use reusable workflows

.github/workflows/check-generated.yml

@@ -13,31 +13,7 @@ on:
   workflow_dispatch: {}
 
 jobs:
-  check-go-generate:
-    runs-on: ubuntu-latest
-    timeout-minutes: 10
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Install Go
-        uses: WillAbides/setup-go-faster@v1.11.0
-        with:
-          go-version-file: go.mod
-
-      - name: Cache Go files
-        uses: capnspacehook/cache-go@v1
-
-      # Install any tools 'go generate' uses here
-
-      - name: Ensure 'go generate' is clean
-        run: |
-          # shellcheck disable=SC2046
-          go generate $(go list ./...)
-          echo
-          echo
-
-          if ! git diff --name-only --exit-code; then
-            echo "The files above need updating. Please run 'go generate'."
-            exit 1
-          fi
+  check-generated:
+    permissions:
+      contents: read
+    uses: capnspacehook/go-workflows/.github/workflows/check-generated.yml@master

.github/workflows/codeql.yml

@@ -1,4 +1,4 @@
-name: CodeQL
+name: Run CodeQL
 
 on:
   push:
@@ -13,65 +13,9 @@ on:
   workflow_dispatch: {}
 
 jobs:
-  analyze:
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
+  codeql:
     permissions:
       actions: write
       contents: read
       security-events: write
-
-    strategy:
-      fail-fast: false
-      matrix:
-        language: 
-          - go
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-
-      - name: Exit is repository is private
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          PRIVATE="$(gh repo view ${{ github.repository }} --json isPrivate -q .isPrivate)"
-          if [[ $PRIVATE == true ]]; then
-            echo "Canceling CodeL run as this repository is private and CodeQL is a paid feature for private repositories."
-            echo "Remove this step if you have enabled CodeQL in a private repository."
-
-            gh run cancel ${{ github.run_id }}
-            gh run watch ${{ github.run_id }}
-          fi
-
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v2
-        with:
-          languages: ${{ matrix.language }}
-
-      # TODO: remove once https://github.com/github/codeql/issues/13992 is fixed
-      - name: Install Go
-        uses: WillAbides/setup-go-faster@v1.11.0
-        with:
-          go-version-file: go.mod
-
-      - name: Cache Go files
-        uses: capnspacehook/cache-go@v1
-
-      - name: Autobuild
-        uses: github/codeql-action/autobuild@v2
-
-      # ℹ️ Command-line programs to run using the OS shell.
-      # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
-
-      #   If the Autobuild fails above, remove it and uncomment the following three lines.
-      #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
-
-      # - run: |
-      #   echo "Run, Build Application using script"
-      #   ./location_of_script_within_repo/buildscript.sh
-
-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v2
-        with:
-          category: "/language:${{matrix.language}}"
+    uses: capnspacehook/go-workflows/.github/workflows/codeql.yml@master

.github/workflows/lint-actions.yml

@@ -1,30 +1,14 @@
 name: Lint workflows
 
 on:
-  pull_request:
+  push:
     paths:
       - ".github/workflows/*"
 
   workflow_dispatch: {}
 
 jobs:
   lint-workflows:
-    runs-on: ubuntu-latest
-    timeout-minutes: 10
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Install Go
-        uses: WillAbides/setup-go-faster@v1.11.0
-        with:
-          go-version-file: go.mod
-
-      - name: Cache Go files
-        uses: capnspacehook/cache-go@v1
-
-      - name: Lint workflow files
-        run: |
-          echo "::add-matcher::.github/actionlint-matcher.json"
-          go install github.com/rhysd/actionlint/cmd/actionlint@latest
-          actionlint
+    permissions:
+      contents: read
+    uses: capnspacehook/go-workflows/.github/workflows/lint-actions.yml@master

.github/workflows/lint-docker.yml

@@ -1,21 +1,14 @@
 name: Lint Dockerfile
 
 on:
-  pull_request:
+  push:
     paths:
       - Dockerfile
 
   workflow_dispatch: {}
 
 jobs:
   lint-dockerfile:
-    runs-on: ubuntu-latest
-    timeout-minutes: 10
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Lint Dockerfile
-        uses: hadolint/hadolint-action@v3.1.0
-        with:
-          dockerfile: Dockerfile
+    permissions:
+      contents: read
+    uses: capnspacehook/go-workflows/.github/workflows/lint-docker.yml@master

.github/workflows/lint-go.yml

@@ -11,65 +11,7 @@ on:
   workflow_dispatch: {}
 
 jobs:
-  check-mod-tidy:
-    runs-on: ubuntu-latest
-    timeout-minutes: 10
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Install Go
-        uses: WillAbides/setup-go-faster@v1.11.0
-        with:
-          go-version-file: go.mod
-
-      - name: Cache Go files
-        uses: capnspacehook/cache-go@v1
-
-      - name: Ensure go.mod was tidied
-        run: |
-          GO_VERSION="$(go version | grep -Po '\d\.\d\d\.\d+')"
-          go mod tidy -compat "${GO_VERSION}"
-          STATUS=$(git status --porcelain go.mod go.sum)
-          if [ -n "$STATUS" ]; then
-            echo "Running 'go mod tidy' modified go.mod and/or go.sum"
-            exit 1
-          fi
-          exit 0
-
-  staticcheck:
-    runs-on: ubuntu-latest
-    timeout-minutes: 10
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Install Go
-        uses: WillAbides/setup-go-faster@v1.11.0
-        with:
-          go-version-file: go.mod
-
-      - name: Cache Go files
-        uses: capnspacehook/cache-go@v1
-
-      - name: Lint with staticcheck
-        uses: dominikh/staticcheck-action@v1.3.0
-        with:
-          install-go: false
-
-  golangci-lint:
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
+  lint-go:
     permissions:
       contents: read
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Install Go
-        uses: WillAbides/setup-go-faster@v1.11.0
-        with:
-          go-version-file: go.mod
-
-      - name: Lint with golangci-lint
-        uses: golangci/golangci-lint-action@v3.7.0
+    uses: capnspacehook/go-workflows/.github/workflows/lint-go.yml@master

.github/workflows/release.yml

@@ -8,114 +8,9 @@ on:
       - "v*.*.*"
 
 jobs:
-  release-binary:
-    runs-on: ubuntu-latest
-    if: github.ref_type == 'tag'
-    timeout-minutes: 15
+  release:
     permissions:
       id-token: write
       contents: write
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Checkout tags
-        run: git fetch --force --tags
-
-      - name: Install Go
-        uses: WillAbides/setup-go-faster@v1.11.0
-        with:
-          go-version-file: go.mod
-
-      - name: Cache Go files
-        uses: capnspacehook/cache-go@v1
-
-      - name: Install cosign
-        uses: sigstore/cosign-installer@main
-
-      - name: Build and release with goreleaser
-        uses: goreleaser/goreleaser-action@v5
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          distribution: goreleaser
-          version: latest
-          args: release
-
-  release-image:
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-      id-token: write
       packages: write
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Install cosign
-        uses: sigstore/cosign-installer@main
-
-      - name: Install Docker buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Build list of Docker tags to use
-        id: tag-types
-        run: |
-          if [[ ${{ contains(github.ref, 'tag') }} == true ]]; then
-            TAGS="
-            type=semver,pattern={{major}},priority=920
-            type=semver,pattern={{major}}.{{minor}},priority=910
-            type=semver,pattern={{version}},priority=900
-            type=ref,event=branch
-            type=sha,format=long"
-          else
-            TAGS="
-            type=ref,event=branch
-            type=sha,format=long"
-          fi
-
-          # https://trstringer.com/github-actions-multiline-strings
-          {
-            echo "TAGS<<EOF"
-            echo "$TAGS"
-            echo "EOF"
-          } >> "$GITHUB_ENV"
-
-      - name: Set Docker labels and tags
-        id: metadata
-        uses: docker/metadata-action@v5
-        with:
-          images: ghcr.io/${{ github.repository }}
-          flavor: |
-            latest=true
-          tags: ${{ env.TAGS }}
-
-      - name: Login to container registry
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Get latest git tag
-        id: get-tag
-        uses: olegtarasov/get-tag@v2.1
-
-      - name: Build and push Docker image
-        id: build-push
-        uses: docker/build-push-action@v5
-        with:
-          context: .
-          push: true
-          build-args: |
-            VERSION=${{ steps.get-tag.outputs.tag }}
-          tags: ${{ steps.metadata.outputs.tags }}
-          labels: ${{ steps.metadata.outputs.labels }}
-
-      - name: Sign container image
-        env:
-          COSIGN_EXPERIMENTAL: "true"
-        run: cosign sign --yes ghcr.io/${{ github.repository }}@${{ steps.build-push.outputs.digest }}
+    uses: capnspacehook/go-workflows/.github/workflows/release.yml@master