use reusable workflows

.github/workflows/codeql.yml

@@ -0,0 +1,21 @@
+name: Run CodeQL
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    branches:
+      - "*"
+  schedule:
+    - cron: "00 13 * * 1"
+
+  workflow_dispatch: {}
+
+jobs:
+  codeql:
+    permissions:
+      actions: write
+      contents: read
+      security-events: write
+    uses: capnspacehook/go-workflows/.github/workflows/codeql.yml@master

.github/workflows/lint-actions.yml

@@ -9,25 +9,6 @@ on:
 
 jobs:
   lint-workflows:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v3
-
-      - name: Export constant environmental variables
-        uses: cardinalby/export-env-action@v2
-        with:
-          envFile: .github/workflows/constants.env
-
-      - name: Install Go
-        uses: actions/setup-go@v4
-        with:
-          go-version: ${{ env.GO_VERSION }}.x
-          check-latest: true
-          cache: true
-
-      - name: Lint workflow files
-        run: |
-          echo "::add-matcher::.github/actionlint-matcher.json"
-          go install github.com/rhysd/actionlint/cmd/actionlint@latest
-          actionlint
+    permissions:
+      contents: read
+    uses: capnspacehook/go-workflows/.github/workflows/lint-actions.yml@master

.github/workflows/lint-go.yml

@@ -11,78 +11,7 @@ on:
   workflow_dispatch: {}
 
 jobs:
-  check-mod-tidy:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v3
-
-      - name: Export constant environmental variables
-        uses: cardinalby/export-env-action@v2
-        with:
-          envFile: .github/workflows/constants.env
-
-      - name: Install Go
-        uses: actions/setup-go@v4
-        with:
-          go-version: ${{ env.GO_VERSION }}.x
-          check-latest: true
-          cache: true
-
-      - name: Ensure go.mod was tidied
-        run: |
-          go mod tidy -compat ${{ env.GO_VERSION }}
-          STATUS=$(git status --porcelain go.mod go.sum)
-          if [ -n "$STATUS" ]; then
-            echo "Running go mod tidy modified go.mod and/or go.sum"
-            exit 1
-          fi
-          exit 0
-
-  staticcheck:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v3
-
-      - name: Export constant environmental variables
-        uses: cardinalby/export-env-action@v2
-        with:
-          envFile: .github/workflows/constants.env
-
-      - name: Install Go
-        uses: actions/setup-go@v4
-        with:
-          go-version: ${{ env.GO_VERSION }}.x
-          check-latest: true
-          cache: true
-
-      - name: Lint with staticcheck
-        uses: dominikh/staticcheck-action@v1.3.0
-        with:
-          install-go: false
-
-  golangci-lint:
-    runs-on: ubuntu-latest
+  lint-go:
     permissions:
-      pull-requests: read
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v3
-
-      - name: Export constant environmental variables
-        uses: cardinalby/export-env-action@v2
-        with:
-          envFile: .github/workflows/constants.env
-
-      - name: Install Go
-        uses: actions/setup-go@v4
-        with:
-          go-version: ${{ env.GO_VERSION }}.x
-          check-latest: true
-          cache: true
-
-      - name: Lint with golangci-lint
-        uses: golangci/golangci-lint-action@v3.7.0
-        with:
-          only-new-issues: true
+      contents: read
+    uses: capnspacehook/go-workflows/.github/workflows/lint-go.yml@master

.github/workflows/release.yml

@@ -8,41 +8,11 @@ on:
       - "v*.*.*"
 
 jobs:
-  release-binary:
-    runs-on: ubuntu-latest
-    if: github.ref_type == 'tag'
+  release:
     permissions:
       id-token: write
       contents: write
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-
-      - name: Export constant environmental variables
-        uses: cardinalby/export-env-action@v2
-        with:
-          envFile: .github/workflows/constants.env
-
-      - name: Checkout tags
-        run: git fetch --force --tags
-
-      - name: Install Go
-        uses: actions/setup-go@v4
-        with:
-          go-version: ${{ env.GO_VERSION }}.x
-          check-latest: true
-          cache: true
-
-      - name: Install cosign
-        uses: sigstore/cosign-installer@main
-
-      - name: Build and release with goreleaser
-        uses: goreleaser/goreleaser-action@v5
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          distribution: goreleaser
-          version: latest
-          args: release
+      packages: write
+    uses: capnspacehook/go-workflows/.github/workflows/release.yml@master
+    with:
+      release-image: false

.github/workflows/test.yml

@@ -13,21 +13,18 @@ on:
 jobs:
   race-test:
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
-
-      - name: Export constant environmental variables
-        uses: cardinalby/export-env-action@v2
-        with:
-          envFile: .github/workflows/constants.env
+        uses: actions/checkout@v4
 
       - name: Install Go
-        uses: actions/setup-go@v4
+        uses: WillAbides/setup-go-faster@v1.11.0
         with:
-          go-version: ${{ env.GO_VERSION }}.x
-          check-latest: true
-          cache: true
+          go-version-file: go.mod
+
+      - name: Cache Go files
+        uses: capnspacehook/cache-go@v1
 
       - name: Ensure main package builds
         run: |
@@ -41,21 +38,18 @@ jobs:
 
   binary-test:
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
-
-      - name: Export constant environmental variables
-        uses: cardinalby/export-env-action@v2
-        with:
-          envFile: .github/workflows/constants.env
+        uses: actions/checkout@v4
 
       - name: Install Go
-        uses: actions/setup-go@v4
+        uses: WillAbides/setup-go-faster@v1.11.0
         with:
-          go-version: ${{ env.GO_VERSION }}.x
-          check-latest: true
-          cache: true
+          go-version-file: go.mod
+
+      - name: Cache Go files
+        uses: capnspacehook/cache-go@v1
 
       # run the same tests as above but use a binary to process packets
       # to test with landlock and seccomp filters active
@@ -68,21 +62,18 @@ jobs:
 
   fuzz:
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
-
-      - name: Export constant environmental variables
-        uses: cardinalby/export-env-action@v2
-        with:
-          envFile: .github/workflows/constants.env
+        uses: actions/checkout@v4
 
       - name: Install Go
-        uses: actions/setup-go@v4
+        uses: WillAbides/setup-go-faster@v1.11.0
         with:
-          go-version: ${{ env.GO_VERSION }}.x
-          check-latest: true
-          cache: true
+          go-version-file: go.mod
+
+      - name: Cache Go files
+        uses: capnspacehook/cache-go@v1
 
       - run: |
           go test -fuzz Fuzz -run Config -fuzztime 10m

.github/workflows/vuln.yml

@@ -7,29 +7,13 @@ on:
   pull_request:
     branches:
       - "*"
+  schedule:
+    - cron: "00 13 * * 1"
 
   workflow_dispatch: {}
 
 jobs:
-  govulncheck:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v3
-
-      - name: Export constant environmental variables
-        uses: cardinalby/export-env-action@v2
-        with:
-          envFile: .github/workflows/constants.env
-
-      - name: Install Go
-        uses: actions/setup-go@v4
-        with:
-          go-version: ${{ env.GO_VERSION }}.x
-          check-latest: true
-          cache: true
-
-      - name: Scan for known vulnerable dependencies
-        run: |
-          go install golang.org/x/vuln/cmd/govulncheck@latest
-          govulncheck -v ./...
+  vuln-check:
+    permissions:
+      contents: read
+    uses: capnspacehook/go-workflows/.github/workflows/vuln.yml@master