Fix conversion of static responses in upstreams

Use X-Forwarded-Host in Redirects

Prepare changelog for v6.1.0 release

Only log no cookie match if cookie domains specified

* dist.sh: remove go version from asset links

* update changelog

Create generic Authorization Header constructor

Ensure session times are not nil before printing them

Allow OIDC Bearer Tokens without emails

`findClaimsFromIDToken` would always have a `nil` access token and not be
able to hit the userinfo endpoint in Bearer case. If access token is nil,
default to legacy `session.Email = claim.Subject` that all JWT bearers used
to have, even if a valid profileURL is present.

This reverts to functionality before #499 where an OIDC
provider could be used with `--skip-jwt-bearer-tokens` and
tokens without an email or profileURL would still be valid.
This logic mirrors `middleware.createSessionStateFromBearerToken`
which used to be the universal logic before #499.

Support Password & SentinelPassword in Redis session store

Add `x-oauth-basic` nosec annotation & address gosec unhandled errors

* Add dedicated error logging writer

* Document new errors to stdout flag

* Update changelog

* Thread-safe the log buffer

* Address feedback

* Remove duplication by adding log level

* Clean up error formatting

* Apply suggestions from code review

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

Address gosec findings

Any template errors instead of IO
errors are caught in validation.

Mostly handling unhandled errors appropriately.
If logging to STDERR fails, we panic. Added #nosec
comments to findings we are OK with.

Fix time issue causing finicky failures in logging tests

Fix typos and other minor edits

Add pull request events to CodeQL action

This will validate pull requests from forks to ensure that changes don't end up impacting you negatively.