Move to github.com/go-jose/go-jose/v3

[jraddaoui]

Fixes a vulnerability reported in the unmantained version we were using.

Refs https://github.com/artefactual-sdps/enduro/security/dependabot/52.

[codecov[bot]]

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Project coverage is 50.56%. Comparing base (6106009) to head (fc228df).

Additional details and impacted files

```diff @@ Coverage Diff @@ ## main #948 +/- ## ========================================== - Coverage 50.60% 50.56% -0.04% ========================================== Files 101 101 Lines 5638 5638 ========================================== - Hits 2853 2851 -2 - Misses 2543 2544 +1 - Partials 242 243 +1 ```

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.

[jraddaoui]

I upgraded chainguard.dev/go-oidctest manually to be able to use github.com/go-jose/go-jose/v3 in the test, that probably upgraded the indirect dependency. I tried with github.com/go-jose/go-jose/v4, but I could not make it work easily. I'll give it another try ;)

[jraddaoui]

The signer created by oidctest.NewIssuer(t) is a v3 version, which can't be used with v4:

cannot use signer (variable of type "github.com/go-jose/go-jose/v3".Signer) as "github.com/go-jose/go-jose/v4".Signer value in argument to token: "github.com/go-jose/go-jose/v3".Signer does not implement "github.com/go-jose/go-jose/v4".Signer (wrong type for method Options)
        have Options() "github.com/go-jose/go-jose/v3".SignerOptions
        want Options() "github.com/go-jose/go-jose/v4".SignerOptionscompiler[InvalidIfaceAssign](https://pkg.go.dev/golang.org/x/tools/internal/typesinternal#InvalidIfaceAssign)

oidctest seems to be working with v3, but it also imports github.com/coreos/go-oidc/v3, which is the one indirectly importing v4: https://github.com/chainguard-dev/go-oidctest/blob/v0.3.1/go.mod.

I'd not worry about it @djjuhasz.