Update v2 (#894)

* Update deps * Protect jws.Verify() and jwe.Encrypt() from panic on go1.19+ (#841) * Protect jws.Verify() from panic on go1.19+ * Same problem, but in jwe * Update Changes * fix example (#843) I have a feeling we inadvertently reverted some commit * Action updates, doc tweaks (#844) * Use tparse (#845) * Use tparse * s/all/alltags/ * fix typo (#846) * fix typo (#847) * Bump kentaro-m/auto-assign-action from 1.2.0 to 1.2.4 (#848) Bumps [kentaro-m/auto-assign-action](https://github.com/kentaro-m/auto-assign-action) from 1.2.0 to 1.2.4. - [Release notes](https://github.com/kentaro-m/auto-assign-action/releases) - [Commits](kentaro-m/auto-assign-action@v1.2.0...v1.2.4) --- updated-dependencies: - dependency-name: kentaro-m/auto-assign-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump codecov/codecov-action from 1 to 3 (#849) Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 1 to 3. - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](codecov/codecov-action@v1...v3) --- updated-dependencies: - dependency-name: codecov/codecov-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Work with invalid JWT buffers better (#851) * Work with invalid JWT buffers better * spelling * Update Changes * typo * Tweak Changes * Update Changes * Bump github.com/goccy/go-json from 0.9.11 to 0.10.0 (#855) Bumps [github.com/goccy/go-json](https://github.com/goccy/go-json) from 0.9.11 to 0.10.0. - [Release notes](https://github.com/goccy/go-json/releases) - [Changelog](https://github.com/goccy/go-json/blob/master/CHANGELOG.md) - [Commits](goccy/go-json@v0.9.11...v0.10.0) --- updated-dependencies: - dependency-name: github.com/goccy/go-json dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump github.com/lestrrat-go/option from 1.0.0 to 1.0.1 (#858) Bumps [github.com/lestrrat-go/option](https://github.com/lestrrat-go/option) from 1.0.0 to 1.0.1. - [Release notes](https://github.com/lestrrat-go/option/releases) - [Commits](lestrrat-go/option@v1.0.0...v1.0.1) --- updated-dependencies: - dependency-name: github.com/lestrrat-go/option dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump actions/stale from 6 to 7 (#859) Bumps [actions/stale](https://github.com/actions/stale) from 6 to 7. - [Release notes](https://github.com/actions/stale/releases) - [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md) - [Commits](actions/stale@v6...v7) --- updated-dependencies: - dependency-name: actions/stale dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Tweak v2 tests (#863) * Port changes from #862 * Actually report errors * fix expected result * Unbeknownst to me, benchstat seems to have changed * Update Contribution Guidelines * Fix generated header file comments (#867) The generated file header should match regexp: ^// Code generated .* DO NOT EDIT\.$ See https://golang.org/s/generatedcode. * Remove unused variables in ReadFile (#866) * Bump kentaro-m/auto-assign-action from 1.2.4 to 1.2.5 (#868) Bumps [kentaro-m/auto-assign-action](https://github.com/kentaro-m/auto-assign-action) from 1.2.4 to 1.2.5. - [Release notes](https://github.com/kentaro-m/auto-assign-action/releases) - [Commits](kentaro-m/auto-assign-action@v1.2.4...v1.2.5) --- updated-dependencies: - dependency-name: kentaro-m/auto-assign-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Update tool deps (#869) * Try updating tools for genjwt * Update genjws * Update genjwe * Update genjwk * Update genjwa * Update genjwk * Updage genoptions * Update genreadfile * Fix PEM armor for EC private keys when encoding (#876) * Incorporate #875 * Test PEM roundtrip for other key types * Use more constants * Bump golang.org/x/crypto from 0.0.0-20220427172511-eb4f295cb31f to 0.6.0 (#871) * Bump golang.org/x/crypto from 0.0.0-20220427172511-eb4f295cb31f to 0.6.0 Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.0.0-20220427172511-eb4f295cb31f to 0.6.0. - [Release notes](https://github.com/golang/crypto/releases) - [Commits](https://github.com/golang/crypto/commits/v0.6.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * run appropriate `go get` and `go mod tidy` all over --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Daisuke Maki <lestrrat+github@gmail.com> * Bump github.com/stretchr/testify from 1.8.1 to 1.8.2 (#873) * Bump github.com/stretchr/testify from 1.8.1 to 1.8.2 Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.8.1 to 1.8.2. - [Release notes](https://github.com/stretchr/testify/releases) - [Commits](stretchr/testify@v1.8.1...v1.8.2) --- updated-dependencies: - dependency-name: github.com/stretchr/testify dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> * run appropriate `go get` and `go mod tidy` all over --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Daisuke Maki <lestrrat+github@gmail.com> * Update Changes * Create codeql.yml * Bump golang.org/x/crypto from 0.6.0 to 0.7.0 (#877) * Bump golang.org/x/crypto from 0.6.0 to 0.7.0 Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.6.0 to 0.7.0. - [Release notes](https://github.com/golang/crypto/releases) - [Commits](golang/crypto@v0.6.0...v0.7.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * run go get and make tidy --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Daisuke Maki <lestrrat+github@gmail.com> * Add bazel support (#880) * Attempt to enable bazel * enable bazel building in smoke tests too * tweak order * Add explicit imports * Add deps.bzl * remove unused file reference * Add missing BUILD file * Add missing BUILD file * add missing BUILD.bazel files * add .bazelversion * Add aspect presets * Update Changes/README * Create an auto-merge action for dependabot (#884) * Create an auto-merge action for dependabot * approve and merge * indent * Bump github.com/goccy/go-json from 0.10.0 to 0.10.1 (#882) * Bump github.com/goccy/go-json from 0.10.0 to 0.10.1 Bumps [github.com/goccy/go-json](https://github.com/goccy/go-json) from 0.10.0 to 0.10.1. - [Release notes](https://github.com/goccy/go-json/releases) - [Changelog](https://github.com/goccy/go-json/blob/master/CHANGELOG.md) - [Commits](goccy/go-json@v0.10.0...v0.10.1) --- updated-dependencies: - dependency-name: github.com/goccy/go-json dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> * Run make tidy + bazel gazelle-update-repos --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Daisuke Maki <lestrrat+github@gmail.com> * Fix jwk cache docs (#885) * Fix example comment * Upon re-reading, this sentence does not need to exist * autodoc updates (#886) Co-authored-by: lestrrat <lestrrat@users.noreply.github.com> * Bump actions/setup-go from 3 to 4 (#887) Bumps [actions/setup-go](https://github.com/actions/setup-go) from 3 to 4. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](actions/setup-go@v3...v4) --- updated-dependencies: - dependency-name: actions/setup-go dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Allow "none" algorithm when signing with explicit option (#890) * Add test case for #888 * Catch the use of "none" when used in conjunction with jws.WithKey * first pass implementing (jwt/jws).Sign that allows alg="none" * regenerate jwt options * appease linter * Check for jws.Sign/Verify * OK to _sign_ using `none`, but no verification * Tweak Changes * typo (#893) * Bump github.com/goccy/go-json from 0.10.1 to 0.10.2 (#892) * Bump github.com/goccy/go-json from 0.10.1 to 0.10.2 Bumps [github.com/goccy/go-json](https://github.com/goccy/go-json) from 0.10.1 to 0.10.2. - [Release notes](https://github.com/goccy/go-json/releases) - [Changelog](https://github.com/goccy/go-json/blob/master/CHANGELOG.md) - [Commits](goccy/go-json@v0.10.1...v0.10.2) --- updated-dependencies: - dependency-name: github.com/goccy/go-json dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> * Run make tidy + bazel --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Daisuke Maki <lestrrat+github@gmail.com> * Update Changes * Bump github.com/goccy/go-json from 0.9.11 to 0.10.0 (#855) Bumps [github.com/goccy/go-json](https://github.com/goccy/go-json) from 0.9.11 to 0.10.0. - [Release notes](https://github.com/goccy/go-json/releases) - [Changelog](https://github.com/goccy/go-json/blob/master/CHANGELOG.md) - [Commits](goccy/go-json@v0.9.11...v0.10.0) --- updated-dependencies: - dependency-name: github.com/goccy/go-json dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump github.com/lestrrat-go/option from 1.0.0 to 1.0.1 (#858) Bumps [github.com/lestrrat-go/option](https://github.com/lestrrat-go/option) from 1.0.0 to 1.0.1. - [Release notes](https://github.com/lestrrat-go/option/releases) - [Commits](lestrrat-go/option@v1.0.0...v1.0.1) --- updated-dependencies: - dependency-name: github.com/lestrrat-go/option dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump actions/stale from 6 to 7 (#859) Bumps [actions/stale](https://github.com/actions/stale) from 6 to 7. - [Release notes](https://github.com/actions/stale/releases) - [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md) - [Commits](actions/stale@v6...v7) --- updated-dependencies: - dependency-name: actions/stale dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Tweak v2 tests (#863) * Port changes from #862 * Actually report errors * fix expected result * Unbeknownst to me, benchstat seems to have changed * Update Contribution Guidelines * Fix generated header file comments (#867) The generated file header should match regexp: ^// Code generated .* DO NOT EDIT\.$ See https://golang.org/s/generatedcode. * Remove unused variables in ReadFile (#866) * Bump kentaro-m/auto-assign-action from 1.2.4 to 1.2.5 (#868) Bumps [kentaro-m/auto-assign-action](https://github.com/kentaro-m/auto-assign-action) from 1.2.4 to 1.2.5. - [Release notes](https://github.com/kentaro-m/auto-assign-action/releases) - [Commits](kentaro-m/auto-assign-action@v1.2.4...v1.2.5) --- updated-dependencies: - dependency-name: kentaro-m/auto-assign-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Update tool deps (#869) * Try updating tools for genjwt * Update genjws * Update genjwe * Update genjwk * Update genjwa * Update genjwk * Updage genoptions * Update genreadfile * Fix PEM armor for EC private keys when encoding (#876) * Incorporate #875 * Test PEM roundtrip for other key types * Use more constants * Bump golang.org/x/crypto from 0.0.0-20220427172511-eb4f295cb31f to 0.6.0 (#871) * Bump golang.org/x/crypto from 0.0.0-20220427172511-eb4f295cb31f to 0.6.0 Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.0.0-20220427172511-eb4f295cb31f to 0.6.0. - [Release notes](https://github.com/golang/crypto/releases) - [Commits](https://github.com/golang/crypto/commits/v0.6.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * run appropriate `go get` and `go mod tidy` all over --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Daisuke Maki <lestrrat+github@gmail.com> * Bump github.com/stretchr/testify from 1.8.1 to 1.8.2 (#873) * Bump github.com/stretchr/testify from 1.8.1 to 1.8.2 Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.8.1 to 1.8.2. - [Release notes](https://github.com/stretchr/testify/releases) - [Commits](stretchr/testify@v1.8.1...v1.8.2) --- updated-dependencies: - dependency-name: github.com/stretchr/testify dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> * run appropriate `go get` and `go mod tidy` all over --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Daisuke Maki <lestrrat+github@gmail.com> * Update Changes * Create codeql.yml * Bump golang.org/x/crypto from 0.6.0 to 0.7.0 (#877) * Bump golang.org/x/crypto from 0.6.0 to 0.7.0 Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.6.0 to 0.7.0. - [Release notes](https://github.com/golang/crypto/releases) - [Commits](golang/crypto@v0.6.0...v0.7.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * run go get and make tidy --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Daisuke Maki <lestrrat+github@gmail.com> * Add bazel support (#880) * Attempt to enable bazel * enable bazel building in smoke tests too * tweak order * Add explicit imports * Add deps.bzl * remove unused file reference * Add missing BUILD file * Add missing BUILD file * add missing BUILD.bazel files * add .bazelversion * Add aspect presets * Update Changes/README * Create an auto-merge action for dependabot (#884) * Create an auto-merge action for dependabot * approve and merge * indent * Bump github.com/goccy/go-json from 0.10.0 to 0.10.1 (#882) * Bump github.com/goccy/go-json from 0.10.0 to 0.10.1 Bumps [github.com/goccy/go-json](https://github.com/goccy/go-json) from 0.10.0 to 0.10.1. - [Release notes](https://github.com/goccy/go-json/releases) - [Changelog](https://github.com/goccy/go-json/blob/master/CHANGELOG.md) - [Commits](goccy/go-json@v0.10.0...v0.10.1) --- updated-dependencies: - dependency-name: github.com/goccy/go-json dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> * Run make tidy + bazel gazelle-update-repos --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Daisuke Maki <lestrrat+github@gmail.com> * Fix jwk cache docs (#885) * Fix example comment * Upon re-reading, this sentence does not need to exist * autodoc updates (#886) Co-authored-by: lestrrat <lestrrat@users.noreply.github.com> * Bump actions/setup-go from 3 to 4 (#887) Bumps [actions/setup-go](https://github.com/actions/setup-go) from 3 to 4. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](actions/setup-go@v3...v4) --- updated-dependencies: - dependency-name: actions/setup-go dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Allow "none" algorithm when signing with explicit option (#890) * Add test case for #888 * Catch the use of "none" when used in conjunction with jws.WithKey * first pass implementing (jwt/jws).Sign that allows alg="none" * regenerate jwt options * appease linter * Check for jws.Sign/Verify * OK to _sign_ using `none`, but no verification * Tweak Changes * typo (#893) * Bump github.com/goccy/go-json from 0.10.1 to 0.10.2 (#892) * Bump github.com/goccy/go-json from 0.10.1 to 0.10.2 Bumps [github.com/goccy/go-json](https://github.com/goccy/go-json) from 0.10.1 to 0.10.2. - [Release notes](https://github.com/goccy/go-json/releases) - [Changelog](https://github.com/goccy/go-json/blob/master/CHANGELOG.md) - [Commits](goccy/go-json@v0.10.1...v0.10.2) --- updated-dependencies: - dependency-name: github.com/goccy/go-json dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> * Run make tidy + bazel --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Daisuke Maki <lestrrat+github@gmail.com> * Update Changes --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Oleksandr Redko <oleksandr.red+github@gmail.com> Co-authored-by: Mitsuo Heijo <25817501+johejo@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: lestrrat <lestrrat@users.noreply.github.com>
lestrrat-go · Mar 21, 2023 · fccc524 · fccc524
1 parent 7803b82
commit fccc524
Show file tree

Hide file tree

Showing 131 changed files with 2,532 additions and 366 deletions.
diff --git a/.aspect/bazelrc/BUILD.bazel b/.aspect/bazelrc/BUILD.bazel
@@ -0,0 +1,3 @@
+load("@aspect_bazel_lib//lib:bazelrc_presets.bzl", "write_aspect_bazelrc_presets")
+
+write_aspect_bazelrc_presets(name = "update_aspect_bazelrc_presets")
diff --git a/.aspect/bazelrc/bazel5.bazelrc b/.aspect/bazelrc/bazel5.bazelrc
@@ -0,0 +1,5 @@
+# Performance improvement for WORKSPACE evaluation
+# of slow rulesets, for example rules_k8s has been
+# observed to take 10 seconds without this flag.
+# See https://github.com/bazelbuild/bazel/issues/13907
+common --incompatible_existing_rules_immutable_view
diff --git a/.aspect/bazelrc/bazel6.bazelrc b/.aspect/bazelrc/bazel6.bazelrc
@@ -0,0 +1,15 @@
+# Speed up all builds by not checking if external repository files have been modified.
+# Docs: https://github.com/bazelbuild/bazel/blob/1af61b21df99edc2fc66939cdf14449c2661f873/src/main/java/com/google/devtools/build/lib/bazel/repository/RepositoryOptions.java#L244
+build --noexperimental_check_external_repository_files
+fetch --noexperimental_check_external_repository_files
+query --noexperimental_check_external_repository_files
+
+# Directories used by sandboxed non-worker execution may be reused to avoid unnecessary setup costs.
+# Save time on Sandbox creation and deletion when many of the same kind of action run during the
+# build.
+# Docs: https://bazel.build/reference/command-line-reference#flag--reuse_sandbox_directories
+build --reuse_sandbox_directories
+
+# Avoid this flag being enabled by remote_download_minimal or remote_download_toplevel
+# See https://meroton.com/blog/bazel-6-errors-build-without-the-bytes/
+build --noexperimental_action_cache_store_output_metadata
diff --git a/.aspect/bazelrc/ci.bazelrc b/.aspect/bazelrc/ci.bazelrc
@@ -0,0 +1,71 @@
+# We recommend enforcing a policy that keeps your CI from being slowed down
+# by individual test targets that should be optimized
+# or split up into multiple test targets with sharding or manually.
+# Set this flag to exclude targets that have their timeout set to eternal (>15m) from running on CI.
+# Docs: https://bazel.build/docs/user-manual#test-timeout-filters
+build --test_timeout_filters=-eternal
+
+# Set this flag to enable re-tries of failed tests on CI.
+# When any test target fails, try one or more times. This applies regardless of whether the "flaky"
+# tag appears on the target definition.
+# This is a tradeoff: legitimately failing tests will take longer to report,
+# but we can paper over flaky tests that pass most of the time.
+# The alternative is to mark every flaky test with the `flaky = True` attribute, but this requires
+# the buildcop to make frequent code edits.
+# Not recommended for local builds so that the flakiness is observed during development and thus
+# is more likely to get fixed.
+# Note that when passing after the first attempt, Bazel will give a special "FLAKY" status.
+# Docs: https://bazel.build/docs/user-manual#flaky-test-attempts
+build --flaky_test_attempts=2
+
+# Announce all announces command options read from the bazelrc file(s) when starting up at the
+# beginning of each Bazel invocation. This is very useful on CI to be able to inspect what Bazel rc
+# settings are being applied on each run.
+# Docs: https://bazel.build/docs/user-manual#announce-rc
+build --announce_rc
+
+# Add a timestamp to each message generated by Bazel specifying the time at which the message was
+# displayed.
+# Docs: https://bazel.build/docs/user-manual#show-timestamps
+build --show_timestamps
+
+# Only show progress every 5 seconds on CI.
+# https://bazel.build/reference/command-line-reference#flag--show_progress_rate_limit
+build --show_progress_rate_limit=5
+
+# Use cursor controls in screen output.
+# Docs: https://bazel.build/docs/user-manual#curses
+build --curses=yes
+
+# Use colors to highlight output on the screen. Set to `no` if your CI does not display colors.
+# Docs: https://bazel.build/docs/user-manual#color
+build --color=yes
+
+# The terminal width in columns. Configure this to override the default value based on what your CI system renders.
+# Docs: https://github.com/bazelbuild/bazel/blob/1af61b21df99edc2fc66939cdf14449c2661f873/src/main/java/com/google/devtools/build/lib/runtime/UiOptions.java#L151
+build --terminal_columns=143
+
+######################################
+# Generic remote cache configuration #
+######################################
+
+# Only download remote outputs of top level targets to the local machine.
+# Docs: https://bazel.build/reference/command-line-reference#flag--remote_download_toplevel
+build --remote_download_toplevel
+
+# The maximum amount of time to wait for remote execution and cache calls.
+# https://bazel.build/reference/command-line-reference#flag--remote_timeout
+build --remote_timeout=3600
+
+# Upload locally executed action results to the remote cache.
+# Docs: https://bazel.build/reference/command-line-reference#flag--remote_upload_local_results
+build --remote_upload_local_results
+
+# Fall back to standalone local execution strategy if remote execution fails. If the grpc remote
+# cache connection fails, it will fail the build, add this so it falls back to the local cache.
+# Docs: https://bazel.build/reference/command-line-reference#flag--remote_local_fallback
+build --remote_local_fallback
+
+# Fixes builds hanging on CI that get the TCP connection closed without sending RST packets.
+# Docs: https://bazel.build/reference/command-line-reference#flag--grpc_keepalive_time
+build --grpc_keepalive_time=30s
diff --git a/.aspect/bazelrc/convenience.bazelrc b/.aspect/bazelrc/convenience.bazelrc
@@ -0,0 +1,29 @@
+# Attempt to build & test every target whose prerequisites were successfully built.
+# Docs: https://bazel.build/docs/user-manual#keep-going
+build --keep_going
+test  --keep_going
+
+# Output test errors to stderr so users don't have to `cat` or open test failure log files when test
+# fail. This makes the log noiser in exchange for reducing the time-to-feedback on test failures for
+# users.
+# Docs: https://bazel.build/docs/user-manual#test-output
+test --test_output=errors
+
+# Show the output files created by builds that requested more than one target. This helps users
+# locate the build outputs in more cases
+# Docs: https://bazel.build/docs/user-manual#show-result
+build --show_result=20
+
+# Bazel picks up host-OS-specific config lines from bazelrc files. For example, if the host OS is
+# Linux and you run bazel build, Bazel picks up lines starting with build:linux. Supported OS
+# identifiers are `linux`, `macos`, `windows`, `freebsd`, and `openbsd`. Enabling this flag is
+# equivalent to using `--config=linux` on Linux, `--config=windows` on Windows, etc.
+# Docs: https://bazel.build/reference/command-line-reference#flag--enable_platform_specific_config
+common --enable_platform_specific_config
+
+# Output a heap dump if an OOM is thrown during a Bazel invocation
+# (including OOMs due to `--experimental_oom_more_eagerly_threshold`).
+# The dump will be written to `<output_base>/<invocation_id>.heapdump.hprof`.
+# You may need to configure CI to capture this artifact and upload for later use.
+# Docs: https://bazel.build/reference/command-line-reference#flag--heap_dump_on_oom
+build --heap_dump_on_oom
diff --git a/.aspect/bazelrc/correctness.bazelrc b/.aspect/bazelrc/correctness.bazelrc
@@ -0,0 +1,63 @@
+# Do not upload locally executed action results to the remote cache.
+# This should be the default for local builds so local builds cannot poison the remote cache.
+# It should be flipped to `--remote_upload_local_results` on CI
+# by using `--bazelrc=.aspect/bazelrc/ci.bazelrc`.
+# Docs: https://bazel.build/reference/command-line-reference#flag--remote_upload_local_results
+build --noremote_upload_local_results
+
+# Don't allow network access for build actions in the sandbox.
+# Ensures that you don't accidentally make non-hermetic actions/tests which depend on remote
+# services.
+# Developers should tag targets with `tags=["requires-network"]` to opt-out of the enforcement.
+# Docs: https://bazel.build/reference/command-line-reference#flag--sandbox_default_allow_network
+build --sandbox_default_allow_network=false
+test --sandbox_default_allow_network=false
+
+# Warn if a test's timeout is significantly longer than the test's actual execution time.
+# Bazel's default for test_timeout is medium (5 min), but most tests should instead be short (1 min).
+# While a test's timeout should be set such that it is not flaky, a test that has a highly
+# over-generous timeout can hide real problems that crop up unexpectedly.
+# For instance, a test that normally executes in a minute or two should not have a timeout of
+# ETERNAL or LONG as these are much, much too generous.
+# Docs: https://bazel.build/docs/user-manual#test-verbose-timeout-warnings
+test --test_verbose_timeout_warnings
+
+# Allow the Bazel server to check directory sources for changes. Ensures that the Bazel server
+# notices when a directory changes, if you have a directory listed in the srcs of some target.
+# Recommended when using
+# [copy_directory](https://github.com/aspect-build/bazel-lib/blob/main/docs/copy_directory.md) and
+# [rules_js](https://github.com/aspect-build/rules_js) since npm package are source directories
+# inputs to copy_directory actions.
+# Docs: https://bazel.build/reference/command-line-reference#flag--host_jvm_args
+startup --host_jvm_args=-DBAZEL_TRACK_SOURCE_DIRECTORIES=1
+
+# Allow exclusive tests to run in the sandbox. Fixes a bug where Bazel doesn't enable sandboxing for
+# tests with `tags=["exclusive"]`.
+# Docs: https://bazel.build/reference/command-line-reference#flag--incompatible_exclusive_test_sandboxed
+test --incompatible_exclusive_test_sandboxed
+
+# Use a static value for `PATH` and does not inherit `LD_LIBRARY_PATH`. Doesn't let environment
+# variables like `PATH` sneak into the build, which can cause massive cache misses when they change.
+# Use `--action_env=ENV_VARIABLE` if you want to inherit specific environment variables from the
+# client, but note that doing so can prevent cross-user caching if a shared cache is used.
+# Docs: https://bazel.build/reference/command-line-reference#flag--incompatible_strict_action_env
+build --incompatible_strict_action_env
+
+# Propagate tags from a target declaration to the actions' execution requirements.
+# Ensures that tags applied in your BUILD file, like `tags=["no-remote"]`
+# get propagated to actions created by the rule.
+# Without this option, you rely on rules authors to manually check the tags you passed
+# and apply relevant ones to the actions they create.
+# See https://github.com/bazelbuild/bazel/issues/8830 for details.
+# Docs: https://bazel.build/reference/command-line-reference#flag--experimental_allow_tags_propagation
+build --experimental_allow_tags_propagation
+fetch --experimental_allow_tags_propagation
+query --experimental_allow_tags_propagation
+
+# Do not automatically create `__init__.py` files in the runfiles of Python targets. Fixes the wrong
+# default that comes from Google's internal monorepo by using `__init__.py` to delimit a Python
+# package. Precisely, when a `py_binary` or `py_test` target has `legacy_create_init` set to `auto (the
+# default), it is treated as false if and only if this flag is set. See
+# https://github.com/bazelbuild/bazel/issues/10076.
+# Docs: https://bazel.build/reference/command-line-reference#flag--incompatible_default_to_explicit_init_py
+build --incompatible_default_to_explicit_init_py
diff --git a/.aspect/bazelrc/debug.bazelrc b/.aspect/bazelrc/debug.bazelrc
@@ -0,0 +1,19 @@
+############################################################
+# Use `bazel test --config=debug` to enable these settings #
+############################################################
+
+# Stream stdout/stderr output from each test in real-time.
+# Docs: https://bazel.build/docs/user-manual#test-output
+test:debug --test_output=streamed
+
+# Run one test at a time.
+# Docs: https://bazel.build/reference/command-line-reference#flag--test_strategy
+test:debug --test_strategy=exclusive
+
+# Prevent long running tests from timing out.
+# Docs: https://bazel.build/docs/user-manual#test-timeout
+test:debug --test_timeout=9999
+
+# Always run tests even if they have cached results.
+# Docs: https://bazel.build/docs/user-manual#cache-test-results
+test:debug --nocache_test_results
diff --git a/.aspect/bazelrc/javascript.bazelrc b/.aspect/bazelrc/javascript.bazelrc
@@ -0,0 +1,28 @@
+# Aspect recommended Bazel flags when using Aspect's JavaScript rules: https://github.com/aspect-build/rules_js
+# Docs for Node.js flags: https://nodejs.org/en/docs/guides/debugging-getting-started/#command-line-options
+
+# Support for debugging Node.js tests. Use bazel run with `--config=debug` to turn on the NodeJS
+# inspector agent. The node process will break before user code starts and wait for the debugger to
+# connect. Pass the --inspect-brk option to all tests which enables the node inspector agent. See
+# https://nodejs.org/de/docs/guides/debugging-getting-started/#command-line-options for more
+# details.
+# Docs: https://nodejs.org/en/docs/guides/debugging-getting-started/#command-line-options
+run:debug -- --node_options=--inspect-brk
+
+# Enable runfiles on all platforms. Runfiles are on by default on Linux and MacOS but off on
+# Windows.
+#
+# In general, rules_js and derivate rule sets assume that runfiles are enabled and do not support no
+# runfiles case because it does not scale to teach all Node.js tools to use the runfiles manifest.
+#
+# If you are developing on Windows, you must either run bazel with administrator privileges or
+# enable developer mode. If you do not you may hit this error on Windows:
+#
+#   Bazel needs to create symlinks to build the runfiles tree.
+#   Creating symlinks on Windows requires one of the following:
+#       1. Bazel is run with administrator privileges.
+#       2. The system version is Windows 10 Creators Update (1703) or later
+#          and developer mode is enabled.
+#
+# Docs: https://bazel.build/reference/command-line-reference#flag--enable_runfiles
+build --enable_runfiles
diff --git a/.aspect/bazelrc/performance.bazelrc b/.aspect/bazelrc/performance.bazelrc
@@ -0,0 +1,54 @@
+# Merkle tree calculations will be memoized to improve the remote cache hit checking speed. The
+# memory foot print of the cache is controlled by `--experimental_remote_merkle_tree_cache_size`.
+# Docs: https://bazel.build/reference/command-line-reference#flag--experimental_remote_merkle_tree_cache
+build --experimental_remote_merkle_tree_cache
+query --experimental_remote_merkle_tree_cache
+
+# The number of Merkle trees to memoize to improve the remote cache hit checking speed. Even though
+# the cache is automatically pruned according to Java's handling of soft references, out-of-memory
+# errors can occur if set too high. If set to 0 the cache size is unlimited. Optimal value varies
+# depending on project's size.
+# Docs: https://bazel.build/reference/command-line-reference#flag--experimental_remote_merkle_tree_cache_size
+build --experimental_remote_merkle_tree_cache_size=1000
+query --experimental_remote_merkle_tree_cache_size=1000
+
+# Speed up all builds by not checking if output files have been modified. Lets you make changes to
+# the output tree without triggering a build for local debugging. For example, you can modify
+# [rules_js](https://github.com/aspect-build/rules_js) 3rd party npm packages in the output tree
+# when local debugging.
+# Docs: https://github.com/bazelbuild/bazel/blob/1af61b21df99edc2fc66939cdf14449c2661f873/src/main/java/com/google/devtools/build/lib/pkgcache/PackageOptions.java#L185
+build --noexperimental_check_output_files
+fetch --noexperimental_check_output_files
+query --noexperimental_check_output_files
+
+# Don't apply `--noremote_upload_local_results` and `--noremote_accept_cached` to the disk cache.
+# If you have both `--noremote_upload_local_results` and `--disk_cache`, then this fixes a bug where
+# Bazel doesn't write to the local disk cache as it treats as a remote cache.
+# Docs: https://bazel.build/reference/command-line-reference#flag--incompatible_remote_results_ignore_disk
+build --incompatible_remote_results_ignore_disk
+
+# Directories used by sandboxed non-worker execution may be reused to avoid unnecessary setup costs.
+# Save time on Sandbox creation and deletion when many of the same kind of action run during the
+# build.
+# No longer experimental in Bazel 6: https://github.com/bazelbuild/bazel/commit/c1a95501a5611878e5cc43a3cc531f2b9e47835b
+# Docs: https://bazel.build/reference/command-line-reference#flag--reuse_sandbox_directories
+build --experimental_reuse_sandbox_directories
+
+# Do not build runfiles symlink forests for external repositories under
+# `.runfiles/wsname/external/repo` (in addition to `.runfiles/repo`). This reduces runfiles &
+# sandbox creation times & prevents accidentally depending on this feature which may flip to off by
+# default in the future. Note, some rules may fail under this flag, please file issues with the rule
+# author.
+# Docs: https://bazel.build/reference/command-line-reference#flag--legacy_external_runfiles
+build --nolegacy_external_runfiles
+run --nolegacy_external_runfiles
+test --nolegacy_external_runfiles
+
+# Some actions are always IO-intensive but require little compute. It's wasteful to put the output
+# in the remote cache, it just saturates the network and fills the cache storage causing earlier
+# evictions. It's also not worth sending them for remote execution.
+# For actions like PackageTar it's usually faster to just re-run the work locally every time.
+# You'll have to look at an execution log to figure out what other action mnemonics you care about.
+# In some cases you may need to patch rulesets to add a mnemonic to actions that don't have one.
+# https://bazel.build/reference/command-line-reference#flag--modify_execution_info
+build --modify_execution_info=PackageTar=+no-remote
diff --git a/.bazelignore b/.bazelignore
@@ -0,0 +1,4 @@
+cmd
+bench
+examples
+tools
diff --git a/.bazelrc b/.bazelrc
@@ -0,0 +1 @@
+import %workspace%/.aspect/bazelrc/bazel6.bazelrc
diff --git a/.bazelversion b/.bazelversion
@@ -0,0 +1 @@
+6.0.0
diff --git a/.github/CONTRIBUTING.md b/.github/CONTRIBUTING.md
@@ -10,6 +10,7 @@ The following is a set of guidelines that we ask you to follow when you contribu
 * [Please Be Nice](#please-be-nice)
 * [Please Use Correct Medium (GitHub Issues / Discussions)](#please-use-correct-medium-github-issues--discussions)
 * [Please Include (Pseudo)code for Any Technical Issues](#please-include-pseudocode-for-any-technical-issues)
+* [Reviewer/Reviewee Guidelines](#reviewer-reviewee-guidelines)
 * [Brown M&M Clause](#brown-mm-clause)
 * [Pull Requests](#pull-requests)
   * [Branches](#branches)
@@ -27,10 +28,11 @@ The following is a set of guidelines that we ask you to follow when you contribu
 
 # Please Be Nice
 
+[Main source; if wording differ, the main source supersedes this copy](https://github.com/lestrrat-go/contributions/blob/main/Contributions.md)
+
 Please be nice when you contact us.
 
-We are very glad that you find this project useful, and we intend to provide software
-that help you.
+We are very glad that you find this project useful, and we intend to provide software that help you.
 
 You do not have to thank us, but please bare in mind that this is an opensource project that is provided **as-is**.
 This means that we are **NOT** obligated to support you, work for you, do your homework/research for you,
@@ -46,15 +48,18 @@ We are willing to help, but only as long as you are being nice to us.
 
 # Please Use Correct Medium (GitHub Issues / Discussions)
 
+[Main source; this is a specialized version copied from the main source](https://github.com/lestrrat-go/contributions/blob/main/Contributions.md)
+
 This project uses [GitHub Issues](https://github.com/lestrrat-go/jwx/issues) to deal with technical issues
-including bug reports, proposing new API, and otherwise issues that
-are directly actionable.
+including bug reports, proposing new API, and otherwise issues that are directly actionable.
 
 Inquiries, questions about the usage, maintenance policies, and other open-ended
 questions/discussions should be posted to [GitHub Discussions](https://github.com/lestrrat-go/jwx/discussions).
 
 # Please Include (Pseudo)code for Any Technical Issues
 
+[Main source; if wording differ, the main source supersedes this copy](https://github.com/lestrrat-go/contributions/blob/main/Contributions.md)
+
 Your report should contain clear, concise description of the issue that you are facing.
 However, at the same time please always include (pseudo)code in report.
 
@@ -75,6 +80,11 @@ your code.
 
 Please help us help you by providing us with a reproducible code.
 
+# Reviewer/Reviewee Guidelines
+
+If you are curious about what what gets reviewed and why some decisions
+are made the way they are, please read [this document](https://github.com/lestrrat-go/contributions/blob/main/Reviews.md) to get some insight into the thinking process.
+
 # Brown M&M Clause
 
 If you came here from an issue/PR template, please make sure to delete