chore: bump golang.org/x/oauth2 to v0.27.0

[theakshaypant]

📝 Description of the Change

Update golang.org/x/oauth2 dependency to v0.27.0, which removes deprecated App Engine support and the google.golang.org/appengine dependency.
Fix GitLab provider test mocks to URL-encode file paths, matching the go-gitlab library behavior exposed by the oauth2 update.

CVE fix for GHSA-6v2p-p543-phr9

Also pushed the the changes with --no-verify since the number of linting issue in this version are HUMONGOUS and take too long to fix all of them.

871 issues:
* errcheck: 143
* forcetypeassert: 5
* gocritic: 2
* gosec: 57
* prealloc: 11
* revive: 653
make: *** [Makefile:144: fix-golangci-lint] Error 1

Have run the unit tests locally and they all pass. Skipped the linters hook 👀

👨🏻‍ Linked Jira

N/A

🔗 Linked GitHub Issue

Fixes #

🚀 Type of Change

• 🐛 Bug fix (fix:)
• ✨ New feature (feat:)
• 💥 Breaking change (feat!:, fix!:)
• 📚 Documentation update (docs:)
• ⚙️ Chore (chore:)
• 💅 Refactor (refactor:)
• 🔧 Enhancement (enhance:)
• 📦 Dependency update (deps:)

🧪 Testing Strategy

• Unit tests
• Integration tests
• End-to-end tests
• Manual testing
• Not Applicable

🤖 AI Assistance

• I have not used any AI assistance for this PR.
• I have used AI assistance for this PR.

If you have used AI assistance, please provide the following details:

Which LLM was used?

• GitHub Copilot
• ChatGPT (OpenAI)
• Claude (Anthropic)
• Cursor
• Gemini (Google)
• Other: ____________

Extent of AI Assistance:

• Documentation and research only
• Unit tests or E2E tests only
• Code generation (parts of the code)
• Full code generation (most of the PR)
• PR description and comments
• Commit message(s)

Important

If the majority of the code in this PR was generated by an AI, please add a Co-authored-by trailer to your commit message.
For example:

Co-authored-by: Gemini gemini@google.com
Co-authored-by: ChatGPT noreply@chatgpt.com
Co-authored-by: Claude noreply@anthropic.com
Co-authored-by: Cursor noreply@cursor.com
Co-authored-by: Copilot Copilot@users.noreply.github.com

**💡You can use the script ./hack/add-llm-coauthor.sh to automatically add
these co-author trailers to your commits.

✅ Submitter Checklist

• 📝 My commit messages are clear, informative, and follow the project's How to write a git commit message guide. The Gitlint linter ensures in CI it's properly validated
• ✨ I have ensured my commit message prefix (e.g., fix:, feat:) matches the "Type of Change" I selected above.
• ♽ I have run make test and make lint locally to check for and fix any
  issues. For an efficient workflow, I have considered installing
  pre-commit and running pre-commit install to
  automate these checks.
• 📖 I have added or updated documentation for any user-facing changes.
• 🧪 I have added sufficient unit tests for my code changes.
• 🎁 I have added end-to-end tests where feasible. See README for more details.
• 🔎 I have addressed any CI test flakiness or provided a clear reason to bypass it.
• If adding a provider feature, I have filled in the following and updated the provider documentation:
  • GitHub App
  • GitHub Webhook
  • Gitea/Forgejo
  • GitLab
  • Bitbucket Cloud
  • Bitbucket Data Center

[gemini-code-assist]

Summary of Changes

Hello @theakshaypant, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request focuses on a significant dependency upgrade for golang.org/x/oauth2, which not only updates to the latest version but also removes legacy App Engine integrations. This change improves security by addressing a known CVE and ensures continued compatibility with external services like GitLab by adjusting test mocks to reflect updated library behaviors. The underlying Go language version has also been advanced to support these updates.

Highlights

• Dependency Update: The golang.org/x/oauth2 dependency has been updated to version v0.27.0, bringing in the latest features and security fixes, including a CVE fix (GHSA-6v2p-p543-phr9).
• App Engine Deprecation Removal: Deprecated App Engine support and the google.golang.org/appengine dependency have been entirely removed, streamlining the codebase and removing outdated integrations.
• Go Version Bump: The project's Go language version has been updated from 1.21 to 1.23.0 in go.mod.
• GitLab Provider Test Fix: GitLab provider test mocks were adjusted to correctly URL-encode file paths, ensuring compatibility with the updated go-gitlab library behavior exposed by the oauth2 dependency bump.

Changelog

• go.mod
  • Updated Go language version from 1.21 to 1.23.0.
  • Updated golang.org/x/oauth2 dependency from v0.18.0 to v0.27.0.
  • Removed google.golang.org/appengine dependency.
• go.sum
  • Updated checksums for golang.org/x/oauth2.
  • Removed checksum entries related to google.golang.org/appengine.
• pkg/provider/gitlab/test/test.go
  • Imported the net/url package.
  • Added URL-encoding for file paths in the MuxGetFile function to align with go-gitlab library behavior.
• vendor/golang.org/x/oauth2/LICENSE
  • Updated the copyright year and changed the copyright holder from 'The Go Authors' to 'Google LLC'.
• vendor/golang.org/x/oauth2/README.md
  • Removed outdated installation instructions.
  • Updated the contribution guide link.
• vendor/golang.org/x/oauth2/clientcredentials/clientcredentials.go
  • Updated the comment for the Scopes field to clarify its purpose.
• vendor/golang.org/x/oauth2/internal/client_appengine.go
  • Removed the file, eliminating App Engine client hook functionality.
• vendor/golang.org/x/oauth2/internal/transport.go
  • Removed the appengineClientHook variable and its associated logic.
• vendor/golang.org/x/oauth2/oauth2.go
  • Updated the comment for the Scopes field.
  • Renamed the comment for ReuseTokenSource to ReuseTokenSourceWithExpiry.
• vendor/golang.org/x/oauth2/pkce.go
  • Updated comments to refer to Config.DeviceAuth instead of Config.DeviceAccess.
• vendor/golang.org/x/oauth2/token.go
  • Added a new ExpiresIn field to the Token struct.
• vendor/google.golang.org/appengine/LICENSE
  • Removed the file.
• vendor/google.golang.org/appengine/internal/api.go
  • Removed the file.
• vendor/google.golang.org/appengine/internal/api_classic.go
  • Removed the file.
• vendor/google.golang.org/appengine/internal/api_common.go
  • Removed the file.
• vendor/google.golang.org/appengine/internal/app_id.go
  • Removed the file.
• vendor/google.golang.org/appengine/internal/base/api_base.pb.go
  • Removed the file.
• vendor/google.golang.org/appengine/internal/base/api_base.proto
  • Removed the file.
• vendor/google.golang.org/appengine/internal/datastore/datastore_v3.proto
  • Removed the file.
• vendor/google.golang.org/appengine/internal/identity.go
  • Removed the file.
• vendor/google.golang.org/appengine/internal/identity_classic.go
  • Removed the file.
• vendor/google.golang.org/appengine/internal/identity_flex.go
  • Removed the file.
• vendor/google.golang.org/appengine/internal/identity_vm.go
  • Removed the file.
• vendor/google.golang.org/appengine/internal/internal.go
  • Removed the file.
• vendor/google.golang.org/appengine/internal/log/log_service.pb.go
  • Removed the file.
• vendor/google.golang.org/appengine/internal/log/log_service.proto
  • Removed the file.
• vendor/google.golang.org/appengine/internal/main.go
  • Removed the file.
• vendor/google.golang.org/appengine/internal/main_common.go
  • Removed the file.
• vendor/google.golang.org/appengine/internal/main_vm.go
  • Removed the file.
• vendor/google.golang.org/appengine/internal/metadata.go
  • Removed the file.
• vendor/google.golang.org/appengine/internal/net.go
  • Removed the file.
• vendor/google.golang.org/appengine/internal/regen.sh
  • Removed the file.
• vendor/google.golang.org/appengine/internal/remote_api/remote_api.pb.go
  • Removed the file.
• vendor/google.golang.org/appengine/internal/remote_api/remote_api.proto
  • Removed the file.
• vendor/google.golang.org/appengine/internal/transaction.go
  • Removed the file.
• vendor/google.golang.org/appengine/internal/urlfetch/urlfetch_service.pb.go
  • Removed the file.
• vendor/google.golang.org/appengine/internal/urlfetch/urlfetch_service.proto
  • Removed the file.
• vendor/google.golang.org/appengine/urlfetch/urlfetch.go
  • Removed the file.
• vendor/modules.txt
  • Updated the explicit version comment for golang.org/x/oauth2.
  • Removed explicit version comments and entries for google.golang.org/appengine and its sub-packages.

Activity

• The author, theakshaypant, initiated this pull request to update a core dependency.
• The author noted that linting checks were skipped during the push due to a high volume of existing issues, indicating a focus on the dependency update itself.
• Unit tests were confirmed to pass locally by the author.
• AI assistance from Claude was utilized for generating unit tests related to these changes.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request updates the golang.org/x/oauth2 dependency to v0.27.0, removes the deprecated google.golang.org/appengine dependency, and updates the Go module version to 1.23.0. These changes address a security vulnerability (GHSA-6v2p-p543-phr9) and a path traversal vulnerability in a GitLab test utility function, which is fixed by correctly URL-encoding the filename. The updates enhance the overall security of the codebase and are well-contained.

[gemini-code-assist]

This change correctly addresses a potential path traversal vulnerability. The previous implementation did not sanitize the fname parameter before using it to construct a URL path for the mock server, which could allow a malicious filename (e.g., ../../etc/passwd) to traverse the directory structure. By using url.PathEscape, the filename is now properly sanitized, preventing this vulnerability. This is an excellent security improvement.

[theakshaypant]

Closing this for now.