Skip to content

Releases: jferrl/go-githubauth

v1.7.0

Choose a tag to compare

@jferrl jferrl released this 30 Jun 14:54
3d8cba2

[v1.7.0] - 2026-06-30

GitHub Enterprise Cloud (GHEC) support and a more foolproof installation-token configuration.

Added

  • Custom Base URL: New WithBaseURL option sets the API base URL verbatim (only normalizing a trailing slash), mirroring how go-github targets a custom endpoint. Unlike WithEnterpriseURL, it does not append /api/v3/, enabling GitHub Enterprise Cloud with data residency (https://api.SUBDOMAIN.ghe.com/) and pointing the client at an httptest server in tests (#50)

Changed

  • Order-independent options: WithBaseURL, WithEnterpriseURL, WithHTTPClient, and WithRetryOnThrottle can now be combined in any order. Previously WithHTTPClient rebuilt the client and silently discarded a base URL or retry setting applied before it
  • Fail-loud configuration: An invalid base URL (or a nil HTTP client) is now reported by the first call to Token() instead of silently falling back to the public GitHub API

Fixed

  • HTTP client no longer mutated: WithHTTPClient operates on a shallow copy, so the caller's *http.Client (which may be shared elsewhere) keeps its original transport
  • No panic on nil client: passing nil to WithHTTPClient now yields a clear error instead of panicking

Maintenance

  • Removed the deprecated, no-op net.Dialer.DualStack field from the pooled HTTP client
  • Renamed the unexported githubClient.client field to httpClient for clarity

Tests

  • Added coverage for WithBaseURL (GHEC and httptest URLs), option order-independence, fail-loud misconfiguration, and verification that the caller's HTTP client is not mutated

Dependencies

  • Bumped actions/cache from 5 to 6 (#49)
  • Bumped actions/checkout from 6 to 7 (#48)
  • Bumped codecov/codecov-action from 6 to 7 (#46)

Full Changelog: v1.6.0...v1.7.0

v1.6.0

Choose a tag to compare

@jferrl jferrl released this 20 Apr 10:33

✨ Features

External key store support for GitHub App JWTs

Added NewApplicationTokenSourceFromSigner which accepts any crypto.Signer with an RSA public key. Enables signing via AWS KMS, GCP KMS, Azure Key Vault, HashiCorp Vault Transit, PKCS#11 HSMs, or ssh-agent — the private key never touches process memory. Validates at construction that the signer's public key is *rsa.PublicKey (GitHub requires RS256).

signer, _ := kms.NewSigner(ctx, keyID) // any crypto.Signer backed by RSA
ts, err := githubauth.NewApplicationTokenSourceFromSigner(appID, signer)

Proactive token refresh with configurable skew

New ReuseTokenSourceWithSkew refreshes cached tokens when time.Until(exp) <= skew instead of waiting for expiry to pass. Closes the in-flight 401 window where a request starts shortly before expiry and reaches GitHub already expired.

NewApplicationTokenSource and NewInstallationTokenSource now wrap with DefaultExpirySkew (30s); tune via WithExpirySkew / WithInstallationExpirySkew. Zero/negative skew delegates to oauth2.ReuseTokenSource verbatim for backwards compatibility.

Automatic retry on installation token throttling

createInstallationToken now performs a single automatic retry when GitHub returns 429, or 403 with Retry-After / X-RateLimit-Reset headers. Sleep honors context cancellation and is capped at 60s. Terminal throttle errors wrap ErrRateLimited for errors.Is branching. Opt out via WithRetryOnThrottle(false).

New webhook subpackage

Added a webhook package for verifying GitHub webhook deliveries using constant-time HMAC-SHA256:

  • Verify(secret, body, signature) with sentinel errors (ErrMissingSignature, ErrInvalidSignatureFormat, ErrSignatureMismatch) wrapped for errors.Is / errors.As.
  • Middleware(secret, opts...) net/http middleware with body restoration, 25 MiB default cap, and 401/413 short-circuits.
  • Functional options WithMaxPayloadSize and WithErrorHandler.
  • Suitable for direct use in queue, Lambda, or Cloud Run consumers.
http.Handle("/webhook", webhook.Middleware(secret)(handler))

📦 Dependencies

  • Bump golang.org/x/oauth2 from 0.34.0 → 0.36.0
  • Bump codecov/codecov-action 5 → 6
  • Bump styfle/cancel-workflow-action 0.13.0 → 0.13.1

⚠️ Breaking / Behavior Changes

  • Minimum Go version is now 1.25 (transitively required by golang.org/x/oauth2 v0.36.0). README previously claimed 1.21; the actual floor is now enforced.
  • Token sources refresh 30s before expiry by default. Set skew to 0 via WithExpirySkew(0) / WithInstallationExpirySkew(0) to restore prior behavior.

Full Changelog: v1.5.1...v1.6.0

v2.0.1

Choose a tag to compare

@jferrl jferrl released this 10 Apr 10:59
chore: add v2 module with retract directive

Retracts the accidentally published v2.0.0 so that tools like
Renovate and pkg.go.dev no longer suggest upgrading to it.

Closes #23

v1.5.1

Choose a tag to compare

@jferrl jferrl released this 09 Feb 09:56

What's Changed

  • chore(deps): bump golang.org/x/oauth2 from 0.32.0 to 0.33.0 by @dependabot[bot] in #34
  • chore(deps): bump golangci/golangci-lint-action from 8 to 9 by @dependabot[bot] in #33
  • chore(deps): bump actions/checkout from 5 to 6 by @dependabot[bot] in #35
  • chore(deps): bump golang.org/x/oauth2 from 0.33.0 to 0.34.0 by @dependabot[bot] in #36
  • chore(deps): bump actions/cache from 4 to 5 by @dependabot[bot] in #37
  • chore(deps): bump github.com/golang-jwt/jwt/v5 from 5.3.0 to 5.3.1 by @dependabot[bot] in #39
  • chore(deps): bump styfle/cancel-workflow-action from 0.12.1 to 0.13.0 by @dependabot[bot] in #38
  • Fix regression in github enterprise url handling #40 by @luna-veil-8080 in #41

New Contributors

Full Changelog: v1.5.0...v1.5.1

v1.5.0

Choose a tag to compare

@jferrl jferrl released this 28 Oct 11:29
c395bf5

What's Changed

  • chore(deps): bump github/codeql-action from 3 to 4 by @dependabot[bot] in #31
  • chore(deps): bump golang.org/x/oauth2 from 0.31.0 to 0.32.0 by @dependabot[bot] in #30
  • refactor!: remove go-github dependency and implement internal GitHub API client by @jferrl in #32

Full Changelog: v1.4.2...v1.5.0

v1.4.2

Choose a tag to compare

@jferrl jferrl released this 19 Sep 07:11

Full Changelog: v1.4.1...v1.4.2

v1.4.1

Choose a tag to compare

@jferrl jferrl released this 19 Sep 06:27

What's Changed

  • chore: Use ReuseTokenSource in NewApplicationTokenSource by @jferrl in #22
  • chore(deps): bump golang.org/x/oauth2 from 0.30.0 to 0.31.0 by @dependabot[bot] in #25
  • chore(deps): bump actions/setup-go from 5 to 6 by @dependabot[bot] in #26
  • Potential fix for code scanning alert no. 1: Workflow does not contain permissions by @jferrl in #27
  • chore(deps): bump actions/checkout from 4 to 5 by @dependabot[bot] in #28
  • chore: upgrade github.com/google/go-github to v74 by @krancour in #29

New Contributors

Full Changelog: v1.4.0...v1.4.1

v1.4.0

Choose a tag to compare

@jferrl jferrl released this 30 Aug 10:51
732f060

What's Added

@jferrl in #21

  • Personal Access Token Support: New NewPersonalAccessTokenSource function for classic and fine-grained personal access tokens
  • Advanced Token Caching: Implemented dual-layer token caching system using oauth2.ReuseTokenSource
    • JWT tokens cached until expiration (up to 10 minutes)
    • Installation tokens cached until expiration (up to 1 hour)
  • High-Performance HTTP Client: Custom cleanHTTPClient implementation with connection pooling
    • Based on HashiCorp's go-cleanhttp patterns for production reliability
    • HTTP/2 support with persistent connections
    • No shared global state to prevent race conditions

What's Changed

  • Significant Performance Improvements: Up to 99% reduction in unnecessary token generation and GitHub API calls
  • Enhanced Documentation: Added comprehensive examples for personal access token usage
  • Optimized Memory Usage: Reduced object allocation through intelligent token reuse

Performance

  • GitHub App JWTs: Cached and reused until expiration instead of regenerating on every API call
  • Installation Tokens: Cached until expiration, dramatically reducing GitHub API rate limit consumption
  • Connection Pooling: HTTP connections reused across requests for faster GitHub API interactions
  • Production Ready: Optimized for high-throughput applications and CI/CD systems

Full Changelog: v1.3.0...v1.4.0

v1.3.0

Choose a tag to compare

@jferrl jferrl released this 17 Aug 11:53

What's Changed

  • fix: use go version from go.mod in actions build by @grinish21 in #12
  • feat: add dependabot to keep go version up to date #10 by @grinish21 in #13
  • chore(deps): bump styfle/cancel-workflow-action from 0.10.0 to 0.12.1 by @dependabot[bot] in #15
  • chore(deps): bump Go version and update dependencies by @jferrl in #16
  • chore(deps): bump actions/checkout from 4 to 5 by @dependabot[bot] in #18
  • chore(deps): bump codecov/codecov-action from 4 to 5 by @dependabot[bot] in #19
  • feat!: add Go generics support for unified App ID/Client ID authentication by @jferrl in #20

New Contributors

Full Changelog: v1.2.1...v1.3.0

v1.2.1

Choose a tag to compare

@jferrl jferrl released this 08 Aug 06:58
2e80df8

What's Changed

  • fix(deps): move jwt to v5.3.0 which fixes vuln GO-2025-3553 by @grinish21 in #9

Full Changelog: v1.2.0...v1.2.1