
// Settings
$LOG_FILE = dirname(__FILE__).'/hook.log';
$SECRET_KEY = ''; // secret configured for the GitHub webhook (value not shown)
$header = getallheaders();
$hmac = hash_hmac('sha1', $HTTP_RAW_POST_DATA, $SECRET_KEY);
if (isset($header['X-Hub-Signature']) && $header['X-Hub-Signature'] === 'sha1='.$hmac) {
    $payload = json_decode($HTTP_RAW_POST_DATA, true); // JSON data received
    // write the code you want to execute here
    exec('/Sakura server.git installation directory/git pull origin master'); // linux command execution
    file_put_contents($LOG_FILE, date("[Y-m-d H:i:s]").".".$_SERVER['REMOTE_ADDR']."git pulled: ".$payload['after'].".".$payload['commits'][0]['message']."\n", FILE_APPEND | LOCK_EX); // Write to log file
} else {
    // authentication failure
    file_put_contents($LOG_FILE, date("[Y-m-d H:i:s]")."invalid access: ".$_SERVER['REMOTE_ADDR']."\n", FILE_APPEND | LOCK_EX);
}
·Are there any other points to check?
·Please let me know if there is any security risk.
·Currently, I have a non-bare repository on the production server and a private key in the .ssh directory. Which is riskier: that, or writing a password in the config file? Is it possible to reduce the risk by taking a completely different approach?
exec('/Sakura Server.git Installation Directory/git pull origin master');
Is the script correct?
Are you confused between moving directories and the git command?
Why don't you do the following?
chdir('/Sakura Server.git Installation Directory /');
exec('git pull origin master');
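Building on the chdir suggestion above, a hardened form of the question's receiver, as an added example that is not code from the original post or its answer. It assumes GitHub's X-Hub-Signature-256 header, a secret held in a hypothetical WEBHOOK_SECRET environment variable, and a placeholder REPO_DIR.

```php
<?php
// Added example. REPO_DIR and the WEBHOOK_SECRET variable are assumptions.
const REPO_DIR = '/path/to/working-tree';   // placeholder: directory containing .git
const LOG_FILE = __DIR__ . '/hook.log';

// Constant-time check of GitHub's "sha256=<hex>" signature header.
function signature_ok(string $body, ?string $header, string $secret): bool
{
    if ($secret === '' || $header === null) {
        return false;                        // never accept with an empty secret
    }
    $expected = 'sha256=' . hash_hmac('sha256', $body, $secret);
    return hash_equals($expected, $header);
}

// Strip control characters so payload text cannot forge extra log lines.
function log_line(string $msg): void
{
    $clean = preg_replace('/[\x00-\x1F\x7F]+/', ' ', $msg);
    file_put_contents(LOG_FILE, date('[Y-m-d H:i:s] ') . $clean . "\n", FILE_APPEND | LOCK_EX);
}

function handle(string $body, ?string $header, string $secret, string $remote): int
{
    if (!signature_ok($body, $header, $secret)) {
        log_line("invalid access: $remote");
        return 403;
    }
    $payload = json_decode($body, true);
    // Fixed command: nothing from the payload reaches the shell.
    // --ff-only refuses to merge if the working tree has diverged.
    if (!chdir(REPO_DIR)) { log_line('chdir failed'); return 500; }
    exec('git pull --ff-only origin master 2>&1', $out, $rc);
    log_line("$remote git pull rc=$rc after=" . ($payload['after'] ?? '-') . ' ' . implode(' | ', $out));
    return $rc === 0 ? 200 : 500;
}

if (PHP_SAPI !== 'cli') {
    // php://input is the raw body; $HTTP_RAW_POST_DATA was removed in PHP 7.
    $code = handle(file_get_contents('php://input'), $_SERVER['HTTP_X_HUB_SIGNATURE_256'] ?? null,
        (string) getenv('WEBHOOK_SECRET'), $_SERVER['REMOTE_ADDR'] ?? '-');
    http_response_code($code);
} else {
    // Constructed sample: a valid and a tampered signature, no git call made.
    $body = '{"after":"0000000"}';
    $sig  = 'sha256=' . hash_hmac('sha256', $body, 'test-secret');
    var_dump(signature_ok($body, $sig, 'test-secret'));
    var_dump(signature_ok($body . ' ', $sig, 'test-secret'));
}
```

Capturing git's output and exit code in the log shows why a pull did nothing even when GitHub records a 200 for the delivery.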