
Conversation

@bwesterb bwesterb commented May 7, 2024

$ git range-diff go1.22.2..cf/cf go1.22.3..bas/1.22.3
 1:  7e53e51c32 =  1:  af8fc923c7 Add README (#158)
 2:  6bf5772505 <  -:  ---------- VERSION: add cf tag
 -:  ---------- >  2:  89b10478f1 VERSION: add cf tag
 3:  10d5b0498d =  3:  388346625b cmd/go/internal/imports, go/build: add cfgo build tag
 4:  54962442d8 =  4:  0255b16668 .github: add docker-compose.yaml and GitHub Action for CI
 5:  60fb640068 =  5:  780d87a515 .github: replace upstream templates and CODE_OF_CONDUCT.md
 6:  d5e212e3f1 =  6:  984ce830ff cmd/api: ignore CF-specific API changes
 7:  ba839d109a =  7:  f3e397882b go/build: don't check dependencies of vendored circl library
 8:  ee0634e688 =  8:  90c2068e80 crypto/tls: expose inter-handshake timing via CFEventHandlerContextKey
 9:  de64e8e99c !  9:  31ac0b40ff crypto/tls: Add hybrid post-quantum key agreements
    @@ src/go.mod: module std
      require (
     +	github.com/cloudflare/circl v1.3.8-0.20240208083452-454cfdc0f6c7
      	golang.org/x/crypto v0.16.1-0.20231129163542-152cdb1503eb
    - 	golang.org/x/net v0.19.1-0.20240327214321-ae3c50b55fdf
    + 	golang.org/x/net v0.19.1-0.20240412193750-db050b07227e
      )
     
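Review bot: the golang.org/x/net pin moves from ae3c50b55fdf to db050b07227e inside commit 9, "crypto/tls: Add hybrid post-quantum key agreements", which has nothing to do with x/net; a dependency bump folded into an unrelated commit during a rebase is easy to overlook, so mention it in that commit's message or carry it as its own commit, and confirm db050b07227e is the revision go1.22.3 itself pins so src/vendor matches upstream.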
      ## src/go.sum ##
    @@ src/go.sum
     +github.com/cloudflare/circl v1.3.8-0.20240208083452-454cfdc0f6c7/go.mod h1:uAwUTm6m3uQF5fuJKR6LvFqgxn2wyID+kF6KJAUcZl8=
      golang.org/x/crypto v0.16.1-0.20231129163542-152cdb1503eb h1:1ceSY7sk6sJuiDREHpfyrqDnDljsLfEP2GuTClhBBfI=
      golang.org/x/crypto v0.16.1-0.20231129163542-152cdb1503eb/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
    - golang.org/x/net v0.19.1-0.20240327214321-ae3c50b55fdf h1:zcMReZfxLPmppTre5oSNPSOgoTRtOplx+QV25LkyAto=
    + golang.org/x/net v0.19.1-0.20240412193750-db050b07227e h1:oDnvqaqHo3ho8OChMtkQbQAyp9eqnm3J7JRtt0+Cabc=
     
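Review bot: only the module `h1:` checksum line for golang.org/x/net is swapped here; no `/go.mod h1:` line for the new db050b07227e revision is visible in the hunk, whereas x/crypto above carries both. If src/go.sum is expected to hold both entries per dependency, add the `/go.mod` line too; in any case re-run `go mod vendor` in src and check that go.sum and the checked-in src/vendor tree agree after the bump.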
      ## src/vendor/github.com/cloudflare/circl/LICENSE (new) ##
     @@
10:  dc424101b3 = 10:  552025d0d3 crypto: add support for CIRCL signature schemes
11:  3dcd547e63 = 11:  0f29be7081 crypto/tls: implement draft-ietf-tls-subcerts-10
12:  edf48d6a04 = 12:  078fccf4be crypto/tls: implement draft-ietf-tls-esni-13
13:  2bd56d5c49 = 13:  feb3369929 Set GOTOOLCHAIN to local to prevent auto-download of new Go
14:  cacfd80e42 = 14:  18e16ce412 Add tls.Config.ClientCurveGuess to allow specifying which keyshares to send
15:  b55f20d748 = 15:  26b33f8160 Use server's preferred key agreement
16:  ec0a014545 = 16:  048a67333e Add dummy key agreement with codepoint 0xfe33 (#162)

@Lekensteyn Lekensteyn left a comment

LGTM.

While at it, do you mind updating the following crypto/tls/ files to use ``testingKey(`-----BEGIN EC TESTING KEY-----``? The secret scanning service is complaining about it:

src/crypto/tls/delegated_credentials_test.go:36:var delegatorKeyPEMP256 = `-----BEGIN EC PRIVATE KEY-----
src/crypto/tls/delegated_credentials_test.go:59:var delegatorKeyPEMP384 = `-----BEGIN EC PRIVATE KEY-----
src/crypto/tls/delegated_credentials_test.go:84:var delegatorKeyPEMP521 = `-----BEGIN EC PRIVATE KEY-----
src/crypto/tls/delegated_credentials_test.go:107:var delegatorKeyPEMEd25519 = `-----BEGIN EC PRIVATE KEY-----
src/crypto/tls/delegated_credentials_test.go:124:var nonDelegatorKeyPEM = `-----BEGIN EC PRIVATE KEY-----
src/crypto/tls/ech_test.go:61:-----BEGIN PRIVATE KEY-----
src/crypto/tls/ech_test.go:86:-----BEGIN PRIVATE KEY-----

gitguardian bot commented May 8, 2024

⚠️ GitGuardian has uncovered 7 secrets following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

🔎 Detected hardcoded secrets in your pull request
| GitGuardian id | GitGuardian status | Secret | Commit | Filename |
| --- | --- | --- | --- | --- |
| 10835424 | Triggered | Elliptic Curve Private Key | c177cdc | src/crypto/tls/delegated_credentials_test.go |
| 10835425 | Triggered | Elliptic Curve Private Key | c177cdc | src/crypto/tls/delegated_credentials_test.go |
| 10835426 | Triggered | Elliptic Curve Private Key | c177cdc | src/crypto/tls/delegated_credentials_test.go |
| 10835427 | Triggered | Generic Private Key | c177cdc | src/crypto/tls/ech_test.go |
| 10835428 | Triggered | Elliptic Curve Private Key | c177cdc | src/crypto/tls/delegated_credentials_test.go |
| 10835429 | Triggered | Generic Private Key | c177cdc | src/crypto/tls/ech_test.go |
| 10835430 | Triggered | Elliptic Curve Private Key | c177cdc | src/crypto/tls/delegated_credentials_test.go |
🛠 Guidelines to remediate hardcoded secrets
  1. Understand the implications of revoking this secret by investigating where it is used in your code.
  2. Replace and store your secrets safely. Learn here the best practices.
  3. Revoke and rotate these secrets.
  4. If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.

To avoid such incidents in the future consider


🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.

bwesterb commented May 8, 2024

This breaks tests.

failed to find PEM block with type ending in "PRIVATE KEY"
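The testingKey convention the reviewer asks for above, and the error quoted in the reply (which is what crypto/tls reports when no PEM block of type ending in "PRIVATE KEY" is found), as an added Go example that is not code from this PR or from Go's crypto/tls: `testingKey` is modelled on the helper of that name in Go's crypto/tls tests, while `findPrivateKeyBlock`, `newTestingKeyPEM` and `loadTestKey` are names chosen here, and the key is generated fresh at run time rather than taken from the repository.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"strings"
)

// testingKey follows the helper of that name in Go's crypto/tls tests: keys sit in
// source as "TESTING KEY" so secret scanners ignore them, rewritten only when loaded.
func testingKey(s string) string { return strings.ReplaceAll(s, "TESTING KEY", "PRIVATE KEY") }

// findPrivateKeyBlock mirrors the check behind the error quoted in the thread:
// only a PEM block whose type ends in "PRIVATE KEY" is accepted.
func findPrivateKeyBlock(pemData []byte) (*pem.Block, error) {
	for block, rest := pem.Decode(pemData); block != nil; block, rest = pem.Decode(rest) {
		if strings.HasSuffix(block.Type, "PRIVATE KEY") {
			return block, nil
		}
	}
	return nil, errors.New(`failed to find PEM block with type ending in "PRIVATE KEY"`)
}

// newTestingKeyPEM is a constructed sample: a fresh P-256 key, stored the way the
// reviewer asks for, as an "EC TESTING KEY" block (not a key from the repository).
func newTestingKeyPEM() (string, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	der, err := x509.MarshalECPrivateKey(priv)
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "EC TESTING KEY", Bytes: der})), nil
}

// loadTestKey is the pattern a test needs: apply testingKey before parsing.
func loadTestKey(stored string) (*ecdsa.PrivateKey, error) {
	block, err := findPrivateKeyBlock([]byte(testingKey(stored)))
	if err != nil {
		return nil, err
	}
	return x509.ParseECPrivateKey(block.Bytes)
}
```

Parsing the stored string without the testingKey rewrite yields exactly the "failed to find PEM block" error from the reply; a block renamed in source without its loader being updated fails the same way.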
