
deps(go): bump module github.com/jferrl/go-githubauth to v1.6.0#8615

Merged: olblak merged 2 commits into main from updatecli_main_6ca724c794244722de4eca63a9622048eebcb7e767b238743feec82f5b35fc83 on Apr 25, 2026

Conversation

updateclibot (Bot, Contributor) commented Apr 25, 2026


deps(go): bump module github.com/jferrl/go-githubauth

clean: go mod tidy

ran shell command "go mod tidy"

deps(go): bump module github.com/jferrl/go-githubauth to v1.6.0

go.mod updated Module path "github.com/jferrl/go-githubauth" version from "v1.5.1" to "v1.6.0"

v1.6.0
## ✨ Features

### External key store support for GitHub App JWTs
Added `NewApplicationTokenSourceFromSigner` which accepts any `crypto.Signer` with an RSA public key. Enables signing via AWS KMS, GCP KMS, Azure Key Vault, HashiCorp Vault Transit, PKCS#11 HSMs, or ssh-agent — the private key never touches process memory. Validates at construction that the signer's public key is `*rsa.PublicKey` (GitHub requires RS256).

```go
signer, _ := kms.NewSigner(ctx, keyID) // any crypto.Signer backed by RSA
ts, err := githubauth.NewApplicationTokenSourceFromSigner(appID, signer)
```

### Proactive token refresh with configurable skew
New `ReuseTokenSourceWithSkew` refreshes cached tokens when `time.Until(exp) <= skew` instead of waiting for expiry to pass. Closes the in-flight 401 window where a request starts shortly before expiry and reaches GitHub already expired.

`NewApplicationTokenSource` and `NewInstallationTokenSource` now wrap with `DefaultExpirySkew` (30s); tune via `WithExpirySkew` / `WithInstallationExpirySkew`. Zero/negative skew delegates to `oauth2.ReuseTokenSource` verbatim for backwards compatibility.

### Automatic retry on installation token throttling
`createInstallationToken` now performs a single automatic retry when GitHub returns `429`, or `403` with `Retry-After` / `X-RateLimit-Reset` headers. Sleep honors context cancellation and is capped at 60s. Terminal throttle errors wrap `ErrRateLimited` for `errors.Is` branching. Opt out via `WithRetryOnThrottle(false)`.

### New `webhook` subpackage
Added a `webhook` package for verifying GitHub webhook deliveries using constant-time HMAC-SHA256:

- `Verify(secret, body, signature)` with sentinel errors (`ErrMissingSignature`, `ErrInvalidSignatureFormat`, `ErrSignatureMismatch`) wrapped for `errors.Is` / `errors.As`.
- `Middleware(secret, opts...)` `net/http` middleware with body restoration, 25 MiB default cap, and 401/413 short-circuits.
- Functional options `WithMaxPayloadSize` and `WithErrorHandler`.
- Suitable for direct use in queue, Lambda, or Cloud Run consumers.

```go
http.Handle("/webhook", webhook.Middleware(secret)(handler))
```

## 📦 Dependencies
- Bump `golang.org/x/oauth2` from 0.34.0 → 0.36.0
- Bump `codecov/codecov-action` 5 → 6
- Bump `styfle/cancel-workflow-action` 0.13.0 → 0.13.1

## ⚠️ Breaking / Behavior Changes
- **Minimum Go version is now 1.25** (transitively required by `golang.org/x/oauth2` v0.36.0). README previously claimed 1.21; the actual floor is now enforced.
- Token sources refresh **30s before expiry** by default. Set skew to `0` via `WithExpirySkew(0)` / `WithInstallationExpirySkew(0)` to restore prior behavior.

**Full Changelog**: https://github.com/jferrl/go-githubauth/compare/v1.5.1...v1.6.0
v1.5.1
## What's Changed
* chore(deps): bump golang.org/x/oauth2 from 0.32.0 to 0.33.0 by @dependabot[bot] in https://github.com/jferrl/go-githubauth/pull/34
* chore(deps): bump golangci/golangci-lint-action from 8 to 9 by @dependabot[bot] in https://github.com/jferrl/go-githubauth/pull/33
* chore(deps): bump actions/checkout from 5 to 6 by @dependabot[bot] in https://github.com/jferrl/go-githubauth/pull/35
* chore(deps): bump golang.org/x/oauth2 from 0.33.0 to 0.34.0 by @dependabot[bot] in https://github.com/jferrl/go-githubauth/pull/36
* chore(deps): bump actions/cache from 4 to 5 by @dependabot[bot] in https://github.com/jferrl/go-githubauth/pull/37
* chore(deps): bump github.com/golang-jwt/jwt/v5 from 5.3.0 to 5.3.1 by @dependabot[bot] in https://github.com/jferrl/go-githubauth/pull/39
* chore(deps): bump styfle/cancel-workflow-action from 0.12.1 to 0.13.0 by @dependabot[bot] in https://github.com/jferrl/go-githubauth/pull/38
* Fix regression in github enterprise url handling #40 by @luna-veil-8080 in https://github.com/jferrl/go-githubauth/pull/41

## New Contributors
* @luna-veil-8080 made their first contribution in https://github.com/jferrl/go-githubauth/pull/41

**Full Changelog**: https://github.com/jferrl/go-githubauth/compare/v1.5.0...v1.5.1

Created automatically by Updatecli

Options:

Most of Updatecli configuration is done via its manifest(s).

  • If you close this pull request, Updatecli will automatically reopen it, the next time it runs.
  • If you close this pull request and delete the base branch, Updatecli will automatically recreate it, erasing all previous commits made.

Feel free to report any issues at github.com/updatecli/updatecli.
If you find this tool useful, do not hesitate to star our GitHub repository as a sign of appreciation, and/or to tell us directly on our chat!

updateclibot Bot added 2 commits April 25, 2026 15:15
Made with ❤️️ by updatecli
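The "proactive token refresh with configurable skew" entry in the release notes above describes a cached token source that refreshes once `time.Until(exp) <= skew`. The following is an added example written for this page, not go-githubauth's own code: `Token`, `TokenSource`, `ReuseTokenSourceWithSkew` (with an injected clock), `mintingSource` and `Simulate` are all constructed here so the refresh behaviour can be traced offline with a fake clock. It shows why a request issued at t=40s against a token expiring at t=60s still gets a fresh token when the skew is 30s, and does not when the skew is 0.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Token and TokenSource are minimal stand-ins for oauth2.Token / oauth2.TokenSource
// (assumed shapes; this is an added example, not go-githubauth's code).
type Token struct {
	AccessToken string
	Expiry      time.Time
}

type TokenSource interface {
	Token() (*Token, error)
}

// skewSource caches one token and refreshes it as soon as time.Until(exp) <= skew,
// so a request started just before expiry never carries an already-dead token.
type skewSource struct {
	mu   sync.Mutex
	src  TokenSource
	skew time.Duration
	now  func() time.Time // injected clock so the behaviour can be simulated offline
	tok  *Token
}

// ReuseTokenSourceWithSkew is a hypothetical constructor named after the one in the
// release notes; the clock parameter is an addition for testability.
func ReuseTokenSourceWithSkew(src TokenSource, skew time.Duration, now func() time.Time) TokenSource {
	if now == nil {
		now = time.Now
	}
	return &skewSource{src: src, skew: skew, now: now}
}

func (s *skewSource) stillUsable(t *Token) bool {
	if t == nil || t.AccessToken == "" {
		return false
	}
	if t.Expiry.IsZero() {
		return true // non-expiring token
	}
	return t.Expiry.Sub(s.now()) > s.skew
}

func (s *skewSource) Token() (*Token, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.stillUsable(s.tok) {
		return s.tok, nil
	}
	t, err := s.src.Token()
	if err != nil {
		return nil, err
	}
	s.tok = t
	return t, nil
}

// mintingSource is a constructed upstream that issues a fresh token on every call.
type mintingSource struct {
	calls int
	ttl   time.Duration
	now   func() time.Time
}

func (m *mintingSource) Token() (*Token, error) {
	m.calls++
	return &Token{AccessToken: fmt.Sprintf("tok-%d", m.calls), Expiry: m.now().Add(m.ttl)}, nil
}

// Simulate advances a fake clock by each step, calls Token() after each advance,
// and returns how many upstream mints happened plus the token seen at each step.
func Simulate(skew, ttl time.Duration, steps []time.Duration) (int, []string, error) {
	clock := time.Date(2026, 4, 25, 15, 0, 0, 0, time.UTC)
	now := func() time.Time { return clock }
	upstream := &mintingSource{ttl: ttl, now: now}
	ts := ReuseTokenSourceWithSkew(upstream, skew, now)
	var seen []string
	for _, step := range steps {
		clock = clock.Add(step)
		t, err := ts.Token()
		if err != nil {
			return 0, nil, err
		}
		seen = append(seen, t.AccessToken)
	}
	return upstream.calls, seen, nil
}

func main() {
	// Calls at t=0s, 20s, 40s, 55s against 60s-lived tokens.
	steps := []time.Duration{0, 20 * time.Second, 20 * time.Second, 15 * time.Second}
	for _, skew := range []time.Duration{0, 30 * time.Second} {
		mints, seen, _ := Simulate(skew, 60*time.Second, steps)
		fmt.Printf("skew=%v mints=%d tokens=%v\n", skew, mints, seen)
	}
}
```

With skew 0 the call at t=55s still reuses a token that has 5 seconds left, which is the in-flight 401 window the release notes describe; with skew 30s the refresh already happens at t=40s.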
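The "new webhook subpackage" entry above lists the checks a GitHub webhook receiver needs: a `sha256=<hex>` signature header, constant-time HMAC-SHA256 comparison, sentinel errors, a payload size cap, body restoration for the downstream handler, and 401/413 short-circuits. The following is an added example that implements those checks from the standard library; it is not the go-githubauth `webhook` package. The error names mirror the release notes, while `Sign`, `Deliver`, the `maxBytes` parameter and the sample secret and payload are constructed for this page.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Sentinel errors named after the release notes; this file is an added example,
// not the library's webhook package.
var (
	ErrMissingSignature       = errors.New("webhook: missing X-Hub-Signature-256 header")
	ErrInvalidSignatureFormat = errors.New("webhook: signature must be sha256=<64 hex chars>")
	ErrSignatureMismatch      = errors.New("webhook: signature mismatch")
)

// DefaultMaxPayloadSize mirrors the 25 MiB cap quoted in the release notes.
const DefaultMaxPayloadSize int64 = 25 << 20

// Sign computes the "sha256=<hex>" value GitHub sends in X-Hub-Signature-256.
func Sign(secret, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return "sha256=" + hex.EncodeToString(mac.Sum(nil))
}

// Verify recomputes the HMAC over body and compares with hmac.Equal, so the
// comparison time does not depend on how many leading bytes already match.
func Verify(secret, body []byte, signature string) error {
	if signature == "" {
		return ErrMissingSignature
	}
	if !strings.HasPrefix(signature, "sha256=") {
		return fmt.Errorf("%w: missing sha256= prefix", ErrInvalidSignatureFormat)
	}
	got, err := hex.DecodeString(strings.TrimPrefix(signature, "sha256="))
	if err != nil {
		return fmt.Errorf("%w: %v", ErrInvalidSignatureFormat, err)
	}
	if len(got) != sha256.Size {
		return fmt.Errorf("%w: got %d bytes", ErrInvalidSignatureFormat, len(got))
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), got) {
		return ErrSignatureMismatch
	}
	return nil
}

// Middleware reads the body under a size cap (413 if exceeded), verifies it
// (401 on any failure), then restores r.Body so the wrapped handler can parse it.
func Middleware(secret []byte, maxBytes int64) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, maxBytes))
			if err != nil {
				var tooBig *http.MaxBytesError
				if errors.As(err, &tooBig) {
					http.Error(w, "payload too large", http.StatusRequestEntityTooLarge)
					return
				}
				http.Error(w, "bad request", http.StatusBadRequest)
				return
			}
			if err := Verify(secret, body, r.Header.Get("X-Hub-Signature-256")); err != nil {
				http.Error(w, "unauthorized", http.StatusUnauthorized) // unauthenticated bodies never reach the handler
				return
			}
			r.Body = io.NopCloser(bytes.NewReader(body))
			next.ServeHTTP(w, r)
		})
	}
}

// Deliver drives the middleware with an in-memory request and returns the status code.
func Deliver(secret, body []byte, signature string, maxBytes int64) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		b, _ := io.ReadAll(r.Body) // body was restored by the middleware
		fmt.Fprintf(w, "received %d bytes", len(b))
	})
	req := httptest.NewRequest(http.MethodPost, "/webhook", bytes.NewReader(body))
	if signature != "" {
		req.Header.Set("X-Hub-Signature-256", signature)
	}
	rec := httptest.NewRecorder()
	Middleware(secret, maxBytes)(ok).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	secret := []byte("constructed-example-secret")        // constructed, not a real secret
	body := []byte(`{"action":"opened","number":8615}`)  // constructed payload
	fmt.Println("valid:", Deliver(secret, body, Sign(secret, body), DefaultMaxPayloadSize))
	fmt.Println("tampered:", Deliver(secret, []byte(`{"action":"closed"}`), Sign(secret, body), DefaultMaxPayloadSize))
	fmt.Println("missing:", Deliver(secret, body, "", DefaultMaxPayloadSize))
	fmt.Println("oversized:", Deliver(secret, body, Sign(secret, body), 8))
}
```

The size cap is enforced before the signature is computed, so an oversized delivery is rejected with 413 without hashing the whole stream, and the body is only handed downstream after the MAC has matched.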
@updateclibot updateclibot Bot added the dependencies Pull requests that update a dependency file label Apr 25, 2026
@olblak olblak merged commit 63c406c into main Apr 25, 2026
7 checks passed
@olblak olblak deleted the updatecli_main_6ca724c794244722de4eca63a9622048eebcb7e767b238743feec82f5b35fc83 branch April 25, 2026 16:18