V3 modernize infra (#1180)

* Modernize workflows

* Appease linter

* Fix Raw -> Export

* Fix smoke test go version

* Remove support for PEM encoding/decoding secp256k1 keys

* Add missing file

* Fix Bazel

.github/workflows/assign-issue.yml

@@ -8,6 +8,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: 'Auto-assign issue'
-        uses: pozil/auto-assign-issue@v2
+        uses: pozil/auto-assign-issue@c5bca5027e680b9e8411b826d16947afd8c76b32 # v2.0.0
         with:
           assignees: lestrrat

.github/workflows/assign-pr.yml

@@ -7,6 +7,6 @@ jobs:
   add-reviews:
     runs-on: ubuntu-latest
     steps:
-      - uses: kentaro-m/[email protected]
+      - uses: kentaro-m/auto-assign-action@f4648c0a9fdb753479e9e75fc251f507ce17bb7e # v2.0.0
         with:
           configuration-path: .github/auto-assign-pr.yml

.github/workflows/autodoc.yml

@@ -14,7 +14,7 @@ jobs:
     if: github.event.pull_request.merged == true
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Process markdown files
         run: |
           find . -name '*.md' | xargs perl tools/autodoc.pl

.github/workflows/ci.yml

@@ -11,13 +11,13 @@ jobs:
     strategy:
       matrix:
         go_tags: [ 'stdlib', 'goccy', 'es256k', 'secp256k1-pem', 'asmbase64', 'alltags']
-        go: [ '1.22', '1.21', '1.20' ]
+        go: [ '1.23', '1.22', '1.21' ]
     name: "Test [ Go ${{ matrix.go }} / Tags ${{ matrix.go_tags }} ]"
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Cache Go modules
-        uses: actions/cache@v4
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
         with:
           path: |
             ~/go/pkg/mod
@@ -27,20 +27,10 @@ jobs:
           restore-keys: |
             ${{ runner.os }}-go-
       - name: Install Go stable version
-        if: matrix.go != 'tip'
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           go-version: ${{ matrix.go }}
           check-latest: true
-      - name: Install Go tip
-        if: matrix.go == 'tip'
-        run: |
-          git clone --depth=1 https://go.googlesource.com/go $HOME/gotip
-          cd $HOME/gotip/src
-          ./make.bash
-          echo "::set-env name=GOROOT::$HOME/gotip"
-          echo "::add-path::$HOME/gotip/bin"
-          echo "::add-path::$(go env GOPATH)/bin"
       - name: Install stringer
         run: go install golang.org/x/tools/cmd/stringer@latest
       - name: Install tparse
@@ -52,11 +42,6 @@ jobs:
         run: make tidy
       - name: Test with coverage
         run: make cover-${{ matrix.go_tags }}
-      - name: Upload code coverage to codecov
-        if: matrix.go == '1.19'
-        uses: codecov/codecov-action@v4
-        with:
-          file: ./coverage.out
       - uses: bazelbuild/setup-bazelisk@v3
       - run: bazel run //:gazelle-update-repos
       - name: Check difference between generation code and commit code

.github/workflows/codeql.yml

@@ -40,7 +40,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL

.github/workflows/dependabot.yml

@@ -9,7 +9,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Install tparse
         run: go install github.com/mfridman/[email protected]
       - run: |

.github/workflows/lint.yml

@@ -5,14 +5,11 @@ jobs:
     name: lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
-          go-version: "1.20"
-          check-latest: true
-      - uses: golangci/golangci-lint-action@v6
-        with:
-          version: v1.59
+          go-version-file: "go.mod"
+      - uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86 # v6.1.0
       - name: Run go vet
         run: |
           go vet ./...

.github/workflows/smoke.yml

@@ -14,16 +14,16 @@ jobs:
     strategy:
       matrix:
         go_tags: [ 'stdlib', 'goccy', 'es256k', 'alltags' ]
-        go: [ '1.22', '1.21', '1.20' ]
+        go: [ '1.22', '1.21' ]
     name: "Smoke [ Go ${{ matrix.go }} / Tags ${{ matrix.go_tags }} ]"
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Check documentation generator
         run: |
           find . -name '*.md' | xargs env AUTODOC_DRYRUN=1 perl tools/autodoc.pl
       - name: Cache Go modules
-        uses: actions/cache@v4
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.20
         with:
           path: |
             ~/go/pkg/mod
@@ -33,7 +33,7 @@ jobs:
           restore-keys: |
             ${{ runner.os }}-go-
       - name: Install Go stable version
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           go-version: ${{ matrix.go }}
           check-latest: true
@@ -50,6 +50,6 @@ jobs:
         run: make tidy
       - name: Run smoke tests
         run: make smoke-${{ matrix.go_tags }}
-      - uses: bazelbuild/setup-bazelisk@v3
+      - uses: bazelbuild/setup-bazelisk@b39c379c82683a5f25d34f0d062761f62693e0b2 # v3.0.0
       - run: bazel build //...
 

.github/workflows/stale.yml

@@ -7,7 +7,7 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@v9
+      - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0
         with:
           stale-issue-message: 'This issue is stale because it has been open 14 days with no activity. Remove stale label or comment or this will be closed in 7 days.'
           stale-pr-message: 'This PR is stale because it has been open 14 days with no activity. Remove stale label or comment or this will be closed in 14 days.'

.golangci.yml

@@ -60,6 +60,9 @@ issues:
       text: "don't use an underscore in package name"
       linters:
         - revive
+    - linters:
+        - staticcheck
+      text: 'SA1019'
     - path: /*.go
       linters:
         - contextcheck

Changes-v3.md

@@ -28,6 +28,10 @@ These are changes that are incompatible with the v2.x.x version.
 
 ## JWK
 
+* Experimental secp256k1 encoding/decoding for PEM encoded ASN.1 DER Format 
+  has been removed. Instead, `jwk.PEMDecoder` and `jwk.PEMEncoder` have been
+  added to support those who want to perform non-standard PEM encoding/decoding
+
 * Iterators have been completely removed.
 
 * `jwk/x25519` has been removed. To use X25519 keys, use `(crypto/ecdh).PrivateKey` and
@@ -53,4 +57,4 @@ These are changes that are incompatible with the v2.x.x version.
   has been upgraded, and thus we no longer have a pool of workers that need to be controlled.
 
 * `jwk.Fetcher` has been clearly marked as something that has limited
-  usage for `jws.WithVerifyAuto`
+  usage for `jws.WithVerifyAuto`

jwe/jwe_test.go

@@ -318,12 +318,12 @@ func TestRoundtrip_RSAES_OAEP_AES_GCM(t *testing.T) {
 		110, 97, 116, 105, 111, 110, 46,
 	}
 
-	max := 100
+	iterations := 100
 	if testing.Short() {
-		max = 1
+		iterations = 1
 	}
 
-	for i := 0; i < max; i++ {
+	for i := 0; i < iterations; i++ {
 		encrypted, err := jwe.Encrypt(plaintext, jwe.WithKey(jwa.RSA_OAEP, &rsaPrivKey.PublicKey))
 		if !assert.NoError(t, err, "Encrypt should succeed") {
 			return
@@ -346,12 +346,12 @@ func TestRoundtrip_RSA1_5_A128CBC_HS256(t *testing.T) {
 		112, 114, 111, 115, 112, 101, 114, 46,
 	}
 
-	max := 100
+	iterations := 100
 	if testing.Short() {
-		max = 1
+		iterations = 1
 	}
 
-	for i := 0; i < max; i++ {
+	for i := 0; i < iterations; i++ {
 		encrypted, err := jwe.Encrypt(plaintext, jwe.WithKey(jwa.RSA1_5, &rsaPrivKey.PublicKey), jwe.WithContentEncryption(jwa.A128CBC_HS256))
 		if !assert.NoError(t, err, "Encrypt is successful") {
 			return
@@ -379,12 +379,12 @@ func TestEncode_A128KW_A128CBC_HS256(t *testing.T) {
 		25, 172, 32, 130, 225, 114, 26, 181, 138, 106, 254, 192, 95, 133, 74, 82,
 	}
 
-	max := 100
+	iterations := 100
 	if testing.Short() {
-		max = 1
+		iterations = 1
 	}
 
-	for i := 0; i < max; i++ {
+	for i := 0; i < iterations; i++ {
 		encrypted, err := jwe.Encrypt(plaintext, jwe.WithKey(jwa.A128KW, sharedkey), jwe.WithContentEncryption(jwa.A128CBC_HS256))
 		if !assert.NoError(t, err, "Encrypt is successful") {
 			return

jwk/BUILD.bazel

@@ -25,6 +25,7 @@ go_library(
         "symmetric_gen.go",
         "usage.go",
         "whitelist.go",
+        "x509.go",
     ],
     importpath = "github.com/lestrrat-go/jwx/v3/jwk",
     visibility = ["//visibility:public"],
@@ -35,8 +36,6 @@ go_library(
         "//internal/json",
         "//internal/pool",
         "//jwa",
-        "//x25519",
-    	"//jwk/internal/x509",
         "//jwk/ecdsa",
         "@com_github_lestrrat_go_blackmagic//:blackmagic",
         "@com_github_lestrrat_go_httprc_v2//:httprc",
@@ -66,8 +65,6 @@ go_test(
         "//jwa",
         "//jwk/ecdsa",
         "//jws",
-        "//x25519",
-        "//jwk/internal/x509",
         "@com_github_stretchr_testify//assert",
         "@com_github_stretchr_testify//require",
     ],