Releases: jferrl/go-githubauth

v1.6.0

20 Apr 10:33

✨ Features

External key store support for GitHub App JWTs

Added NewApplicationTokenSourceFromSigner which accepts any crypto.Signer with an RSA public key. Enables signing via AWS KMS, GCP KMS, Azure Key Vault, HashiCorp Vault Transit, PKCS#11 HSMs, or ssh-agent — the private key never touches process memory. Validates at construction that the signer's public key is *rsa.PublicKey (GitHub requires RS256).

signer, _ := kms.NewSigner(ctx, keyID) // any crypto.Signer backed by RSA
ts, err := githubauth.NewApplicationTokenSourceFromSigner(appID, signer)

Proactive token refresh with configurable skew

New ReuseTokenSourceWithSkew refreshes cached tokens when time.Until(exp) <= skew instead of waiting for expiry to pass. Closes the in-flight 401 window where a request starts shortly before expiry and reaches GitHub already expired.

NewApplicationTokenSource and NewInstallationTokenSource now wrap with DefaultExpirySkew (30s); tune via WithExpirySkew / WithInstallationExpirySkew. Zero/negative skew delegates to oauth2.ReuseTokenSource verbatim for backwards compatibility.
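
The refresh rule and the window it closes, as an added example that is not the library's implementation: a cached token source on a fake clock, where a second request arrives 15s before expiry. skewSource, mintsFor and the one-hour lifetime are assumptions of this example.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

type token struct {
	value  string
	expiry time.Time
}
// skewSource re-mints its cached token once time-to-expiry <= skew (example names).
type skewSource struct {
	mu    sync.Mutex
	mint  func() (token, error) // fetches a fresh token
	now   func() time.Time      // injectable clock
	skew  time.Duration
	cache token
}

func (s *skewSource) Token() (token, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.cache.value != "" && s.cache.expiry.Sub(s.now()) > s.skew {
		return s.cache, nil // still outlives the skew window: reuse
	}
	t, err := s.mint()
	if err != nil {
		return token{}, err
	}
	s.cache = t
	return t, nil
}

// mintsFor replays requests at t=0 and 15s before expiry; returns tokens minted.
func mintsFor(skew time.Duration) int {
	clock, mints := time.Unix(1700000000, 0), 0
	s := &skewSource{skew: skew, now: func() time.Time { return clock }}
	s.mint = func() (token, error) {
		mints++
		return token{fmt.Sprint("tok-", mints), clock.Add(time.Hour)}, nil
	}
	s.Token()
	clock = clock.Add(time.Hour - 15*time.Second)
	s.Token()
	return mints
}

func main() { fmt.Println(mintsFor(0), mintsFor(30*time.Second)) }
```

With no skew the second request reuses a token that has 15s left and can expire in flight; with a 30s skew it gets a fresh one.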

Automatic retry on installation token throttling

createInstallationToken now performs a single automatic retry when GitHub returns 429, or 403 with Retry-After / X-RateLimit-Reset headers. Sleep honors context cancellation and is capped at 60s. Terminal throttle errors wrap ErrRateLimited for errors.Is branching. Opt out via WithRetryOnThrottle(false).
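
One way to turn the rule above into a retry decision, as an added example and not the project's code: classify the response, read Retry-After or X-RateLimit-Reset, and clamp the wait to the 60s cap. The function name throttleDelay, the 1s wait for a 429 without a timing header, and treating an unparseable header as non-retryable are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"strconv"
	"time"
)

const maxSleepSecs = 60 // cap stated in the release note

// throttleDelay reports whether a response is throttling that merits the one
// retry, and how long to wait first. The function name and the 1s wait for a
// 429 that carries no timing header are assumptions of this example.
func throttleDelay(status int, h http.Header, now time.Time) (time.Duration, bool) {
	if status != http.StatusTooManyRequests && status != http.StatusForbidden {
		return 0, false
	}
	secs := int64(1)
	if v := h.Get("Retry-After"); v != "" {
		n, err := strconv.ParseInt(v, 10, 64)
		if err != nil {
			return 0, false // unparseable hint: do not guess
		}
		secs = n
	} else if v := h.Get("X-RateLimit-Reset"); v != "" {
		epoch, err := strconv.ParseInt(v, 10, 64) // Unix seconds
		if err != nil {
			return 0, false
		}
		secs = epoch - now.Unix()
	} else if status == http.StatusForbidden {
		return 0, false // 403 without throttle headers: a permission error
	}
	// Clamp while still in seconds so a huge header value cannot overflow
	// time.Duration; a reset time already in the past means retry at once.
	if secs < 0 {
		secs = 0
	}
	if secs > maxSleepSecs {
		secs = maxSleepSecs
	}
	return time.Duration(secs) * time.Second, true
}

func main() {
	h := http.Header{}
	h.Set("Retry-After", "120")
	fmt.Println(throttleDelay(http.StatusForbidden, h, time.Now()))
}
```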

New webhook subpackage

Added a webhook package for verifying GitHub webhook deliveries using constant-time HMAC-SHA256:

  • Verify(secret, body, signature) with sentinel errors (ErrMissingSignature, ErrInvalidSignatureFormat, ErrSignatureMismatch) wrapped for errors.Is / errors.As.
  • Middleware(secret, opts...) net/http middleware with body restoration, 25 MiB default cap, and 401/413 short-circuits.
  • Functional options WithMaxPayloadSize and WithErrorHandler.
  • Suitable for direct use in queue, Lambda, or Cloud Run consumers.

http.Handle("/webhook", webhook.Middleware(secret)(handler))
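
The verification step on its own, as an added example and not the webhook package's source: it checks a value in the "sha256=<hex>" form GitHub sends in X-Hub-Signature-256 against the raw body and keeps the three failure cases distinct. Function and error names, the secret and the payload are constructed for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Sentinel names are this example's own, mirroring the three cases above.
var (
	errMissing  = errors.New("missing signature")
	errFormat   = errors.New("invalid signature format")
	errMismatch = errors.New("signature mismatch")
)

const prefix = "sha256=" // value format of GitHub's X-Hub-Signature-256 header

func computeMAC(secret, body []byte) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body) // the raw bytes as received, before any JSON decoding
	return mac.Sum(nil)
}

func verifySignature(secret, body []byte, header string) error {
	if header == "" {
		return errMissing
	}
	if !strings.HasPrefix(header, prefix) {
		return errFormat
	}
	got, err := hex.DecodeString(header[len(prefix):])
	if err != nil || len(got) != sha256.Size {
		return errFormat
	}
	// hmac.Equal is constant-time: no early exit on the first differing byte.
	if !hmac.Equal(got, computeMAC(secret, body)) {
		return errMismatch
	}
	return nil
}

func main() {
	secret, body := []byte("constructed-secret"), []byte(`{"action":"opened"}`)
	good := prefix + hex.EncodeToString(computeMAC(secret, body))
	fmt.Println(verifySignature(secret, body, good))
	fmt.Println(verifySignature(secret, append(body, ' '), good))
}
```

The second call fails on a single appended space, which is why the MAC has to be computed over the bytes as received rather than over a re-serialized payload.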

📦 Dependencies

  • Bump golang.org/x/oauth2 from 0.34.0 → 0.36.0
  • Bump codecov/codecov-action 5 → 6
  • Bump styfle/cancel-workflow-action 0.13.0 → 0.13.1

⚠️ Breaking / Behavior Changes

  • Minimum Go version is now 1.25 (transitively required by golang.org/x/oauth2 v0.36.0). README previously claimed 1.21; the actual floor is now enforced.
  • Token sources refresh 30s before expiry by default. Set skew to 0 via WithExpirySkew(0) / WithInstallationExpirySkew(0) to restore prior behavior.

Full Changelog: v1.5.1...v1.6.0

v2.0.1

10 Apr 10:59

chore: add v2 module with retract directive

Retracts the accidentally published v2.0.0 so that tools like
Renovate and pkg.go.dev no longer suggest upgrading to it.

Closes #23

v1.5.1

09 Feb 09:56

What's Changed

  • chore(deps): bump golang.org/x/oauth2 from 0.32.0 to 0.33.0 by @dependabot[bot] in #34
  • chore(deps): bump golangci/golangci-lint-action from 8 to 9 by @dependabot[bot] in #33
  • chore(deps): bump actions/checkout from 5 to 6 by @dependabot[bot] in #35
  • chore(deps): bump golang.org/x/oauth2 from 0.33.0 to 0.34.0 by @dependabot[bot] in #36
  • chore(deps): bump actions/cache from 4 to 5 by @dependabot[bot] in #37
  • chore(deps): bump github.com/golang-jwt/jwt/v5 from 5.3.0 to 5.3.1 by @dependabot[bot] in #39
  • chore(deps): bump styfle/cancel-workflow-action from 0.12.1 to 0.13.0 by @dependabot[bot] in #38
  • Fix regression in github enterprise url handling #40 by @luna-veil-8080 in #41

Full Changelog: v1.5.0...v1.5.1

v1.5.0

28 Oct 11:29
c395bf5

What's Changed

  • chore(deps): bump github/codeql-action from 3 to 4 by @dependabot[bot] in #31
  • chore(deps): bump golang.org/x/oauth2 from 0.31.0 to 0.32.0 by @dependabot[bot] in #30
  • refactor!: remove go-github dependency and implement internal GitHub API client by @jferrl in #32

Full Changelog: v1.4.2...v1.5.0

v1.4.2

19 Sep 07:11

Full Changelog: v1.4.1...v1.4.2

v1.4.1

19 Sep 06:27

What's Changed

  • chore: Use ReuseTokenSource in NewApplicationTokenSource by @jferrl in #22
  • chore(deps): bump golang.org/x/oauth2 from 0.30.0 to 0.31.0 by @dependabot[bot] in #25
  • chore(deps): bump actions/setup-go from 5 to 6 by @dependabot[bot] in #26
  • Potential fix for code scanning alert no. 1: Workflow does not contain permissions by @jferrl in #27
  • chore(deps): bump actions/checkout from 4 to 5 by @dependabot[bot] in #28
  • chore: upgrade github.com/google/go-github to v74 by @krancour in #29

Full Changelog: v1.4.0...v1.4.1

v1.4.0

30 Aug 10:51
732f060

What's Added

@jferrl in #21

  • Personal Access Token Support: New NewPersonalAccessTokenSource function for classic and fine-grained personal access tokens
  • Advanced Token Caching: Implemented dual-layer token caching system using oauth2.ReuseTokenSource
    • JWT tokens cached until expiration (up to 10 minutes)
    • Installation tokens cached until expiration (up to 1 hour)
  • High-Performance HTTP Client: Custom cleanHTTPClient implementation with connection pooling
    • Based on HashiCorp's go-cleanhttp patterns for production reliability
    • HTTP/2 support with persistent connections
    • No shared global state to prevent race conditions

What's Changed

  • Significant Performance Improvements: Up to 99% reduction in unnecessary token generation and GitHub API calls
  • Enhanced Documentation: Added comprehensive examples for personal access token usage
  • Optimized Memory Usage: Reduced object allocation through intelligent token reuse

Performance

  • GitHub App JWTs: Cached and reused until expiration instead of regenerating on every API call
  • Installation Tokens: Cached until expiration, dramatically reducing GitHub API rate limit consumption
  • Connection Pooling: HTTP connections reused across requests for faster GitHub API interactions
  • Production Ready: Optimized for high-throughput applications and CI/CD systems

Full Changelog: v1.3.0...v1.4.0

v1.3.0

17 Aug 11:53

What's Changed

  • fix: use go version from go.mod in actions build by @grinish21 in #12
  • feat: add dependabot to keep go version up to date #10 by @grinish21 in #13
  • chore(deps): bump styfle/cancel-workflow-action from 0.10.0 to 0.12.1 by @dependabot[bot] in #15
  • chore(deps): bump Go version and update dependencies by @jferrl in #16
  • chore(deps): bump actions/checkout from 4 to 5 by @dependabot[bot] in #18
  • chore(deps): bump codecov/codecov-action from 4 to 5 by @dependabot[bot] in #19
  • feat!: add Go generics support for unified App ID/Client ID authentication by @jferrl in #20

Full Changelog: v1.2.1...v1.3.0

v1.2.1

08 Aug 06:58
2e80df8

What's Changed

  • fix(deps): move jwt to v5.3.0 which fixes vuln GO-2025-3553 by @grinish21 in #9

Full Changelog: v1.2.0...v1.2.1

v1.2.0

18 Mar 08:50
b616ce7

Full Changelog: v1.1.1...v1.2.0