chore(deps): update gomod

test: replace mock pkg/clock with narrowly targeted stub clocks. (#3238 )
The package under pkg/clock is github.com/benbjohnson/clock, which is archived. It's also way more complex than is what is actually needed here, so we can entirely remove the dependency and remove the helper package. Fixes #2840. Signed-off-by: David Symonds <dsymonds@gmail.com>
2025-10-28 09:06:01 +00:00 · 2025-10-28 10:05:02 +01:00 · 2025-10-28 09:54:10 +01:00 · 2025-10-28 09:13:35 +01:00 · 2025-10-28 08:48:23 +01:00 · 2025-10-28 08:40:51 +01:00
38 changed files with 261 additions and 761 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -17,7 +17,7 @@ jobs:
      uses: actions/checkout@v5
    - name: Set up Go
-      uses: actions/setup-go@v5
+      uses: actions/setup-go@v6
      with:
        go-version-file: go.mod
      id: go
@ -25,7 +25,7 @@ jobs:
    - name: Get dependencies
      env:
        # renovate: datasource=github-tags depName=golangci/golangci-lint
-        GOLANGCI_LINT_VERSION: v2.4.0
+        GOLANGCI_LINT_VERSION: v2.5.0
      run: |
        curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin ${GOLANGCI_LINT_VERSION}
        curl -L https://codeclimate.com/downloads/test-reporter/test-reporter-latest-linux-amd64 > ./cc-test-reporter
--- a/.github/workflows/create-release.yml
+++ b/.github/workflows/create-release.yml
@ -54,7 +54,7 @@ jobs:
        git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com"
    - name: Setup node
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@v6
      with:
        node-version-file: docs/package.json
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@ -20,7 +20,7 @@ jobs:
        id: pages
        uses: actions/configure-pages@v5
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@v6
        with:
          # renovate: datasource=node-version depName=node
          node-version: 22
@ -37,7 +37,7 @@ jobs:
    steps:
      - uses: actions/checkout@v5
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@v6
        with:
          # renovate: datasource=node-version depName=node
          node-version: 22
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@ -9,7 +9,7 @@ jobs:
      pull-requests: write
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/labeler@v5
+      - uses: actions/labeler@v6
        with:
          sync-labels: true
          dot: true
--- a/.github/workflows/publish-release.yml
+++ b/.github/workflows/publish-release.yml
@ -43,14 +43,14 @@ jobs:
      id: tag
    - name: Set up go
-      uses: actions/setup-go@v5
+      uses: actions/setup-go@v6
      with:
        go-version-file: go.mod
    - name: Get dependencies
      env:
        # renovate: datasource=github-tags depName=golangci/golangci-lint
-        GOLANGCI_LINT_VERSION: v2.4.0
+        GOLANGCI_LINT_VERSION: v2.5.0
      run: |
        curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin ${GOLANGCI_LINT_VERSION}
        curl -L https://codeclimate.com/downloads/test-reporter/test-reporter-latest-linux-amd64 > ./cc-test-reporter
@ -64,7 +64,7 @@ jobs:
    # Upload artifacts in case of workflow failure
    - name: Upload Artifacts
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@v5
      with:
        name: oauth2-proxy-artifacts
        path: |
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@ -10,7 +10,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/stale@v9
+    - uses: actions/stale@v10
      with:
        repo-token: ${{ secrets.GITHUB_TOKEN }}
        days-before-stale: 180
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -8,6 +8,10 @@
 ## Changes since v7.12.0
 - [#3228](https://github.com/oauth2-proxy/oauth2-proxy/pull/3228) fix: use GetSecret() in ticket.go makeCookie to respect cookie-secret-file (@stagswtf)
 - [#3244](https://github.com/oauth2-proxy/oauth2-proxy/pull/3244) chore(deps): upgrade to latest go1.25.3 (@tuunit)
 - [#3238](https://github.com/oauth2-proxy/oauth2-proxy/pull/3238) chore: Replace pkg/clock with narrowly targeted stub clocks (@dsymonds)
 # V7.12.0
 ## Release Highlights
@ -119,7 +123,7 @@ For detailed information, migration guidance, and security implications, see the
 - 🕵️‍♀️ Vulnerabilities have been addressed
  - [CVE-2025-22871](https://github.com/advisories/GHSA-g9pc-8g42-g6vq)
 - 🐛 Squashed some bugs
-  
+
 ## Important Notes
 ## Breaking Changes
--- a/25
+++ b/25
@ -36,13 +36,12 @@ REPOSITORY ?= oauth2-proxy
 DATE := $(shell date +"%Y%m%d")
 .NOTPARALLEL:
-GO_MAJOR_VERSION = $(shell $(GO) version | cut -c 14- | cut -d' ' -f1 | cut -d'.' -f1)
+# The go version in go.mod used for the Docker build toolchain, without the patch
-GO_MINOR_VERSION = $(shell $(GO) version | cut -c 14- | cut -d' ' -f1 | cut -d'.' -f2)
+GO_MOD_VERSION_MINOR := $(shell $(GO) list -f '{{printf "%.4s" .Module.GoVersion}}' )
-GO_MOD_VERSION = $(shell sed -En 's/^go ([[:digit:]]\.[[:digit:]]+)\.[[:digit:]]+/\1/p' go.mod)
+# From go1.21 go will transparently download the toolchain declared in go.mod. https://go.dev/doc/toolchain
-MINIMUM_SUPPORTED_GO_MAJOR_VERSION = $(shell echo ${GO_MOD_VERSION} | cut -d' ' -f1 | cut -d'.' -f1)
+# We don't need to keep this message updated: the important info is in go.mod.
-MINIMUM_SUPPORTED_GO_MINOR_VERSION = $(shell echo ${GO_MOD_VERSION} | cut -d' ' -f1 | cut -d'.' -f2)
+GO_VERSION_VALIDATION_ERR_MSG = Golang version is not supported, please update to at least go1.21
 GO_VERSION_VALIDATION_ERR_MSG = Golang version is not supported, please update to at least $(MINIMUM_SUPPORTED_GO_MAJOR_VERSION).$(MINIMUM_SUPPORTED_GO_MINOR_VERSION)
 ifeq ($(COVER),true)
 TESTCOVER ?= -coverprofile c.out
@ -56,7 +55,7 @@ build: validate-go-version clean $(BINARY) ## Build and create oauth2-proxy bina
 $(BINARY):
 	CGO_ENABLED=0 $(GO) build -a -installsuffix cgo -ldflags="-X github.com/oauth2-proxy/oauth2-proxy/v7/pkg/version.VERSION=${VERSION}" -o $@ github.com/oauth2-proxy/oauth2-proxy/v7
-DOCKER_BUILDX_COMMON_ARGS     ?= --build-arg BUILD_IMAGE=docker.io/library/golang:${GO_MOD_VERSION}-bookworm --build-arg VERSION=${VERSION}
+DOCKER_BUILDX_COMMON_ARGS     ?= --build-arg BUILD_IMAGE=docker.io/library/golang:$(GO_MOD_VERSION_MINOR)-bookworm --build-arg VERSION=$(VERSION)
 DOCKER_BUILD_PLATFORM         ?= linux/amd64,linux/arm64,linux/ppc64le,linux/arm/v7,linux/s390x
 DOCKER_BUILD_RUNTIME_IMAGE    ?= gcr.io/distroless/static:nonroot
@ -67,7 +66,7 @@ DOCKER_BUILDX_PUSH            := $(DOCKER_BUILDX) --push
 DOCKER_BUILDX_PUSH_X_PLATFORM := $(DOCKER_BUILDX_PUSH) --platform ${DOCKER_BUILD_PLATFORM}
 DOCKER_BUILD_PLATFORM_ALPINE         ?= linux/amd64,linux/arm64,linux/ppc64le,linux/arm/v6,linux/arm/v7,linux/s390x
-DOCKER_BUILD_RUNTIME_IMAGE_ALPINE    ?= alpine:3.22.1
+DOCKER_BUILD_RUNTIME_IMAGE_ALPINE    ?= alpine:3.22.2
 DOCKER_BUILDX_ARGS_ALPINE            ?= --build-arg RUNTIME_IMAGE=${DOCKER_BUILD_RUNTIME_IMAGE_ALPINE} ${DOCKER_BUILDX_COMMON_ARGS}
 DOCKER_BUILDX_X_PLATFORM_ALPINE      := docker buildx build ${DOCKER_BUILDX_ARGS_ALPINE} --platform ${DOCKER_BUILD_PLATFORM_ALPINE}
 DOCKER_BUILDX_PUSH_X_PLATFORM_ALPINE := $(DOCKER_BUILDX_X_PLATFORM_ALPINE) --push
@ -158,15 +157,7 @@ lint: validate-go-version ## Lint all files using golangci-lint
 .PHONY: validate-go-version
 validate-go-version: ## Validate Go environment requirements
-	@if [ $(GO_MAJOR_VERSION) -gt $(MINIMUM_SUPPORTED_GO_MAJOR_VERSION) ]; then \
+	@$(GO) list . >/dev/null || { echo '$(GO_VERSION_VALIDATION_ERR_MSG)'; exit 1; }
 		exit 0 ;\
 	elif [ $(GO_MAJOR_VERSION) -lt $(MINIMUM_SUPPORTED_GO_MAJOR_VERSION) ]; then \
 		echo '$(GO_VERSION_VALIDATION_ERR_MSG)';\
 		exit 1; \
 	elif [ $(GO_MINOR_VERSION) -lt $(MINIMUM_SUPPORTED_GO_MINOR_VERSION) ] ; then \
 		echo '$(GO_VERSION_VALIDATION_ERR_MSG)';\
 		exit 1; \
 	fi
 # local-env can be used to interact with the local development environment
 # eg:
--- a/contrib/local-environment/docker-compose-gitea.yaml
+++ b/contrib/local-environment/docker-compose-gitea.yaml
@ -39,7 +39,7 @@ services:
      httpbin: {}
  gitea:
-    image: gitea/gitea:1.24.5
+    image: gitea/gitea:1.24.7
    container_name: gitea
    environment:
      - USER_UID=1000
--- a/contrib/local-environment/docker-compose-nginx.yaml
+++ b/contrib/local-environment/docker-compose-nginx.yaml
@ -55,7 +55,7 @@ services:
      httpbin: {}
  dex:
    container_name: dex
-    image: ghcr.io/dexidp/dex:v2.43.1
+    image: ghcr.io/dexidp/dex:v2.44.0
    command: dex serve /dex.yaml
    hostname: dex
    volumes:
@ -78,7 +78,7 @@ services:
      httpbin: {}
  etcd:
    container_name: etcd
-    image: gcr.io/etcd-development/etcd:v3.6.4
+    image: gcr.io/etcd-development/etcd:v3.6.5
    entrypoint: /usr/local/bin/etcd
    command:
      - --listen-client-urls=http://0.0.0.0:2379
--- a/contrib/local-environment/docker-compose-traefik.yaml
+++ b/contrib/local-environment/docker-compose-traefik.yaml
@ -34,7 +34,7 @@ services:
  # Reverse proxy
  gateway:
    container_name: traefik
-    image: traefik:v2.11.28
+    image: traefik:v2.11.29
    volumes:
      - "./traefik:/etc/traefik"
    ports:
--- a/contrib/local-environment/docker-compose.yaml
+++ b/contrib/local-environment/docker-compose.yaml
@ -29,7 +29,7 @@ services:
      - httpbin
  dex:
    container_name: dex
-    image: ghcr.io/dexidp/dex:v2.43.1
+    image: ghcr.io/dexidp/dex:v2.44.0
    command: dex serve /dex.yaml
    hostname: dex
    volumes:
@ -52,7 +52,7 @@ services:
      httpbin: {}
  etcd:
    container_name: etcd
-    image: gcr.io/etcd-development/etcd:v3.6.4
+    image: gcr.io/etcd-development/etcd:v3.6.5
    entrypoint: /usr/local/bin/etcd
    command:
      - --listen-client-urls=http://0.0.0.0:2379
--- a/contrib/local-environment/kubernetes/Chart.lock
+++ b/contrib/local-environment/kubernetes/Chart.lock
@ -1,15 +1,15 @@
 dependencies:
 - name: dex
  repository: https://charts.dexidp.io
-  version: 0.23.0
+  version: 0.24.0
 - name: oauth2-proxy
  repository: https://oauth2-proxy.github.io/manifests
-  version: 7.14.1
+  version: 7.18.0
 - name: httpbin
  repository: https://conservis.github.io/helm-charts
  version: 1.1.0
 - name: hello-world
  repository: https://conservis.github.io/helm-charts
  version: 1.1.0
-digest: sha256:9b18e072db6863053c2967d023929ab4b9c03b6bd84f6529d90fe7a9ec5e315f
+digest: sha256:fee913531bfb67e5555e995d8fb040c330e6eb4b5a8c777ceb9841135ea9bb84
-generated: "2025-07-20T08:56:43.559585022Z"
+generated: "2025-10-28T06:46:35.38300324Z"
--- a/contrib/local-environment/kubernetes/Chart.yaml
+++ b/contrib/local-environment/kubernetes/Chart.yaml
@ -3,10 +3,10 @@ description: K8S example based on https://kind.sigs.k8s.io
 name: kubernetes
 dependencies:
  - name: dex
-    version: 0.23.0
+    version: 0.24.0
    repository: https://charts.dexidp.io
  - name: oauth2-proxy
-    version: &chartVersion 7.14.1
+    version: &chartVersion 7.18.0
    repository: https://oauth2-proxy.github.io/manifests
  # https://github.com/postmanlabs/httpbin/issues/549 is still in progress, for now using a non-official chart
  - name: httpbin
--- a/docs/docs/configuration/integration.md
+++ b/docs/docs/configuration/integration.md
@ -77,23 +77,15 @@ server {
 }
 ```
-When you use ingress-nginx in Kubernetes, you MUST use `kubernetes/ingress-nginx` (which includes the Lua module) and the following configuration snippet for your `Ingress`.
+When you use ingress-nginx in Kubernetes, you can configure the same behavior with the following annotations on your Ingress resource:
 Variables set with `auth_request_set` are not `set`-able in plain nginx config when the location is processed via `proxy_pass` and then may only be processed by Lua.
 Note that `nginxinc/kubernetes-ingress` does not include the Lua module.
 ```yaml
-nginx.ingress.kubernetes.io/auth-response-headers: Authorization
+nginx.ingress.kubernetes.io/auth-url: "https://<oauth2-proxy-fqdn>/oauth2/auth"
-nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
+nginx.ingress.kubernetes.io/auth-signin: "https://<oauth2-proxy-fqdn>/oauth2/start?rd=$escaped_request_uri"
 nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth
 nginx.ingress.kubernetes.io/configuration-snippet: |
  auth_request_set $name_upstream_1 $upstream_cookie_name_1;
  access_by_lua_block {
    if ngx.var.name_upstream_1 ~= "" then
      ngx.header["Set-Cookie"] = "name_1=" .. ngx.var.name_upstream_1 .. ngx.var.auth_cookie:match("(; .*)")
    end
  }
 ```
 This minimal configuration works for standard authentication flows. Lua/cookie handling is only needed for advanced scenarios (e.g., multi-part cookies, custom session logic). See the official ingress-nginx example: https://kubernetes.github.io/ingress-nginx/examples/auth/oauth-external-auth/.
 It is recommended to use `--session-store-type=redis` when expecting large sessions/OIDC tokens (_e.g._ with MS Azure).
 You have to substitute *name* with the actual cookie name you configured via --cookie-name parameter. If you don't set a custom cookie name the variable  should be "$upstream_cookie__oauth2_proxy_1" instead of "$upstream_cookie_name_1" and the new cookie-name should be "_oauth2_proxy_1=" instead of "name_1=".
--- a/docs/docs/configuration/providers/ms_entra_id.md
+++ b/docs/docs/configuration/providers/ms_entra_id.md
@ -112,7 +112,7 @@ insecure_oidc_skip_issuer_verification=true
 ```
 `insecure_oidc_skip_issuer_verification` setting is required to disable following checks:
 * Startup check for matching issuer URL returned from [discovery document](https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration) with `oidc_issuer_url` setting. Required, as document's `issuer` field doesn't equal to `https://login.microsoftonline.com/common/v2.0`. See [OIDC Discovery 4.3](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationValidation).
-* Matching ID token's `issuer` claim with `oidc_issuer_url` setting during ID token validation. Required to support tokens issued by diffrerent tenants. See [OIDC Core 3.1.3.7](https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation). 
+* Matching ID token's `issuer` claim with `oidc_issuer_url` setting during ID token validation. Required to support tokens issued by different tenants. See [OIDC Core 3.1.3.7](https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation).
 To provide additional security, Entra ID provider performs check on the ID token's `issuer` claim to match the `https://login.microsoftonline.com/{tenant-id}/v2.0` template.
--- a/docs/versioned_docs/version-7.10.x/configuration/integration.md
+++ b/docs/versioned_docs/version-7.10.x/configuration/integration.md
@ -77,23 +77,15 @@ server {
 }
 ```
-When you use ingress-nginx in Kubernetes, you MUST use `kubernetes/ingress-nginx` (which includes the Lua module) and the following configuration snippet for your `Ingress`.
+When you use ingress-nginx in Kubernetes, you can configure the same behavior with the following annotations on your Ingress resource:
 Variables set with `auth_request_set` are not `set`-able in plain nginx config when the location is processed via `proxy_pass` and then may only be processed by Lua.
 Note that `nginxinc/kubernetes-ingress` does not include the Lua module.
 ```yaml
-nginx.ingress.kubernetes.io/auth-response-headers: Authorization
+nginx.ingress.kubernetes.io/auth-url: "https://<oauth2-proxy-fqdn>/oauth2/auth"
-nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
+nginx.ingress.kubernetes.io/auth-signin: "https://<oauth2-proxy-fqdn>/oauth2/start?rd=$escaped_request_uri"
 nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth
 nginx.ingress.kubernetes.io/configuration-snippet: |
  auth_request_set $name_upstream_1 $upstream_cookie_name_1;
  access_by_lua_block {
    if ngx.var.name_upstream_1 ~= "" then
      ngx.header["Set-Cookie"] = "name_1=" .. ngx.var.name_upstream_1 .. ngx.var.auth_cookie:match("(; .*)")
    end
  }
 ```
 This minimal configuration works for standard authentication flows. Lua/cookie handling is only needed for advanced scenarios (e.g., multi-part cookies, custom session logic). See the official ingress-nginx example: https://kubernetes.github.io/ingress-nginx/examples/auth/oauth-external-auth/.
 It is recommended to use `--session-store-type=redis` when expecting large sessions/OIDC tokens (_e.g._ with MS Azure).
 You have to substitute *name* with the actual cookie name you configured via --cookie-name parameter. If you don't set a custom cookie name the variable  should be "$upstream_cookie__oauth2_proxy_1" instead of "$upstream_cookie_name_1" and the new cookie-name should be "_oauth2_proxy_1=" instead of "name_1=".
--- a/docs/versioned_docs/version-7.10.x/configuration/providers/ms_entra_id.md
+++ b/docs/versioned_docs/version-7.10.x/configuration/providers/ms_entra_id.md
@ -112,7 +112,7 @@ insecure_oidc_skip_issuer_verification=true
 ```
 `insecure_oidc_skip_issuer_verification` setting is required to disable following checks:
 * Startup check for matching issuer URL returned from [discovery document](https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration) with `oidc_issuer_url` setting. Required, as document's `issuer` field doesn't equal to `https://login.microsoftonline.com/common/v2.0`. See [OIDC Discovery 4.3](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationValidation).
-* Matching ID token's `issuer` claim with `oidc_issuer_url` setting during ID token validation. Required to support tokens issued by diffrerent tenants. See [OIDC Core 3.1.3.7](https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation). 
+* Matching ID token's `issuer` claim with `oidc_issuer_url` setting during ID token validation. Required to support tokens issued by different tenants. See [OIDC Core 3.1.3.7](https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation).
 To provide additional security, Entra ID provider performs check on the ID token's `issuer` claim to match the `https://login.microsoftonline.com/{tenant-id}/v2.0` template.
--- a/docs/versioned_docs/version-7.11.x/configuration/integration.md
+++ b/docs/versioned_docs/version-7.11.x/configuration/integration.md
@ -77,23 +77,15 @@ server {
 }
 ```
-When you use ingress-nginx in Kubernetes, you MUST use `kubernetes/ingress-nginx` (which includes the Lua module) and the following configuration snippet for your `Ingress`.
+When you use ingress-nginx in Kubernetes, you can configure the same behavior with the following annotations on your Ingress resource:
 Variables set with `auth_request_set` are not `set`-able in plain nginx config when the location is processed via `proxy_pass` and then may only be processed by Lua.
 Note that `nginxinc/kubernetes-ingress` does not include the Lua module.
 ```yaml
-nginx.ingress.kubernetes.io/auth-response-headers: Authorization
+nginx.ingress.kubernetes.io/auth-url: "https://<oauth2-proxy-fqdn>/oauth2/auth"
-nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
+nginx.ingress.kubernetes.io/auth-signin: "https://<oauth2-proxy-fqdn>/oauth2/start?rd=$escaped_request_uri"
 nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth
 nginx.ingress.kubernetes.io/configuration-snippet: |
  auth_request_set $name_upstream_1 $upstream_cookie_name_1;
  access_by_lua_block {
    if ngx.var.name_upstream_1 ~= "" then
      ngx.header["Set-Cookie"] = "name_1=" .. ngx.var.name_upstream_1 .. ngx.var.auth_cookie:match("(; .*)")
    end
  }
 ```
 This minimal configuration works for standard authentication flows. Lua/cookie handling is only needed for advanced scenarios (e.g., multi-part cookies, custom session logic). See the official ingress-nginx example: https://kubernetes.github.io/ingress-nginx/examples/auth/oauth-external-auth/.
 It is recommended to use `--session-store-type=redis` when expecting large sessions/OIDC tokens (_e.g._ with MS Azure).
 You have to substitute *name* with the actual cookie name you configured via --cookie-name parameter. If you don't set a custom cookie name the variable  should be "$upstream_cookie__oauth2_proxy_1" instead of "$upstream_cookie_name_1" and the new cookie-name should be "_oauth2_proxy_1=" instead of "name_1=".
--- a/docs/versioned_docs/version-7.11.x/configuration/providers/ms_entra_id.md
+++ b/docs/versioned_docs/version-7.11.x/configuration/providers/ms_entra_id.md
@ -112,7 +112,7 @@ insecure_oidc_skip_issuer_verification=true
 ```
 `insecure_oidc_skip_issuer_verification` setting is required to disable following checks:
 * Startup check for matching issuer URL returned from [discovery document](https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration) with `oidc_issuer_url` setting. Required, as document's `issuer` field doesn't equal to `https://login.microsoftonline.com/common/v2.0`. See [OIDC Discovery 4.3](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationValidation).
-* Matching ID token's `issuer` claim with `oidc_issuer_url` setting during ID token validation. Required to support tokens issued by diffrerent tenants. See [OIDC Core 3.1.3.7](https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation). 
+* Matching ID token's `issuer` claim with `oidc_issuer_url` setting during ID token validation. Required to support tokens issued by different tenants. See [OIDC Core 3.1.3.7](https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation).
 To provide additional security, Entra ID provider performs check on the ID token's `issuer` claim to match the `https://login.microsoftonline.com/{tenant-id}/v2.0` template.
--- a/docs/versioned_docs/version-7.12.x/configuration/integration.md
+++ b/docs/versioned_docs/version-7.12.x/configuration/integration.md
@ -77,23 +77,15 @@ server {
 }
 ```
-When you use ingress-nginx in Kubernetes, you MUST use `kubernetes/ingress-nginx` (which includes the Lua module) and the following configuration snippet for your `Ingress`.
+When you use ingress-nginx in Kubernetes, you can configure the same behavior with the following annotations on your Ingress resource:
 Variables set with `auth_request_set` are not `set`-able in plain nginx config when the location is processed via `proxy_pass` and then may only be processed by Lua.
 Note that `nginxinc/kubernetes-ingress` does not include the Lua module.
 ```yaml
-nginx.ingress.kubernetes.io/auth-response-headers: Authorization
+nginx.ingress.kubernetes.io/auth-url: "https://<oauth2-proxy-fqdn>/oauth2/auth"
-nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
+nginx.ingress.kubernetes.io/auth-signin: "https://<oauth2-proxy-fqdn>/oauth2/start?rd=$escaped_request_uri"
 nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth
 nginx.ingress.kubernetes.io/configuration-snippet: |
  auth_request_set $name_upstream_1 $upstream_cookie_name_1;
  access_by_lua_block {
    if ngx.var.name_upstream_1 ~= "" then
      ngx.header["Set-Cookie"] = "name_1=" .. ngx.var.name_upstream_1 .. ngx.var.auth_cookie:match("(; .*)")
    end
  }
 ```
 This minimal configuration works for standard authentication flows. Lua/cookie handling is only needed for advanced scenarios (e.g., multi-part cookies, custom session logic). See the official ingress-nginx example: https://kubernetes.github.io/ingress-nginx/examples/auth/oauth-external-auth/.
 It is recommended to use `--session-store-type=redis` when expecting large sessions/OIDC tokens (_e.g._ with MS Azure).
 You have to substitute *name* with the actual cookie name you configured via --cookie-name parameter. If you don't set a custom cookie name the variable  should be "$upstream_cookie__oauth2_proxy_1" instead of "$upstream_cookie_name_1" and the new cookie-name should be "_oauth2_proxy_1=" instead of "name_1=".
--- a/docs/versioned_docs/version-7.12.x/configuration/providers/ms_entra_id.md
+++ b/docs/versioned_docs/version-7.12.x/configuration/providers/ms_entra_id.md
@ -112,7 +112,7 @@ insecure_oidc_skip_issuer_verification=true
 ```
 `insecure_oidc_skip_issuer_verification` setting is required to disable following checks:
 * Startup check for matching issuer URL returned from [discovery document](https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration) with `oidc_issuer_url` setting. Required, as document's `issuer` field doesn't equal to `https://login.microsoftonline.com/common/v2.0`. See [OIDC Discovery 4.3](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationValidation).
-* Matching ID token's `issuer` claim with `oidc_issuer_url` setting during ID token validation. Required to support tokens issued by diffrerent tenants. See [OIDC Core 3.1.3.7](https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation). 
+* Matching ID token's `issuer` claim with `oidc_issuer_url` setting during ID token validation. Required to support tokens issued by different tenants. See [OIDC Core 3.1.3.7](https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation).
 To provide additional security, Entra ID provider performs check on the ID token's `issuer` claim to match the `https://login.microsoftonline.com/{tenant-id}/v2.0` template.
--- a/docs/versioned_docs/version-7.8.x/configuration/providers/ms_entra_id.md
+++ b/docs/versioned_docs/version-7.8.x/configuration/providers/ms_entra_id.md
@ -112,7 +112,7 @@ insecure_oidc_skip_issuer_verification=true
 ```
 `insecure_oidc_skip_issuer_verification` setting is required to disable following checks:
 * Startup check for matching issuer URL returned from [discovery document](https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration) with `oidc_issuer_url` setting. Required, as document's `issuer` field doesn't equal to `https://login.microsoftonline.com/common/v2.0`. See [OIDC Discovery 4.3](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationValidation).
-* Matching ID token's `issuer` claim with `oidc_issuer_url` setting during ID token validation. Required to support tokens issued by diffrerent tenants. See [OIDC Core 3.1.3.7](https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation). 
+* Matching ID token's `issuer` claim with `oidc_issuer_url` setting during ID token validation. Required to support tokens issued by different tenants. See [OIDC Core 3.1.3.7](https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation).
 To provide additional security, Entra ID provider performs check on the ID token's `issuer` claim to match the `https://login.microsoftonline.com/{tenant-id}/v2.0` template.
--- a/docs/versioned_docs/version-7.9.x/configuration/providers/ms_entra_id.md
+++ b/docs/versioned_docs/version-7.9.x/configuration/providers/ms_entra_id.md
@ -112,7 +112,7 @@ insecure_oidc_skip_issuer_verification=true
 ```
 `insecure_oidc_skip_issuer_verification` setting is required to disable following checks:
 * Startup check for matching issuer URL returned from [discovery document](https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration) with `oidc_issuer_url` setting. Required, as document's `issuer` field doesn't equal to `https://login.microsoftonline.com/common/v2.0`. See [OIDC Discovery 4.3](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationValidation).
-* Matching ID token's `issuer` claim with `oidc_issuer_url` setting during ID token validation. Required to support tokens issued by diffrerent tenants. See [OIDC Core 3.1.3.7](https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation). 
+* Matching ID token's `issuer` claim with `oidc_issuer_url` setting during ID token validation. Required to support tokens issued by different tenants. See [OIDC Core 3.1.3.7](https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation).
 To provide additional security, Entra ID provider performs check on the ID token's `issuer` claim to match the `https://login.microsoftonline.com/{tenant-id}/v2.0` template.
--- a/go.mod
+++ b/go.mod
@ -1,57 +1,57 @@
 module github.com/oauth2-proxy/oauth2-proxy/v7
-go 1.24.6
+go 1.25.3
 require (
-	cloud.google.com/go/compute/metadata v0.7.0
+	cloud.google.com/go/compute/metadata v0.9.0
 	github.com/Bose/minisentinel v0.0.0-20200130220412-917c5a9223bb
 	github.com/a8m/envsubst v1.4.3
 	github.com/alicebob/miniredis/v2 v2.35.0
 	github.com/benbjohnson/clock v1.3.5
 	github.com/bitly/go-simplejson v0.5.1
 	github.com/bsm/redislock v0.9.4
-	github.com/coreos/go-oidc/v3 v3.14.1
+	github.com/coreos/go-oidc/v3 v3.16.0
 	github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf
 	github.com/fsnotify/fsnotify v1.9.0
 	github.com/ghodss/yaml v1.0.1-0.20220118164431-d8423dcdf344
 	github.com/go-jose/go-jose/v3 v3.0.4
 	github.com/go-viper/mapstructure/v2 v2.4.0
-	github.com/golang-jwt/jwt/v5 v5.2.3
+	github.com/golang-jwt/jwt/v5 v5.3.0
 	github.com/google/go-cmp v0.7.0
 	github.com/google/uuid v1.6.0
 	github.com/gorilla/mux v1.8.1
 	github.com/justinas/alice v1.2.0
 	github.com/mbland/hmacauth v0.0.0-20170912233209-44256dfd4bfa
 	github.com/oauth2-proxy/mockoidc v0.0.0-20240214162133-caebfff84d25
-	github.com/onsi/ginkgo/v2 v2.23.4
+	github.com/onsi/ginkgo/v2 v2.27.2
-	github.com/onsi/gomega v1.37.0
+	github.com/onsi/gomega v1.38.2
 	github.com/pierrec/lz4/v4 v4.1.22
-	github.com/prometheus/client_golang v1.22.0
+	github.com/prometheus/client_golang v1.23.2
-	github.com/redis/go-redis/v9 v9.11.0
+	github.com/redis/go-redis/v9 v9.16.0
-	github.com/spf13/cast v1.9.2
+	github.com/spf13/cast v1.10.0
-	github.com/spf13/pflag v1.0.7
+	github.com/spf13/pflag v1.0.10
-	github.com/spf13/viper v1.20.1
+	github.com/spf13/viper v1.21.0
-	github.com/stretchr/testify v1.10.0
+	github.com/stretchr/testify v1.11.1
 	github.com/vmihailenco/msgpack/v5 v5.4.1
-	golang.org/x/crypto v0.40.0
+	golang.org/x/crypto v0.43.0
-	golang.org/x/net v0.42.0
+	golang.org/x/net v0.46.0
-	golang.org/x/oauth2 v0.30.0
+	golang.org/x/oauth2 v0.32.0
-	golang.org/x/sync v0.16.0
+	golang.org/x/sync v0.17.0
-	google.golang.org/api v0.242.0
+	google.golang.org/api v0.253.0
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1
-	k8s.io/apimachinery v0.33.3
+	k8s.io/apimachinery v0.34.1
 )
 require (
-	cloud.google.com/go/auth v0.16.2 // indirect
+	cloud.google.com/go/auth v0.17.0 // indirect
 	cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
 	github.com/Masterminds/semver/v3 v3.4.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/go-jose/go-jose/v4 v4.1.1 // indirect
+	github.com/go-jose/go-jose/v4 v4.1.3 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
@ -64,12 +64,12 @@ require (
 	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/prometheus/client_model v0.6.2 // indirect
-	github.com/prometheus/common v0.65.0 // indirect
+	github.com/prometheus/common v0.66.1 // indirect
 	github.com/prometheus/procfs v0.17.0 // indirect
 	github.com/rogpeppe/go-internal v1.14.1 // indirect
-	github.com/sagikazarmark/locafero v0.9.0 // indirect
+	github.com/sagikazarmark/locafero v0.11.0 // indirect
-	github.com/sourcegraph/conc v0.3.0 // indirect
+	github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8 // indirect
-	github.com/spf13/afero v1.14.0 // indirect
+	github.com/spf13/afero v1.15.0 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect
 	github.com/yuin/gopher-lua v1.1.1 // indirect
@ -80,12 +80,15 @@ require (
 	go.opentelemetry.io/otel/trace v1.37.0 // indirect
 	go.uber.org/automaxprocs v1.6.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	golang.org/x/sys v0.34.0 // indirect
+	go.yaml.in/yaml/v2 v2.4.2 // indirect
-	golang.org/x/text v0.27.0 // indirect
+	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/tools v0.35.0 // indirect
+	golang.org/x/mod v0.28.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250707201910-8d1bb00bc6a7 // indirect
+	golang.org/x/sys v0.37.0 // indirect
-	google.golang.org/grpc v1.73.0 // indirect
+	golang.org/x/text v0.30.0 // indirect
-	google.golang.org/protobuf v1.36.6 // indirect
+	golang.org/x/tools v0.37.0 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20251014184007-4626949a642f // indirect
 	google.golang.org/grpc v1.76.0 // indirect
 	google.golang.org/protobuf v1.36.10 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
--- a/go.sum
+++ b/go.sum
@ -1,21 +1,25 @@
 cloud.google.com/go/auth v0.16.2 h1:QvBAGFPLrDeoiNjyfVunhQ10HKNYuOwZ5noee0M5df4=
 cloud.google.com/go/auth v0.16.2/go.mod h1:sRBas2Y1fB1vZTdurouM0AzuYQBMZinrUYL8EufhtEA=
 cloud.google.com/go/auth v0.17.0 h1:74yCm7hCj2rUyyAocqnFzsAYXgJhrG26XCFimrc/Kz4=
 cloud.google.com/go/auth v0.17.0/go.mod h1:6wv/t5/6rOPAX4fJiRjKkJCvswLwdet7G8+UGXt7nCQ=
 cloud.google.com/go/auth/oauth2adapt v0.2.8 h1:keo8NaayQZ6wimpNSmW5OPc283g65QNIiLpZnkHRbnc=
 cloud.google.com/go/auth/oauth2adapt v0.2.8/go.mod h1:XQ9y31RkqZCcwJWNSx2Xvric3RrU88hAYYbjDWYDL+c=
 cloud.google.com/go/compute/metadata v0.7.0 h1:PBWF+iiAerVNe8UCHxdOt6eHLVc3ydFeOCw78U8ytSU=
 cloud.google.com/go/compute/metadata v0.7.0/go.mod h1:j5MvL9PprKL39t166CoB1uVHfQMs4tFQZZcKwksXUjo=
 cloud.google.com/go/compute/metadata v0.9.0 h1:pDUj4QMoPejqq20dK0Pg2N4yG9zIkYGdBtwLoEkH9Zs=
 cloud.google.com/go/compute/metadata v0.9.0/go.mod h1:E0bWwX5wTnLPedCKqk3pJmVgCBSM6qQI1yTBdEb3C10=
 github.com/Bose/minisentinel v0.0.0-20200130220412-917c5a9223bb h1:ZVN4Iat3runWOFLaBCDVU5a9X/XikSRBosye++6gojw=
 github.com/Bose/minisentinel v0.0.0-20200130220412-917c5a9223bb/go.mod h1:WsAABbY4HQBgd3mGuG4KMNTbHJCPvx9IVBHzysbknss=
 github.com/FZambia/sentinel v1.0.0 h1:KJ0ryjKTZk5WMp0dXvSdNqp3lFaW1fNFuEYfrkLOYIc=
 github.com/FZambia/sentinel v1.0.0/go.mod h1:ytL1Am/RLlAoAXG6Kj5LNuw/TRRQrv2rt2FT26vP5gI=
 github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0=
 github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
 github.com/a8m/envsubst v1.4.3 h1:kDF7paGK8QACWYaQo6KtyYBozY2jhQrTuNNuUxQkhJY=
 github.com/a8m/envsubst v1.4.3/go.mod h1:4jjHWQlZoaXPoLQUb7H2qT4iLkZDdmEQiOUogdUmqVU=
 github.com/alicebob/gopher-json v0.0.0-20180125190556-5a6b3ba71ee6/go.mod h1:SGnFV6hVsYE877CKEZ6tDNTjaSXYUk6QqoIK6PrAtcc=
 github.com/alicebob/miniredis/v2 v2.11.1/go.mod h1:UA48pmi7aSazcGAvcdKcBB49z521IC9VjTTRz2nIaJE=
 github.com/alicebob/miniredis/v2 v2.35.0 h1:QwLphYqCEAo1eu1TqPRN2jgVMPBweeQcR21jeqDCONI=
 github.com/alicebob/miniredis/v2 v2.35.0/go.mod h1:TcL7YfarKPGDAthEtl5NBeHZfeUQj6OXMm/+iu5cLMM=
 github.com/benbjohnson/clock v1.3.5 h1:VvXlSJBzZpA/zum6Sj74hxwYI2DIxRWuNIoXAzHZz5o=
 github.com/benbjohnson/clock v1.3.5/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/bitly/go-simplejson v0.5.1 h1:xgwPbetQScXt1gh9BmoJ6j9JMr3TElvuIyjR8pgdoow=
@ -35,6 +39,8 @@ github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5P
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
 github.com/coreos/go-oidc/v3 v3.14.1 h1:9ePWwfdwC4QKRlCXsJGou56adA/owXczOzwKdOumLqk=
 github.com/coreos/go-oidc/v3 v3.14.1/go.mod h1:HaZ3szPaZ0e4r6ebqvsLWlk2Tn+aejfmrfah6hnSYEU=
 github.com/coreos/go-oidc/v3 v3.16.0 h1:qRQUCFstKpXwmEjDQTIbyY/5jF00+asXzSkmkoa/mow=
 github.com/coreos/go-oidc/v3 v3.16.0/go.mod h1:wqPbKFrVnE90vty060SB40FCJ8fTHTxSwyXJqZH+sI8=
 github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf h1:iW4rZ826su+pqaw19uhpSCzhj44qo35pNgKFGqzDKkU=
 github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@ -54,6 +60,8 @@ github.com/go-jose/go-jose/v3 v3.0.4 h1:Wp5HA7bLQcKnf6YYao/4kpRpVMp/yf6+pJKV8WFS
 github.com/go-jose/go-jose/v3 v3.0.4/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ=
 github.com/go-jose/go-jose/v4 v4.1.1 h1:JYhSgy4mXXzAdF3nUx3ygx347LRXJRrpgyU3adRmkAI=
 github.com/go-jose/go-jose/v4 v4.1.1/go.mod h1:BdsZGqgdO3b6tTc6LSE56wcDbMMLuPsw5d4ZD5f94kA=
 github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs=
 github.com/go-jose/go-jose/v4 v4.1.3/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
 github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
@ -61,14 +69,12 @@ github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
 github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
 github.com/go-viper/mapstructure/v2 v2.3.0 h1:27XbWsHIqhbdR5TIC911OfYvgSaW93HM+dX7970Q7jk=
 github.com/go-viper/mapstructure/v2 v2.3.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
 github.com/go-viper/mapstructure/v2 v2.4.0 h1:EBsztssimR/CONLSZZ04E8qAkxNYq4Qp9LvH92wZUgs=
 github.com/go-viper/mapstructure/v2 v2.4.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
 github.com/golang-jwt/jwt/v5 v5.2.2 h1:Rl4B7itRWVtYIHFrSNd7vhTiz9UpLdi6gZhZ3wEeDy8=
 github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang-jwt/jwt/v5 v5.2.3 h1:kkGXqQOBSDDWRhWNXTFpqGSCMyh/PLnqUvMGJPDJDs0=
 github.com/golang-jwt/jwt/v5 v5.2.3/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=
 github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/gomodule/redigo v1.7.1-0.20190322064113-39e2c31b7ca3 h1:6amM4HsNPOvMLVc2ZnyqrjeQ92YAVWn7T4WBKK87inY=
@ -85,8 +91,6 @@ github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/enterprise-certificate-proxy v0.3.6 h1:GW/XbdyBFQ8Qe+YAmFU9uHLo7OnF5tL52HFAgMmyrf4=
 github.com/googleapis/enterprise-certificate-proxy v0.3.6/go.mod h1:MkHOF77EYAE7qfSuSS9PU6g4Nt4e11cnsDUowfwewLA=
 github.com/googleapis/gax-go/v2 v2.14.2 h1:eBLnkZ9635krYIPD+ag1USrOAI0Nr0QYF3+/3GqO0k0=
 github.com/googleapis/gax-go/v2 v2.14.2/go.mod h1:ON64QhlJkhVtSqp4v1uaK92VyZ2gmvDQsweuyLV+8+w=
 github.com/googleapis/gax-go/v2 v2.15.0 h1:SyjDc1mGgZU5LncH8gimWo9lW1DtIfPibOG81vgd/bo=
 github.com/googleapis/gax-go/v2 v2.15.0/go.mod h1:zVVkkxAQHa1RQpg9z2AUCMnKhi0Qld9rcmyfL1OZhoc=
 github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
@ -111,8 +115,12 @@ github.com/oauth2-proxy/mockoidc v0.0.0-20240214162133-caebfff84d25 h1:9bCMuD3Tc
 github.com/oauth2-proxy/mockoidc v0.0.0-20240214162133-caebfff84d25/go.mod h1:eDjgYHYDJbPLBLsyZ6qRaugP0mX8vePOhZ5id1fdzJw=
 github.com/onsi/ginkgo/v2 v2.23.4 h1:ktYTpKJAVZnDT4VjxSbiBenUjmlL/5QkBEocaWXiQus=
 github.com/onsi/ginkgo/v2 v2.23.4/go.mod h1:Bt66ApGPBFzHyR+JO10Zbt0Gsp4uWxu5mIOTusL46e8=
 github.com/onsi/ginkgo/v2 v2.27.2 h1:LzwLj0b89qtIy6SSASkzlNvX6WktqurSHwkk2ipF/Ns=
 github.com/onsi/ginkgo/v2 v2.27.2/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo=
 github.com/onsi/gomega v1.37.0 h1:CdEG8g0S133B4OswTDC/5XPSzE1OeP29QOioj2PID2Y=
 github.com/onsi/gomega v1.37.0/go.mod h1:8D9+Txp43QWKhM24yyOBEdpkzN8FvJyAwecBgsU4KU0=
 github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A=
 github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k=
 github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4=
 github.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
 github.com/pierrec/lz4/v4 v4.1.22 h1:cKFw6uJDK+/gfw5BcDL0JL5aBsAFdsIT18eRtLj7VIU=
@ -124,34 +132,52 @@ github.com/prashantv/gostub v1.1.0 h1:BTyx3RfQjRHnUWaGF9oQos79AlQ5k8WNktv7VGvVH4
 github.com/prashantv/gostub v1.1.0/go.mod h1:A5zLQHz7ieHGG7is6LLXLz7I8+3LZzsrV0P1IAHhP5U=
 github.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q=
 github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0=
 github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h0RJWRi/o0o=
 github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg=
 github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
 github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
 github.com/prometheus/common v0.65.0 h1:QDwzd+G1twt//Kwj/Ww6E9FQq1iVMmODnILtW1t2VzE=
 github.com/prometheus/common v0.65.0/go.mod h1:0gZns+BLRQ3V6NdaerOhMbwwRbNh9hkGINtQAsP5GS8=
 github.com/prometheus/common v0.66.1 h1:h5E0h5/Y8niHc5DlaLlWLArTQI7tMrsfQjHV+d9ZoGs=
 github.com/prometheus/common v0.66.1/go.mod h1:gcaUsgf3KfRSwHY4dIMXLPV0K/Wg1oZ8+SbZk/HH/dA=
 github.com/prometheus/procfs v0.17.0 h1:FuLQ+05u4ZI+SS/w9+BWEM2TXiHKsUQ9TADiRH7DuK0=
 github.com/prometheus/procfs v0.17.0/go.mod h1:oPQLaDAMRbA+u8H5Pbfq+dl3VDAvHxMUOVhe0wYB2zw=
 github.com/redis/go-redis/v9 v9.11.0 h1:E3S08Gl/nJNn5vkxd2i78wZxWAPNZgUNTp8WIJUAiIs=
 github.com/redis/go-redis/v9 v9.11.0/go.mod h1:huWgSWd8mW6+m0VPhJjSSQ+d6Nh1VICQ6Q5lHuCH/Iw=
 github.com/redis/go-redis/v9 v9.16.0 h1:OotgqgLSRCmzfqChbQyG1PHC3tLNR89DG4jdOERSEP4=
 github.com/redis/go-redis/v9 v9.16.0/go.mod h1:u410H11HMLoB+TP67dz8rL9s6QW2j76l0//kSOd3370=
 github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
 github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/sagikazarmark/locafero v0.9.0 h1:GbgQGNtTrEmddYDSAH9QLRyfAHY12md+8YFTqyMTC9k=
 github.com/sagikazarmark/locafero v0.9.0/go.mod h1:UBUyz37V+EdMS3hDF3QWIiVr/2dPrx49OMO0Bn0hJqk=
 github.com/sagikazarmark/locafero v0.11.0 h1:1iurJgmM9G3PA/I+wWYIOw/5SyBtxapeHDcg+AAIFXc=
 github.com/sagikazarmark/locafero v0.11.0/go.mod h1:nVIGvgyzw595SUSUE6tvCp3YYTeHs15MvlmU87WwIik=
 github.com/sourcegraph/conc v0.3.0 h1:OQTbbt6P72L20UqAkXXuLOj79LfEanQ+YQFNpLA9ySo=
 github.com/sourcegraph/conc v0.3.0/go.mod h1:Sdozi7LEKbFPqYX2/J+iBAM6HpqSLTASQIKqDmF7Mt0=
 github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8 h1:+jumHNA0Wrelhe64i8F6HNlS8pkoyMv5sreGx2Ry5Rw=
 github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8/go.mod h1:3n1Cwaq1E1/1lhQhtRK2ts/ZwZEhjcQeJQ1RuC6Q/8U=
 github.com/spf13/afero v1.14.0 h1:9tH6MapGnn/j0eb0yIXiLjERO8RB6xIVZRDCX7PtqWA=
 github.com/spf13/afero v1.14.0/go.mod h1:acJQ8t0ohCGuMN3O+Pv0V0hgMxNYDlvdk+VTfyZmbYo=
 github.com/spf13/afero v1.15.0 h1:b/YBCLWAJdFWJTN9cLhiXXcD7mzKn9Dm86dNnfyQw1I=
 github.com/spf13/afero v1.15.0/go.mod h1:NC2ByUVxtQs4b3sIUphxK0NioZnmxgyCrfzeuq8lxMg=
 github.com/spf13/cast v1.9.2 h1:SsGfm7M8QOFtEzumm7UZrZdLLquNdzFYfIbEXntcFbE=
 github.com/spf13/cast v1.9.2/go.mod h1:jNfB8QC9IA6ZuY2ZjDp0KtFO2LZZlg4S/7bzP6qqeHo=
-github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
+github.com/spf13/cast v1.10.0 h1:h2x0u2shc1QuLHfxi+cTJvs30+ZAHOGRic8uyGTDWxY=
-github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/cast v1.10.0/go.mod h1:jNfB8QC9IA6ZuY2ZjDp0KtFO2LZZlg4S/7bzP6qqeHo=
 github.com/spf13/pflag v1.0.7 h1:vN6T9TfwStFPFM5XzjsvmzZkLuaLX+HS+0SeFLRgU6M=
 github.com/spf13/pflag v1.0.7/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
 github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v1.20.1 h1:ZMi+z/lvLyPSCoNtFCpqjy0S4kPbirhpTMwl8BkW9X4=
 github.com/spf13/viper v1.20.1/go.mod h1:P9Mdzt1zoHIG8m2eZQinpiBjo6kCmZSKBClNNqjJvu4=
 github.com/spf13/viper v1.21.0 h1:x5S+0EU27Lbphp4UKm1C+1oQO+rKx36vfCoaVebLFSU=
 github.com/spf13/viper v1.21.0/go.mod h1:P0lhsswPGWD/1lZJ9ny3fYnVqxiegrlNrEmgLjbTCAY=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8=
 github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU=
 github.com/vmihailenco/msgpack/v5 v5.4.1 h1:cQriyiUvjTwOHg8QZaPihLWeRAAVoCpE00IUPn0Bjt8=
@ -183,33 +209,41 @@ go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs=
 go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
 go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.39.0 h1:SHs+kF4LP+f+p14esP5jAoDpHU8Gu/v9lFRK6IT5imM=
 golang.org/x/crypto v0.39.0/go.mod h1:L+Xg3Wf6HoL4Bn4238Z6ft6KfEpN0tJGo53AAPC632U=
 golang.org/x/crypto v0.40.0 h1:r4x+VvoG5Fm+eJcxMaY8CQM7Lb0l1lsmjGBQ6s8BfKM=
 golang.org/x/crypto v0.40.0/go.mod h1:Qr1vMER5WyS2dfPHAlsOj01wgLbsyWtFn/aY+5+ZdxY=
 golang.org/x/crypto v0.43.0 h1:dduJYIi3A3KOfdGOHX8AVZ/jGiyPa3IbBozJ5kNuE04=
 golang.org/x/crypto v0.43.0/go.mod h1:BFbav4mRNlXJL4wNeejLpWxB7wMbc79PdRGhWKncxR0=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.28.0 h1:gQBtGhjxykdjY9YhZpSlZIsbnaE2+PgjfLWUQTnoZ1U=
 golang.org/x/mod v0.28.0/go.mod h1:yfB/L0NOf/kmEbXjzCPOx1iK1fRutOydrCMsqRhEBxI=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.41.0 h1:vBTly1HeNPEn3wtREYfy4GZ/NECgw2Cnl+nK6Nz3uvw=
 golang.org/x/net v0.41.0/go.mod h1:B/K4NNqkfmg07DQYrbwvSluqCJOOXwUjeb/5lOisjbA=
 golang.org/x/net v0.42.0 h1:jzkYrhi3YQWD6MLBJcsklgQsoAcw89EcZbJw8Z614hs=
 golang.org/x/net v0.42.0/go.mod h1:FF1RA5d3u7nAYA4z2TkclSCKh68eSXtiFwcWQpPXdt8=
 golang.org/x/net v0.46.0 h1:giFlY12I07fugqwPuWJi68oOnpfqFnJIJzaIIm2JVV4=
 golang.org/x/net v0.46.0/go.mod h1:Q9BGdFy1y4nkUwiLvT5qtyhAnEHgnQ/zd8PfU6nc210=
 golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
 golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
 golang.org/x/oauth2 v0.32.0 h1:jsCblLleRMDrxMN29H3z/k1KliIvpLgCkE6R8FXXNgY=
 golang.org/x/oauth2 v0.32.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8=
 golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw=
 golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
 golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20190204203706-41f3e6584952/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@ -219,10 +253,10 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
 golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/sys v0.34.0 h1:H5Y5sJ2L2JRdyv7ROF1he/lPdvFsd0mJHFw2ThKHxLA=
 golang.org/x/sys v0.34.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/sys v0.37.0 h1:fdNQudmxPjkdUTPnLn5mdQv7Zwvbvpaxqs831goi9kQ=
 golang.org/x/sys v0.37.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
@ -234,41 +268,41 @@ golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.26.0 h1:P42AVeLghgTYr4+xUnTRKDMqpar+PtX7KWuNQL21L8M=
 golang.org/x/text v0.26.0/go.mod h1:QK15LZJUUQVJxhz7wXgxSy/CJaTFjd0G+YLonydOVQA=
 golang.org/x/text v0.27.0 h1:4fGWRpyh641NLlecmyl4LOe6yDdfaYNrGb2zdfo4JV4=
 golang.org/x/text v0.27.0/go.mod h1:1D28KMCvyooCX9hBiosv5Tz/+YLxj0j7XhWjpSUF7CU=
 golang.org/x/text v0.30.0 h1:yznKA/E9zq54KzlzBEAWn1NXSQ8DIp/NYMy88xJjl4k=
 golang.org/x/text v0.30.0/go.mod h1:yDdHFIX9t+tORqspjENWgzaCVXgk0yYnYuSZ8UzzBVM=
 golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
 golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.34.0 h1:qIpSLOxeCYGg9TrcJokLBG4KFA6d795g0xkBkiESGlo=
 golang.org/x/tools v0.34.0/go.mod h1:pAP9OwEaY1CAW3HOmg3hLZC5Z0CCmzjAF2UQMSqNARg=
 golang.org/x/tools v0.35.0 h1:mBffYraMEf7aa0sB+NuKnuCy8qI/9Bughn8dC2Gu5r0=
 golang.org/x/tools v0.35.0/go.mod h1:NKdj5HkL/73byiZSJjqJgKn3ep7KjFkBOkR/Hps3VPw=
 golang.org/x/tools v0.37.0 h1:DVSRzp7FwePZW356yEAChSdNcQo6Nsp+fex1SUW09lE=
 golang.org/x/tools v0.37.0/go.mod h1:MBN5QPQtLMHVdvsbtarmTNukZDdgwdwlO5qGacAzF0w=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/api v0.240.0 h1:PxG3AA2UIqT1ofIzWV2COM3j3JagKTKSwy7L6RHNXNU=
 google.golang.org/api v0.240.0/go.mod h1:cOVEm2TpdAGHL2z+UwyS+kmlGr3bVWQQ6sYEqkKje50=
 google.golang.org/api v0.241.0 h1:QKwqWQlkc6O895LchPEDUSYr22Xp3NCxpQRiWTB6avE=
 google.golang.org/api v0.241.0/go.mod h1:cOVEm2TpdAGHL2z+UwyS+kmlGr3bVWQQ6sYEqkKje50=
 google.golang.org/api v0.242.0 h1:7Lnb1nfnpvbkCiZek6IXKdJ0MFuAZNAJKQfA1ws62xg=
 google.golang.org/api v0.242.0/go.mod h1:cOVEm2TpdAGHL2z+UwyS+kmlGr3bVWQQ6sYEqkKje50=
-google.golang.org/genproto v0.0.0-20250505200425-f936aa4a68b2 h1:1tXaIXCracvtsRxSBsYDiSBN0cuJvM7QYW+MrpIRY78=
+google.golang.org/api v0.253.0 h1:apU86Eq9Q2eQco3NsUYFpVTfy7DwemojL7LmbAj7g/I=
-google.golang.org/genproto v0.0.0-20250505200425-f936aa4a68b2/go.mod h1:49MsLSx0oWMOZqcpB3uL8ZOkAh1+TndpJ8ONoCBWiZk=
+google.golang.org/api v0.253.0/go.mod h1:PX09ad0r/4du83vZVAaGg7OaeyGnaUmT/CYPNvtLCbw=
 google.golang.org/genproto v0.0.0-20250603155806-513f23925822 h1:rHWScKit0gvAPuOnu87KpaYtjK5zBMLcULh7gxkCXu4=
-google.golang.org/genproto/googleapis/api v0.0.0-20250505200425-f936aa4a68b2 h1:vPV0tzlsK6EzEDHNNH5sa7Hs9bd7iXR7B1tSiPepkV0=
+google.golang.org/genproto v0.0.0-20250603155806-513f23925822/go.mod h1:HubltRL7rMh0LfnQPkMH4NPDFEWp0jw3vixw7jEM53s=
 google.golang.org/genproto/googleapis/api v0.0.0-20250505200425-f936aa4a68b2/go.mod h1:pKLAc5OolXC3ViWGI62vvC0n10CpwAtRcTNCFwTKBEw=
 google.golang.org/genproto/googleapis/api v0.0.0-20250603155806-513f23925822 h1:oWVWY3NzT7KJppx2UKhKmzPq4SRe0LdCijVRwvGeikY=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822 h1:fc6jSaCT0vBduLYZHYrBBNY4dsWuvgyff9noRNDdBeE=
+google.golang.org/genproto/googleapis/api v0.0.0-20250603155806-513f23925822/go.mod h1:h3c4v36UTKzUiuaOKQ6gr3S+0hovBtUrXzTG/i3+XEc=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20250707201910-8d1bb00bc6a7 h1:pFyd6EwwL2TqFf8emdthzeX+gZE1ElRq3iM8pui4KBY=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20250707201910-8d1bb00bc6a7/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20251014184007-4626949a642f h1:1FTH6cpXFsENbPR5Bu8NQddPSaUUE6NA2XdZdDSAJK4=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20251014184007-4626949a642f/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk=
 google.golang.org/grpc v1.73.0 h1:VIWSmpI2MegBtTuFt5/JWy2oXxtjJ/e89Z70ImfD2ok=
 google.golang.org/grpc v1.73.0/go.mod h1:50sbHOUqWoCQGI8V2HQLJM0B+LMlIUjNSZmow7EVBQc=
 google.golang.org/grpc v1.76.0 h1:UnVkv1+uMLYXoIz6o7chp59WfQUYA2ex/BXQ9rHZu7A=
 google.golang.org/grpc v1.76.0/go.mod h1:Ju12QI8M6iQJtbcsV+awF5a4hfJMLi4X0JLo94ULZ6c=
 google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
 google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
 google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aOOE=
 google.golang.org/protobuf v1.36.10/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
@ -280,7 +314,7 @@ gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 k8s.io/apimachinery v0.33.2 h1:IHFVhqg59mb8PJWTLi8m1mAoepkUNYmptHsV+Z1m5jY=
 k8s.io/apimachinery v0.33.2/go.mod h1:BHW0YOu7n22fFv/JkYOEfkUYNRN0fj0BlvMFWA7b+SM=
 k8s.io/apimachinery v0.33.3 h1:4ZSrmNa0c/ZpZJhAgRdcsFcZOw1PQU1bALVQ0B3I5LA=
 k8s.io/apimachinery v0.33.3/go.mod h1:BHW0YOu7n22fFv/JkYOEfkUYNRN0fj0BlvMFWA7b+SM=
 k8s.io/apimachinery v0.34.1 h1:dTlxFls/eikpJxmAC7MVE8oOeP1zryV7iRyIjB0gky4=
 k8s.io/apimachinery v0.34.1/go.mod h1:/GwIlEcWuTX9zKIg2mbw0LRFIsXwrfoVxn+ef0X13lw=
--- a/pkg/apis/sessions/session_state.go
+++ b/pkg/apis/sessions/session_state.go
@ -7,7 +7,6 @@ import (
 	"io"
 	"time"
 	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/clock"
 	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/encryption"
 	"github.com/pierrec/lz4/v4"
 	"github.com/vmihailenco/msgpack/v5"
@ -30,8 +29,15 @@ type SessionState struct {
 	PreferredUsername string   `msgpack:"pu,omitempty"`
 	// Internal helpers, not serialized
-	Clock clock.Clock `msgpack:"-"`
+	Clock func() time.Time `msgpack:"-"` // override for time.Now, for testing
-	Lock  Lock        `msgpack:"-"`
+	Lock  Lock             `msgpack:"-"`
 }
 func (s *SessionState) now() time.Time {
 	if s.Clock != nil {
 		return s.Clock()
 	}
 	return time.Now()
 }
 func (s *SessionState) ObtainLock(ctx context.Context, expiration time.Duration) error {
@ -64,7 +70,7 @@ func (s *SessionState) PeekLock(ctx context.Context) (bool, error) {
 // CreatedAtNow sets a SessionState's CreatedAt to now
 func (s *SessionState) CreatedAtNow() {
-	now := s.Clock.Now()
+	now := s.now()
 	s.CreatedAt = &now
 }
@ -85,7 +91,7 @@ func (s *SessionState) ExpiresIn(d time.Duration) {
 // IsExpired checks whether the session has expired
 func (s *SessionState) IsExpired() bool {
-	if s.ExpiresOn != nil && !s.ExpiresOn.IsZero() && s.ExpiresOn.Before(s.Clock.Now()) {
+	if s.ExpiresOn != nil && !s.ExpiresOn.IsZero() && s.ExpiresOn.Before(s.now()) {
 		return true
 	}
 	return false
@ -94,7 +100,7 @@ func (s *SessionState) IsExpired() bool {
 // Age returns the age of a session
 func (s *SessionState) Age() time.Duration {
 	if s.CreatedAt != nil && !s.CreatedAt.IsZero() {
-		return s.Clock.Now().Truncate(time.Second).Sub(*s.CreatedAt)
+		return s.now().Truncate(time.Second).Sub(*s.CreatedAt)
 	}
 	return 0
 }
--- a/pkg/apis/sessions/session_state_test.go
+++ b/pkg/apis/sessions/session_state_test.go
@ -22,7 +22,7 @@ func TestCreatedAtNow(t *testing.T) {
 	ss := &SessionState{}
 	now := time.Unix(1234567890, 0)
-	ss.Clock.Set(now)
+	ss.Clock = func() time.Time { return now }
 	ss.CreatedAtNow()
 	g.Expect(*ss.CreatedAt).To(Equal(now))
@ -33,9 +33,9 @@ func TestExpiresIn(t *testing.T) {
 	ss := &SessionState{}
 	now := time.Unix(1234567890, 0)
-	ss.Clock.Set(now)
+	ss.Clock = func() time.Time { return now }
-	ttl := time.Duration(743) * time.Second
+	ttl := 743 * time.Second
 	ss.ExpiresIn(ttl)
 	g.Expect(*ss.ExpiresOn).To(Equal(ss.CreatedAt.Add(ttl)))
--- a/pkg/clock/clock.go
+++ b/pkg/clock/clock.go
@ -1,157 +0,0 @@
 package clock
 import (
 	"errors"
 	"sync"
 	"time"
 	clockapi "github.com/benbjohnson/clock"
 )
 var (
 	globalClock = clockapi.New()
 	mu          sync.Mutex
 )
 // Set the global clock to a clockapi.Mock with the given time.Time
 func Set(t time.Time) {
 	mu.Lock()
 	defer mu.Unlock()
 	mock, ok := globalClock.(*clockapi.Mock)
 	if !ok {
 		mock = clockapi.NewMock()
 	}
 	mock.Set(t)
 	globalClock = mock
 }
 // Add moves the mocked global clock forward the given duration. It will error
 // if the global clock is not mocked.
 func Add(d time.Duration) error {
 	mu.Lock()
 	defer mu.Unlock()
 	mock, ok := globalClock.(*clockapi.Mock)
 	if !ok {
 		return errors.New("time not mocked")
 	}
 	mock.Add(d)
 	return nil
 }
 // Reset sets the global clock to a pure time implementation. Returns any
 // existing Mock if set in case lingering time operations are attached to it.
 func Reset() *clockapi.Mock {
 	mu.Lock()
 	defer mu.Unlock()
 	existing := globalClock
 	globalClock = clockapi.New()
 	mock, ok := existing.(*clockapi.Mock)
 	if !ok {
 		return nil
 	}
 	return mock
 }
 // Clock is a non-package level wrapper around time that supports stubbing.
 // It will use its localized stubs (allowing for parallelized unit tests
 // where package level stubbing would cause issues). It falls back to any
 // package level time stubs for non-parallel, cross-package integration
 // testing scenarios.
 //
 // If nothing is stubbed, it defaults to default time behavior in the time
 // package.
 type Clock struct {
 	mock *clockapi.Mock
 }
 // Set sets the Clock to a clock.Mock at the given time.Time
 func (c *Clock) Set(t time.Time) {
 	if c.mock == nil {
 		c.mock = clockapi.NewMock()
 	}
 	c.mock.Set(t)
 }
 // Add moves clock forward time.Duration if it is mocked. It will error
 // if the clock is not mocked.
 func (c *Clock) Add(d time.Duration) error {
 	if c.mock == nil {
 		return errors.New("clock not mocked")
 	}
 	c.mock.Add(d)
 	return nil
 }
 // Reset removes local clock.Mock.  Returns any existing Mock if set in case
 // lingering time operations are attached to it.
 func (c *Clock) Reset() *clockapi.Mock {
 	existing := c.mock
 	c.mock = nil
 	return existing
 }
 func (c *Clock) After(d time.Duration) <-chan time.Time {
 	m := c.mock
 	if m == nil {
 		return globalClock.After(d)
 	}
 	return m.After(d)
 }
 func (c *Clock) AfterFunc(d time.Duration, f func()) *clockapi.Timer {
 	m := c.mock
 	if m == nil {
 		return globalClock.AfterFunc(d, f)
 	}
 	return m.AfterFunc(d, f)
 }
 func (c *Clock) Now() time.Time {
 	m := c.mock
 	if m == nil {
 		return globalClock.Now()
 	}
 	return m.Now()
 }
 func (c *Clock) Since(t time.Time) time.Duration {
 	m := c.mock
 	if m == nil {
 		return globalClock.Since(t)
 	}
 	return m.Since(t)
 }
 func (c *Clock) Sleep(d time.Duration) {
 	m := c.mock
 	if m == nil {
 		globalClock.Sleep(d)
 		return
 	}
 	m.Sleep(d)
 }
 func (c *Clock) Tick(d time.Duration) <-chan time.Time {
 	m := c.mock
 	if m == nil {
 		return globalClock.Tick(d)
 	}
 	return m.Tick(d)
 }
 func (c *Clock) Ticker(d time.Duration) *clockapi.Ticker {
 	m := c.mock
 	if m == nil {
 		return globalClock.Ticker(d)
 	}
 	return m.Ticker(d)
 }
 func (c *Clock) Timer(d time.Duration) *clockapi.Timer {
 	m := c.mock
 	if m == nil {
 		return globalClock.Timer(d)
 	}
 	return m.Timer(d)
 }
--- a/pkg/clock/clock_suite_test.go
+++ b/pkg/clock/clock_suite_test.go
@ -1,17 +0,0 @@
 package clock_test
 import (
 	"testing"
 	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 )
 func TestClockSuite(t *testing.T) {
 	logger.SetOutput(GinkgoWriter)
 	logger.SetErrOutput(GinkgoWriter)
 	RegisterFailHandler(Fail)
 	RunSpecs(t, "Clock")
 }
--- a/pkg/clock/clock_test.go
+++ b/pkg/clock/clock_test.go
@ -1,380 +0,0 @@
 package clock_test
 import (
 	"sync"
 	"sync/atomic"
 	"time"
 	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/clock"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 )
 const (
 	testGlobalEpoch = 1000000000
 	testLocalEpoch  = 1234567890
 )
 var _ = Describe("Clock suite", func() {
 	var testClock = clock.Clock{}
 	AfterEach(func() {
 		clock.Reset()
 		testClock.Reset()
 	})
 	Context("Global time not overridden", func() {
 		It("errors when trying to Add", func() {
 			err := clock.Add(123 * time.Hour)
 			Expect(err).To(HaveOccurred())
 		})
 		Context("Clock not mocked via Set", func() {
 			const (
 				outsideTolerance = int32(0)
 				withinTolerance  = int32(1)
 			)
 			It("uses time.After for After", func() {
 				var tolerance int32
 				go func() {
 					time.Sleep(10 * time.Millisecond)
 					atomic.StoreInt32(&tolerance, withinTolerance)
 				}()
 				go func() {
 					time.Sleep(30 * time.Millisecond)
 					atomic.StoreInt32(&tolerance, outsideTolerance)
 				}()
 				Expect(atomic.LoadInt32(&tolerance)).To(Equal(outsideTolerance))
 				<-testClock.After(20 * time.Millisecond)
 				Expect(atomic.LoadInt32(&tolerance)).To(Equal(withinTolerance))
 				<-testClock.After(20 * time.Millisecond)
 				Expect(atomic.LoadInt32(&tolerance)).To(Equal(outsideTolerance))
 			})
 			It("uses time.AfterFunc for AfterFunc", func() {
 				var tolerance int32
 				go func() {
 					time.Sleep(10 * time.Millisecond)
 					atomic.StoreInt32(&tolerance, withinTolerance)
 				}()
 				go func() {
 					time.Sleep(30 * time.Millisecond)
 					atomic.StoreInt32(&tolerance, outsideTolerance)
 				}()
 				Expect(atomic.LoadInt32(&tolerance)).To(Equal(outsideTolerance))
 				var wg sync.WaitGroup
 				wg.Add(1)
 				testClock.AfterFunc(20*time.Millisecond, func() {
 					wg.Done()
 				})
 				wg.Wait()
 				Expect(atomic.LoadInt32(&tolerance)).To(Equal(withinTolerance))
 				wg.Add(1)
 				testClock.AfterFunc(20*time.Millisecond, func() {
 					wg.Done()
 				})
 				wg.Wait()
 				Expect(atomic.LoadInt32(&tolerance)).To(Equal(outsideTolerance))
 			})
 			It("uses time.Now for Now", func() {
 				a := time.Now()
 				b := testClock.Now()
 				Expect(b.Sub(a).Round(10 * time.Millisecond)).To(Equal(0 * time.Millisecond))
 			})
 			It("uses time.Since for Since", func() {
 				past := time.Now().Add(-60 * time.Second)
 				Expect(time.Since(past).Round(10 * time.Millisecond)).
 					To(Equal(60 * time.Second))
 			})
 			It("uses time.Sleep for Sleep", func() {
 				var tolerance int32
 				go func() {
 					time.Sleep(10 * time.Millisecond)
 					atomic.StoreInt32(&tolerance, withinTolerance)
 				}()
 				go func() {
 					time.Sleep(30 * time.Millisecond)
 					atomic.StoreInt32(&tolerance, outsideTolerance)
 				}()
 				Expect(atomic.LoadInt32(&tolerance)).To(Equal(outsideTolerance))
 				testClock.Sleep(20 * time.Millisecond)
 				Expect(atomic.LoadInt32(&tolerance)).To(Equal(withinTolerance))
 				testClock.Sleep(20 * time.Millisecond)
 				Expect(atomic.LoadInt32(&tolerance)).To(Equal(outsideTolerance))
 			})
 			It("uses time.Tick for Tick", func() {
 				var tolerance int32
 				go func() {
 					time.Sleep(10 * time.Millisecond)
 					atomic.StoreInt32(&tolerance, withinTolerance)
 				}()
 				go func() {
 					time.Sleep(50 * time.Millisecond)
 					atomic.StoreInt32(&tolerance, outsideTolerance)
 				}()
 				ch := testClock.Tick(20 * time.Millisecond)
 				Expect(atomic.LoadInt32(&tolerance)).To(Equal(outsideTolerance))
 				<-ch
 				Expect(atomic.LoadInt32(&tolerance)).To(Equal(withinTolerance))
 				<-ch
 				Expect(atomic.LoadInt32(&tolerance)).To(Equal(withinTolerance))
 				<-ch
 				Expect(atomic.LoadInt32(&tolerance)).To(Equal(outsideTolerance))
 			})
 			It("uses time.Ticker for Ticker", func() {
 				var tolerance int32
 				go func() {
 					time.Sleep(10 * time.Millisecond)
 					atomic.StoreInt32(&tolerance, withinTolerance)
 				}()
 				go func() {
 					time.Sleep(50 * time.Millisecond)
 					atomic.StoreInt32(&tolerance, outsideTolerance)
 				}()
 				ticker := testClock.Ticker(20 * time.Millisecond)
 				Expect(atomic.LoadInt32(&tolerance)).To(Equal(outsideTolerance))
 				<-ticker.C
 				Expect(atomic.LoadInt32(&tolerance)).To(Equal(withinTolerance))
 				<-ticker.C
 				Expect(atomic.LoadInt32(&tolerance)).To(Equal(withinTolerance))
 				<-ticker.C
 				Expect(atomic.LoadInt32(&tolerance)).To(Equal(outsideTolerance))
 			})
 			It("errors if Add is used", func() {
 				err := testClock.Add(100 * time.Second)
 				Expect(err).To(HaveOccurred())
 			})
 		})
 		Context("Clock mocked via Set", func() {
 			var now = time.Unix(testLocalEpoch, 0)
 			BeforeEach(func() {
 				testClock.Set(now)
 			})
 			It("mocks After", func() {
 				var after int32
 				ready := make(chan struct{})
 				ch := testClock.After(10 * time.Second)
 				go func(ch <-chan time.Time) {
 					close(ready)
 					<-ch
 					atomic.StoreInt32(&after, 1)
 				}(ch)
 				<-ready
 				err := testClock.Add(9 * time.Second)
 				Expect(err).ToNot(HaveOccurred())
 				Expect(atomic.LoadInt32(&after)).To(Equal(int32(0)))
 				err = testClock.Add(1 * time.Second)
 				Expect(err).ToNot(HaveOccurred())
 				Expect(atomic.LoadInt32(&after)).To(Equal(int32(1)))
 			})
 			It("mocks AfterFunc", func() {
 				var after int32
 				testClock.AfterFunc(10*time.Second, func() {
 					atomic.StoreInt32(&after, 1)
 				})
 				err := testClock.Add(9 * time.Second)
 				Expect(err).ToNot(HaveOccurred())
 				Expect(atomic.LoadInt32(&after)).To(Equal(int32(0)))
 				err = testClock.Add(1 * time.Second)
 				Expect(err).ToNot(HaveOccurred())
 				Expect(atomic.LoadInt32(&after)).To(Equal(int32(1)))
 			})
 			It("mocks AfterFunc with a stopped timer", func() {
 				var after int32
 				timer := testClock.AfterFunc(10*time.Second, func() {
 					atomic.StoreInt32(&after, 1)
 				})
 				timer.Stop()
 				err := testClock.Add(11 * time.Second)
 				Expect(err).ToNot(HaveOccurred())
 				Expect(atomic.LoadInt32(&after)).To(Equal(int32(0)))
 			})
 			It("mocks Now", func() {
 				Expect(testClock.Now()).To(Equal(now))
 				err := testClock.Add(123 * time.Hour)
 				Expect(err).ToNot(HaveOccurred())
 				Expect(testClock.Now()).To(Equal(now.Add(123 * time.Hour)))
 			})
 			It("mocks Since", func() {
 				Expect(testClock.Since(time.Unix(testLocalEpoch-100, 0))).
 					To(Equal(100 * time.Second))
 			})
 			It("mocks Sleep", func() {
 				var after int32
 				ready := make(chan struct{})
 				go func() {
 					close(ready)
 					testClock.Sleep(10 * time.Second)
 					atomic.StoreInt32(&after, 1)
 				}()
 				<-ready
 				err := testClock.Add(9 * time.Second)
 				Expect(err).ToNot(HaveOccurred())
 				Expect(atomic.LoadInt32(&after)).To(Equal(int32(0)))
 				err = testClock.Add(1 * time.Second)
 				Expect(err).ToNot(HaveOccurred())
 				Expect(atomic.LoadInt32(&after)).To(Equal(int32(1)))
 			})
 			It("mocks Tick", func() {
 				var ticks int32
 				ready := make(chan struct{})
 				go func() {
 					close(ready)
 					tick := testClock.Tick(10 * time.Second)
 					for ticks < 5 {
 						<-tick
 						atomic.AddInt32(&ticks, 1)
 					}
 				}()
 				<-ready
 				Expect(atomic.LoadInt32(&ticks)).To(Equal(int32(0)))
 				err := testClock.Add(9 * time.Second)
 				Expect(err).ToNot(HaveOccurred())
 				Expect(atomic.LoadInt32(&ticks)).To(Equal(int32(0)))
 				err = testClock.Add(1 * time.Second)
 				Expect(err).ToNot(HaveOccurred())
 				Expect(atomic.LoadInt32(&ticks)).To(Equal(int32(1)))
 				err = testClock.Add(30 * time.Second)
 				Expect(err).ToNot(HaveOccurred())
 				Expect(atomic.LoadInt32(&ticks)).To(Equal(int32(4)))
 				err = testClock.Add(10 * time.Second)
 				Expect(err).ToNot(HaveOccurred())
 				Expect(atomic.LoadInt32(&ticks)).To(Equal(int32(5)))
 			})
 			It("mocks Ticker", func() {
 				var ticks int32
 				ready := make(chan struct{})
 				go func() {
 					ticker := testClock.Ticker(10 * time.Second)
 					close(ready)
 					for ticks < 5 {
 						<-ticker.C
 						atomic.AddInt32(&ticks, 1)
 					}
 				}()
 				<-ready
 				Expect(atomic.LoadInt32(&ticks)).To(Equal(int32(0)))
 				err := testClock.Add(9 * time.Second)
 				Expect(err).ToNot(HaveOccurred())
 				Expect(atomic.LoadInt32(&ticks)).To(Equal(int32(0)))
 				err = testClock.Add(1 * time.Second)
 				Expect(err).ToNot(HaveOccurred())
 				Expect(atomic.LoadInt32(&ticks)).To(Equal(int32(1)))
 				err = testClock.Add(30 * time.Second)
 				Expect(err).ToNot(HaveOccurred())
 				Expect(atomic.LoadInt32(&ticks)).To(Equal(int32(4)))
 				err = testClock.Add(10 * time.Second)
 				Expect(err).ToNot(HaveOccurred())
 				Expect(atomic.LoadInt32(&ticks)).To(Equal(int32(5)))
 			})
 			It("mocks Timer", func() {
 				var after int32
 				ready := make(chan struct{})
 				go func() {
 					timer := testClock.Timer(10 * time.Second)
 					close(ready)
 					<-timer.C
 					atomic.AddInt32(&after, 1)
 				}()
 				<-ready
 				err := testClock.Add(9 * time.Second)
 				Expect(err).ToNot(HaveOccurred())
 				Expect(atomic.LoadInt32(&after)).To(Equal(int32(0)))
 				err = testClock.Add(1 * time.Second)
 				Expect(err).ToNot(HaveOccurred())
 				Expect(atomic.LoadInt32(&after)).To(Equal(int32(1)))
 			})
 		})
 	})
 	Context("Global time overridden", func() {
 		var (
 			globalNow = time.Unix(testGlobalEpoch, 0)
 			localNow  = time.Unix(testLocalEpoch, 0)
 		)
 		BeforeEach(func() {
 			clock.Set(globalNow)
 		})
 		Context("Clock not mocked via Set", func() {
 			It("uses globally mocked Now", func() {
 				Expect(testClock.Now()).To(Equal(globalNow))
 				err := clock.Add(123 * time.Hour)
 				Expect(err).ToNot(HaveOccurred())
 				Expect(testClock.Now()).To(Equal(globalNow.Add(123 * time.Hour)))
 			})
 			It("errors when Add is called on the local Clock", func() {
 				err := testClock.Add(100 * time.Hour)
 				Expect(err).To(HaveOccurred())
 			})
 		})
 		Context("Clock is mocked via Set", func() {
 			BeforeEach(func() {
 				testClock.Set(localNow)
 			})
 			It("uses the local mock and ignores the global", func() {
 				Expect(testClock.Now()).To(Equal(localNow))
 				err := clock.Add(456 * time.Hour)
 				Expect(err).ToNot(HaveOccurred())
 				err = testClock.Add(123 * time.Hour)
 				Expect(err).ToNot(HaveOccurred())
 				Expect(testClock.Now()).To(Equal(localNow.Add(123 * time.Hour)))
 			})
 		})
 	})
 })
--- a/pkg/cookies/csrf.go
+++ b/pkg/cookies/csrf.go
@ -10,7 +10,6 @@ import (
 	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options"
 	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions"
 	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/clock"
 	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/encryption"
 	"github.com/vmihailenco/msgpack/v5"
 )
@ -47,7 +46,7 @@ type csrf struct {
 	CodeVerifier string `msgpack:"cv,omitempty"`
 	cookieOpts *options.Cookie
-	time       clock.Clock
+	clock      func() time.Time
 }
 // csrtStateTrim will indicate the length of the state trimmed for the name of the csrf cookie
@ -70,6 +69,7 @@ func NewCSRF(opts *options.Cookie, codeVerifier string) (CSRF, error) {
 		CodeVerifier: codeVerifier,
 		cookieOpts: opts,
 		clock:      time.Now,
 	}, nil
 }
@ -187,7 +187,7 @@ func ClearExtraCsrfCookies(opts *options.Cookie, rw http.ResponseWriter, req *ht
 	// delete the X oldest cookies
 	slices.SortStableFunc(decodedCookies, func(a, b *csrf) int {
-		return a.time.Now().Compare(b.time.Now())
+		return a.clock().Compare(b.clock())
 	})
 	for i := 0; i < len(decodedCookies)-opts.CSRFPerRequestLimit; i++ {
@ -223,7 +223,7 @@ func (c *csrf) encodeCookie() (string, error) {
 	if err != nil {
 		return "", fmt.Errorf("error getting cookie secret: %v", err)
 	}
-	return encryption.SignedValue(secret, c.cookieName(), encrypted, c.time.Now())
+	return encryption.SignedValue(secret, c.cookieName(), encrypted, c.clock())
 }
 // decodeCSRFCookie validates the signature then decrypts and decodes a CSRF
@ -249,10 +249,10 @@ func decodeCSRFCookie(cookie *http.Cookie, opts *options.Cookie) (*csrf, error)
 // unmarshalCSRF unmarshals decrypted data into a CSRF struct
 func unmarshalCSRF(decrypted []byte, opts *options.Cookie, csrfTime time.Time) (*csrf, error) {
-	clock := clock.Clock{}
+	csrf := &csrf{
-	clock.Set(csrfTime)
+		cookieOpts: opts,
-
+		clock:      func() time.Time { return csrfTime },
-	csrf := &csrf{cookieOpts: opts, time: clock}
+	}
 	if err := msgpack.Unmarshal(decrypted, csrf); err != nil {
 		return nil, fmt.Errorf("error unmarshalling data to CSRF: %v", err)
 	}
--- a/pkg/cookies/csrf_per_request_test.go
+++ b/pkg/cookies/csrf_per_request_test.go
@ -128,7 +128,7 @@ var _ = Describe("CSRF Cookie with non-fixed name Tests", func() {
 		testNow := time.Unix(nowEpoch, 0)
 		BeforeEach(func() {
-			privateCSRF.time.Set(testNow)
+			privateCSRF.clock = func() time.Time { return testNow }
 			req = &http.Request{
 				Method: http.MethodGet,
@ -144,7 +144,7 @@ var _ = Describe("CSRF Cookie with non-fixed name Tests", func() {
 		})
 		AfterEach(func() {
-			privateCSRF.time.Reset()
+			privateCSRF.clock = time.Now
 		})
 		Context("SetCookie", func() {
@ -200,17 +200,17 @@ var _ = Describe("CSRF Cookie with non-fixed name Tests", func() {
 				publicCSRF1, err := NewCSRF(cookieOpts, "verifier")
 				Expect(err).ToNot(HaveOccurred())
 				privateCSRF1 := publicCSRF1.(*csrf)
-				privateCSRF1.time.Set(testNow)
+				privateCSRF1.clock = func() time.Time { return testNow }
 				publicCSRF2, err := NewCSRF(cookieOpts, "verifier")
 				Expect(err).ToNot(HaveOccurred())
 				privateCSRF2 := publicCSRF2.(*csrf)
-				privateCSRF2.time.Set(testNow.Add(time.Minute))
+				privateCSRF2.clock = func() time.Time { return testNow.Add(time.Minute) }
 				publicCSRF3, err := NewCSRF(cookieOpts, "verifier")
 				Expect(err).ToNot(HaveOccurred())
 				privateCSRF3 := publicCSRF3.(*csrf)
-				privateCSRF3.time.Set(testNow.Add(time.Minute * 2))
+				privateCSRF3.clock = func() time.Time { return testNow.Add(time.Minute * 2) }
 				cookies := []string{}
 				for _, csrf := range []*csrf{privateCSRF1, privateCSRF2, privateCSRF3} {
--- a/pkg/cookies/csrf_test.go
+++ b/pkg/cookies/csrf_test.go
@ -130,7 +130,7 @@ var _ = Describe("CSRF Cookie Tests", func() {
 		testNow := time.Unix(nowEpoch, 0)
 		BeforeEach(func() {
-			privateCSRF.time.Set(testNow)
+			privateCSRF.clock = func() time.Time { return testNow }
 			req = &http.Request{
 				Method: http.MethodGet,
@ -146,7 +146,7 @@ var _ = Describe("CSRF Cookie Tests", func() {
 		})
 		AfterEach(func() {
-			privateCSRF.time.Reset()
+			privateCSRF.clock = time.Now
 		})
 		Context("SetCookie", func() {
@ -173,7 +173,7 @@ var _ = Describe("CSRF Cookie Tests", func() {
 		Context("LoadCSRFCookie", func() {
 			BeforeEach(func() {
 				// we need to reset the time to ensure the cookie is valid
-				privateCSRF.time.Reset()
+				privateCSRF.clock = time.Now
 			})
 			It("should return error when no cookie is set", func() {
--- a/pkg/middleware/stored_session_test.go
+++ b/pkg/middleware/stored_session_test.go
@ -11,7 +11,6 @@ import (
 	middlewareapi "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/middleware"
 	sessionsapi "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions"
 	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/clock"
 	"github.com/oauth2-proxy/oauth2-proxy/v7/providers"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
@ -95,6 +94,7 @@ var _ = Describe("Stored Session Suite", func() {
 		now := time.Now()
 		createdPast := now.Add(-5 * time.Minute)
 		createdFuture := now.Add(5 * time.Minute)
 		clock := func() time.Time { return now }
 		var defaultRefreshFunc = func(_ context.Context, ss *sessionsapi.SessionState) (bool, error) {
 			switch ss.RefreshToken {
@ -120,6 +120,7 @@ var _ = Describe("Stored Session Suite", func() {
 						RefreshToken: noRefresh,
 						CreatedAt:    &createdPast,
 						ExpiresOn:    &createdFuture,
 						Clock:        clock,
 					}, nil
 				case "_oauth2_proxy=InvalidNoRefreshSession":
 					return &sessionsapi.SessionState{
@ -127,24 +128,28 @@ var _ = Describe("Stored Session Suite", func() {
 						RefreshToken: noRefresh,
 						CreatedAt:    &createdPast,
 						ExpiresOn:    &createdFuture,
 						Clock:        clock,
 					}, nil
 				case "_oauth2_proxy=ExpiredNoRefreshSession":
 					return &sessionsapi.SessionState{
 						RefreshToken: noRefresh,
 						CreatedAt:    &createdPast,
 						ExpiresOn:    &createdPast,
 						Clock:        clock,
 					}, nil
 				case "_oauth2_proxy=RefreshSession":
 					return &sessionsapi.SessionState{
 						RefreshToken: refresh,
 						CreatedAt:    &createdPast,
 						ExpiresOn:    &createdFuture,
 						Clock:        clock,
 					}, nil
 				case "_oauth2_proxy=RefreshError":
 					return &sessionsapi.SessionState{
 						RefreshToken: "RefreshError",
 						CreatedAt:    &createdPast,
 						ExpiresOn:    &createdFuture,
 						Clock:        clock,
 					}, nil
 				case "_oauth2_proxy=NonExistent":
 					return nil, fmt.Errorf("invalid cookie")
@ -154,14 +159,6 @@ var _ = Describe("Stored Session Suite", func() {
 			},
 		}
 		BeforeEach(func() {
 			clock.Set(now)
 		})
 		AfterEach(func() {
 			clock.Reset()
 		})
 		type storedSessionLoaderTableInput struct {
 			requestHeaders  http.Header
 			existingSession *sessionsapi.SessionState
@ -200,7 +197,15 @@ var _ = Describe("Stored Session Suite", func() {
 				}))
 				handler.ServeHTTP(rw, req)
-				Expect(gotSession).To(Equal(in.expectedSession))
+				// Compare, ignoring testing Clock.
 				if in.expectedSession == nil {
 					Expect(gotSession).To(BeNil())
 					return
 				}
 				Expect(gotSession).ToNot(BeNil())
 				got := *gotSession
 				got.Clock = nil
 				Expect(&got).To(Equal(in.expectedSession))
 			},
 			Entry("with no cookie", storedSessionLoaderTableInput{
 				requestHeaders:  http.Header{},
--- a/pkg/sessions/persistence/ticket.go
+++ b/pkg/sessions/persistence/ticket.go
@ -233,12 +233,17 @@ func (t *ticket) clearCookie(rw http.ResponseWriter, req *http.Request) {
 // makeCookie makes a cookie, signing the value if present
 func (t *ticket) makeCookie(req *http.Request, value string, expires time.Duration, now time.Time) (*http.Cookie, error) {
 	if value != "" {
-		var err error
+		secret, err := t.options.GetSecret()
 		value, err = encryption.SignedValue(t.options.Secret, t.options.Name, []byte(value), now)
 		if err != nil {
-			return nil, err
+			return nil, fmt.Errorf("retrieving secret failed: %w", err)
 		}
 		value, err = encryption.SignedValue(secret, t.options.Name, []byte(value), now)
 		if err != nil {
 			return nil, fmt.Errorf("signing cookie value failed: %w", err)
 		}
 	}
 	return cookies.MakeCookieFromOptions(
 		req,
 		t.options.Name,
--- a/pkg/sessions/tests/session_store_tests.go
+++ b/pkg/sessions/tests/session_store_tests.go
@ -4,6 +4,7 @@ import (
 	"crypto/rand"
 	"net/http"
 	"net/http/httptest"
 	"os"
 	"strconv"
 	"strings"
 	"time"
@ -133,6 +134,42 @@ func RunSessionStoreTests(newSS NewSessionStoreFunc, persistentFastForward Persi
 				PersistentSessionStoreInterfaceTests(&input)
 			}
 		})
 		Context("with cookie secret file", func() {
 			var tmpfile *os.File
 			var err error
 			BeforeEach(func() {
 				tmpfile, err = os.CreateTemp("", "cookie-secret-test")
 				secretBytes := make([]byte, 32)
 				tmpfile.Write(secretBytes)
 				tmpfile.Close()
 				input.cookieOpts = &options.Cookie{
 					Name:       "_oauth2_proxy_file",
 					Path:       "/",
 					Expire:     time.Duration(168) * time.Hour,
 					Refresh:    time.Duration(1) * time.Hour,
 					Secure:     true,
 					HTTPOnly:   true,
 					SameSite:   "",
 					Secret:     "",
 					SecretFile: tmpfile.Name(),
 				}
 				ss, err = newSS(opts, input.cookieOpts)
 				Expect(err).ToNot(HaveOccurred())
 			})
 			AfterEach(func() {
 				if tmpfile != nil {
 					os.Remove(tmpfile.Name())
 				}
 			})
 			SessionStoreInterfaceTests(&input)
 			if persistentFastForward != nil {
 				PersistentSessionStoreInterfaceTests(&input)
 			}
 		})
 	})
 }
--- a/providers/provider_default_test.go
+++ b/providers/provider_default_test.go
@ -17,8 +17,9 @@ func TestRefresh(t *testing.T) {
 	now := time.Unix(1234567890, 10)
 	expires := time.Unix(1234567890, 0)
-	ss := &sessions.SessionState{}
+	ss := &sessions.SessionState{
-	ss.Clock.Set(now)
+		Clock: func() time.Time { return now },
 	}
 	ss.SetExpiresOn(expires)
 	refreshed, err := p.RefreshSession(context.Background(), ss)
Author	SHA1	Message	Date
renovate[bot]	55e136e2ab	chore(deps): update gomod	2025-10-28 09:06:01 +00:00
David Symonds	110d51d1d7	test: replace mock pkg/clock with narrowly targeted stub clocks. (#3238 ) The package under pkg/clock is github.com/benbjohnson/clock, which is archived. It's also way more complex than is what is actually needed here, so we can entirely remove the dependency and remove the helper package. Fixes #2840. Signed-off-by: David Symonds <dsymonds@gmail.com>	2025-10-28 10:05:02 +01:00
Jan Larwig	8f687e4d0c	chore(deps): upgrade to latest go1.25.3 (#3244 ) Signed-off-by: Jan Larwig <jan@larwig.com>	2025-10-28 09:54:10 +01:00
Olivier Mengué	f950dc9942	feat(makefile): simplify validate-go-version (#3147 ) Since Go 1.21 the go toolchain validates strictly the "go" version directive in go.mod, and downloads and uses the requested toolchain if necessary. See https://go.dev/doc/toolchain So we can just run "go list" to tell the Go toolchain to validate our build environment according to go.mod. To extract the "go" directive version from go.mod (used to select the Docker build image) we also use "go list".	2025-10-28 09:13:35 +01:00
Schmitt Paul	31b275f580	docs: clarify ingress-nginx integration and remove Lua block example (#3202 ) * docs: clarify ingress-nginx integration and remove Lua block example for oauth2-proxy This PR revises the integration guide for oauth2-proxy with ingress-nginx in Kubernetes: Recommends the minimal configuration: just auth-url and auth-signin annotations. Removes the Lua block example, as it did not work in practice despite following nginx documentation and extensive testing. Clearly states that the official ingress-nginx external auth example is the recommended approach for most users. Notes that advanced Lua/cookie handling is only needed for rare, advanced scenarios. Signed-off-by: Jan Larwig <jan@larwig.com> * doc: update 3 latest docs versions Signed-off-by: Jan Larwig <jan@larwig.com> --------- Signed-off-by: Jan Larwig <jan@larwig.com> Co-authored-by: Jan Larwig <jan@larwig.com>	2025-10-28 08:48:23 +01:00
Vincent Privat	ea1dc3f606	Fix typo: diffrerent -> different (#3222 ) Signed-off-by: Vincent Privat <vincent.privat@airbus.com>	2025-10-28 08:40:51 +01:00
stagswtf	51e80f24ef	fix: use GetSecret() in ticket.go makeCookie to respect cookie-secret-file (#3228 ) * fix: use GetSecret() in ticket.go makeCookie The makeCookie method in ticket.go was using t.options.Secret directly, which meant cookie-secret-file was not being respected. Updated to use GetSecret() which handles both cookie-secret and cookie-secret-file properly. Also added test coverage for cookie-secret-file functionality. Fixes #3224 Signed-off-by: stagswtf <142280349+stagswtf@users.noreply.github.com> * docs: update CHANGELOG.md for cookie-secret-file fix Signed-off-by: stagswtf <142280349+stagswtf@users.noreply.github.com> * correct PR link and undo file formatting Signed-off-by: stagswtf <142280349+stagswtf@users.noreply.github.com> * fix: error wrapping Signed-off-by: Jan Larwig <jan@larwig.com> --------- Signed-off-by: stagswtf <142280349+stagswtf@users.noreply.github.com> Signed-off-by: Jan Larwig <jan@larwig.com> Co-authored-by: Jan Larwig <jan@larwig.com>	2025-10-28 08:37:25 +01:00
renovate[bot]	c0a087d7f2	chore(deps): update actions/upload-artifact action to v5 (#3243 ) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2025-10-28 08:03:40 +01:00
renovate[bot]	4295f0c1f9	chore(deps): update dependency golangci/golangci-lint to v2.5.0 (#3212 ) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2025-10-28 08:00:27 +01:00
renovate[bot]	a50bbcd6f6	chore(deps): update docker-compose (#3188 ) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2025-10-28 07:53:29 +01:00
renovate[bot]	dea0d0cf44	chore(deps): update helmv3 (#3189 ) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2025-10-28 07:53:12 +01:00
renovate[bot]	e693f4070a	chore(deps): update actions/labeler action to v6 (#3190 ) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2025-10-28 07:43:22 +01:00
renovate[bot]	5539e59002	chore(deps): update actions/setup-go action to v6 (#3191 ) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2025-10-28 07:43:04 +01:00
renovate[bot]	65ef2ca3c9	chore(deps): update actions/stale action to v10 (#3193 ) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2025-10-28 07:42:13 +01:00
renovate[bot]	bccc988366	chore(deps): update actions/setup-node action to v6 (#3242 ) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2025-10-28 07:41:34 +01:00
renovate[bot]	a3349add54	chore(deps): update alpine docker tag to v3.22.2 (#3241 ) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2025-10-28 07:40:08 +01:00