feat(workflows): add shared Go lint, test, build, release, and e2e reusable workflows

.github/workflows/shared-e2e.yaml

@@ -0,0 +1,73 @@
+name: Shared E2E
+
+on:
+  workflow_call:
+    inputs:
+      runs-on:
+        description: "The runner to use for the job"
+        required: false
+        default: "ubuntu-latest"
+        type: string
+      greenhouse-ref:
+        description: "Ref (branch, tag, or SHA) of cloudoperators/greenhouse to deploy"
+        required: false
+        default: "main"
+        type: string
+      admin-k8s-version:
+        description: "Kubernetes node image tag for the admin KinD cluster (e.g. v1.31.0)"
+        required: true
+        type: string
+      remote-k8s-version:
+        description: "Kubernetes node image tag for the remote KinD cluster (e.g. v1.31.0)"
+        required: true
+        type: string
+      scenario:
+        description: "E2E scenario name passed to the composite action and make target"
+        required: true
+        type: string
+      test-target:
+        description: "The make target in the calling repo used to run e2e tests"
+        required: false
+        default: "e2e"
+        type: string
+      working-directory:
+        description: "Working directory for the make test target"
+        required: false
+        default: "."
+        type: string
+      environment:
+        description: "GitHub environment name to use for this job (optional)"
+        required: false
+        default: ""
+        type: string
+jobs:
+  e2e:
+    runs-on: ${{ inputs.runs-on }}
+    environment: ${{ inputs.environment != '' && inputs.environment || null }}
+    permissions:
+      contents: read
+    steps:
+      - name: Run Greenhouse E2E composite action
+        uses: cloudoperators/common/workflows/e2e@main
+        with:
+          admin-k8s-version: ${{ inputs.admin-k8s-version }}
+          remote-k8s-version: ${{ inputs.remote-k8s-version }}
+          scenario: ${{ inputs.scenario }}
+          ref: ${{ inputs.greenhouse-ref }}
+
+      - name: Checkout calling repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          path: caller
+
+      - name: Set up Go
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5
+        with:
+          go-version-file: caller/${{ inputs.working-directory != '.' && format('{0}/go.mod', inputs.working-directory) || 'go.mod' }}
+          cache: true
+
+      - name: Run e2e tests
+        working-directory: caller/${{ inputs.working-directory }}
+        env:
+          TEST_TARGET: ${{ inputs.test-target }}
+        run: make "$TEST_TARGET"

.github/workflows/shared-go-build.yaml

@@ -0,0 +1,114 @@
+name: Shared Go Build
+
+on:
+  workflow_call:
+    inputs:
+      runs-on:
+        description: "The runner to use for the job"
+        required: false
+        default: "ubuntu-latest"
+        type: string
+      working-directory:
+        description: "Working directory for the job"
+        required: false
+        default: "."
+        type: string
+      build-target:
+        description: "The make target to run for the build (e.g. build, build-all, docker-build)"
+        required: false
+        default: "build"
+        type: string
+      docker-build:
+        description: "Build and optionally push a Docker image after the Go build"
+        required: false
+        default: false
+        type: boolean
+      image-name:
+        description: "Full GHCR image name, e.g. ghcr.io/cloudoperators/myapp (must start with ghcr.io/ when push is true)"
+        required: false
+        default: ""
+        type: string
+      platforms:
+        description: "Comma-separated list of target platforms for the Docker image"
+        required: false
+        default: "linux/amd64,linux/arm64"
+        type: string
+      push:
+        description: "Push the built Docker image to the registry"
+        required: false
+        default: false
+        type: boolean
+    secrets:
+      registry-token:
+        description: "Token used to authenticate to the container registry when pushing"
+        required: false
+
+jobs:
+  build:
+    runs-on: ${{ inputs.runs-on }}
+    permissions:
+      contents: read
+      packages: ${{ inputs.push == true && 'write' || 'read' }}
+    defaults:
+      run:
+        working-directory: ${{ inputs.working-directory }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+
+      - name: Set up Go
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5
+        with:
+          go-version-file: ${{ format('{0}/go.mod', inputs.working-directory) }}
+          cache: true
+          cache-dependency-path: ${{ format('{0}/go.sum', inputs.working-directory) }}
+
+      - name: Build
+        env:
+          BUILD_TARGET: ${{ inputs.build-target }}
+        run: make "$BUILD_TARGET"
+
+      - name: Validate docker-build inputs
+        if: inputs.docker-build == true
+        run: |
+          if [ -z "${{ inputs.image-name }}" ]; then
+            echo "ERROR: image-name is required when docker-build is true"
+            exit 1
+          fi
+          if [ "${{ inputs.push }}" = "true" ] && [[ "${{ inputs.image-name }}" != ghcr.io/* ]]; then
+            echo "ERROR: image-name must start with 'ghcr.io/' when push is true (got: '${{ inputs.image-name }}')"
+            exit 1
+          fi
+
+      - name: Set up QEMU
+        if: inputs.docker-build == true
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff9c25c0e60b9eba63c # v3
+
+      - name: Set up Docker Buildx
+        if: inputs.docker-build == true
+        uses: docker/setup-buildx-action@b5730b4fe97e6f9f14b9d7bb5f0f0b9f75a3b6ca # v3
+
+      - name: Log in to container registry
+        if: inputs.docker-build == true && inputs.push == true
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.registry-token != '' && secrets.registry-token || secrets.GITHUB_TOKEN }}
+
+      - name: Extract Docker metadata
+        if: inputs.docker-build == true
+        id: meta
+        uses: docker/metadata-action@902fa8ec7d6ecbea8a63d9c1064e4b9e02685b72 # v5
+        with:
+          images: ${{ inputs.image-name }}
+
+      - name: Build and push Docker image
+        if: inputs.docker-build == true
+        uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6
+        with:
+          context: ${{ inputs.working-directory }}
+          platforms: ${{ inputs.platforms }}
+          push: ${{ inputs.push }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}

.github/workflows/shared-go-lint.yaml

@@ -0,0 +1,59 @@
+name: Shared Go Lint
+
+on:
+  workflow_call:
+    inputs:
+      runs-on:
+        description: "The runner to use for the job"
+        required: false
+        default: "ubuntu-latest"
+        type: string
+      golangci-lint-version:
+        description: "golangci-lint version to use"
+        required: false
+        default: "latest"
+        type: string
+      working-directory:
+        description: "Working directory for the job"
+        required: false
+        default: "."
+        type: string
+      enable-govulncheck:
+        description: "Run govulncheck in addition to golangci-lint"
+        required: false
+        default: false
+        type: boolean
+      govulncheck-version:
+        description: "Version of govulncheck to use (e.g. latest or v1.1.3)"
+        required: false
+        default: "latest"
+        type: string
+
+jobs:
+  lint:
+    runs-on: ${{ inputs.runs-on }}
+    permissions:
+      contents: read
+    defaults:
+      run:
+        working-directory: ${{ inputs.working-directory }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+
+      - name: Set up Go
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5
+        with:
+          go-version-file: ${{ format('{0}/go.mod', inputs.working-directory) }}
+          cache: true
+          cache-dependency-path: ${{ format('{0}/go.sum', inputs.working-directory) }}
+
+      - name: Run golangci-lint
+        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
+        with:
+          version: ${{ inputs.golangci-lint-version }}
+          working-directory: ${{ inputs.working-directory }}
+
+      - name: Run govulncheck
+        if: inputs.enable-govulncheck == true
+        run: go run golang.org/x/vuln/cmd/govulncheck@${{ inputs.govulncheck-version }} ./...

.github/workflows/shared-go-test.yaml

@@ -0,0 +1,82 @@
+name: Shared Go Test
+
+on:
+  workflow_call:
+    inputs:
+      runs-on:
+        description: "The runner to use for the job"
+        required: false
+        default: "ubuntu-latest"
+        type: string
+      working-directory:
+        description: "Working directory for the job"
+        required: false
+        default: "."
+        type: string
+      test-target:
+        description: "The make target to run for tests"
+        required: false
+        default: "test"
+        type: string
+      upload-coverage:
+        description: "Upload coverage report as an artifact"
+        required: false
+        default: false
+        type: boolean
+      coverage-artifact-name:
+        description: "Name of the coverage artifact"
+        required: false
+        default: "code-coverage"
+        type: string
+      coverage-path:
+        description: "Path to the coverage output file"
+        required: false
+        default: "build/cover.out"
+        type: string
+      extra-env:
+        description: "Extra environment variables as newline-separated KEY=VALUE pairs"
+        required: false
+        default: ""
+        type: string
+
+jobs:
+  test:
+    runs-on: ${{ inputs.runs-on }}
+    permissions:
+      contents: read
+    defaults:
+      run:
+        working-directory: ${{ inputs.working-directory }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+
+      - name: Set up Go
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5
+        with:
+          go-version-file: ${{ format('{0}/go.mod', inputs.working-directory) }}
+          cache: true
+          cache-dependency-path: ${{ format('{0}/go.sum', inputs.working-directory) }}
+
+      - name: Download Go modules
+        run: go mod download
+
+      - name: Set extra environment variables
+        if: inputs.extra-env != ''
+        env:
+          EXTRA_ENV: ${{ inputs.extra-env }}
+        run: |
+          printf '%s\n' "$EXTRA_ENV" >> "$GITHUB_ENV"
+
+      - name: Run tests
+        env:
+          TEST_TARGET: ${{ inputs.test-target }}
+        run: make "$TEST_TARGET"
+
+      - name: Upload coverage report
+        if: inputs.upload-coverage == true
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+        with:
+          name: ${{ inputs.coverage-artifact-name }}
+          path: ${{ inputs.working-directory != '.' && format('{0}/{1}', inputs.working-directory, inputs.coverage-path) || inputs.coverage-path }}
+          if-no-files-found: warn