chore: use reusable workflows

.github/workflows/main.yaml

@@ -11,22 +11,18 @@ jobs:
     name: ⚙️ setup
     runs-on: ubuntu-latest
     outputs:
-      image_tag: ${{ steps.vars.outputs.image-tag }}
+      image_tag: ${{ github.run_number }}-${{ steps.shortsha.outputs.short-sha }}
+      image_repo: ${{ env.IMAGE_REPO }}
+      app_name: ${{ env.APP_NAME }}
     steps:
-      - id: vars
-        run: |
-          SHORT_SHA="${GITHUB_SHA:0:8}"
-          echo "image-tag=${{ github.run_number }}-${SHORT_SHA}" >> $GITHUB_OUTPUT
+      - id: shortsha
+        uses: metal-toolbox/ci-toolbox/actions/short-sha@v0.0.1
 
   lint: 
     name: 📎 lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
-        with:
-          go-version-file: 'go.mod'
-      - uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 #v9.2.0
+      - uses: metal-toolbox/ci-toolbox/actions/golangci-lint@v0.0.1
 
   test:
     name: 🧪 test
@@ -56,117 +52,51 @@ jobs:
   build-go:
     name: 🏗️ build go
     runs-on: ubuntu-latest
-    needs:
-      - lint
-      - test
     env:
       CGO_ENABLED: 0
       GOOS: linux
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
-        with:
-          go-version-file: 'go.mod'
+      - uses: metal-toolbox/ci-toolbox/actions/setup-go@v0.0.1
       - name: build
         run: go build -buildvcs=false -mod=mod -a -o bin/${{ env.APP_NAME }}
       - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: ${{ env.APP_NAME }}-bin
           path: bin/${{ env.APP_NAME }}
+    outputs:
+      artifact-name: ${{ env.APP_NAME }}-bin
 
   build-docker:
     name: 🐳 build and publish docker image
-    runs-on: ubuntu-latest
     needs:
+      - lint
+      - test
       - build-go
       - setup
     permissions:
       contents: write
       id-token: write
       packages: write
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: sigstore/cosign-installer@v4.0.0
-      - uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
-        id: meta
-        with:
-          images: ${{ env.IMAGE_REPO }}
-      - name: login GHCR
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
-        with:
-          name: ${{ env.APP_NAME }}-bin
-          path: bin
-      - name: build and push
-        id: build-push
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
-        with:
-          context: .
-          push: ${{ github.ref == 'refs/heads/main' }}
-          load: true
-          file: Dockerfile
-          build-args: BIN=bin/${{ env.APP_NAME }}
-          labels: ${{ steps.meta.outputs.labels }}
-          tags: |
-            ${{ steps.meta.outputs.tags }}
-            ${{ env.IMAGE_REPO }}:${{ needs.setup.outputs.image_tag }}
-      - name: Save image as tar for scanning
-        run: docker save ${{ env.IMAGE_REPO }}:${{ needs.setup.outputs.image_tag }} -o image.tar
-      - name: Upload image artifact
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
-        with:
-          name: docker-image
-          path: image.tar
-          retention-days: 1
-      - name: sign image
-        if: github.ref == 'refs/heads/main'
-        run: cosign sign --yes ${{ env.IMAGE_REPO }}@${{ steps.build-push.outputs.digest }}
+    uses: metal-toolbox/ci-toolbox/.github/workflows/build-docker.yaml@v0.0.1
+    with:
+      artifact-name: ${{ needs.build-go.outputs.artifact-name }}
+      artifact-path: bin
+      user: ${{ github.actor }}
+      image-repo: ${{ needs.setup.outputs.image_repo }}
+      image-tag: ${{ needs.setup.outputs.image_tag }}
+      build-args: |
+        BIN=bin/${{ needs.setup.outputs.app_name }}
+    secrets: inherit
 
   trivy-scan:
     name: 🔍 scan image
-    runs-on: ubuntu-latest
     needs:
       - build-docker
       - setup
     permissions:
       contents: read
       security-events: write
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - name: Download image artifact
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
-        with:
-          name: docker-image
-          path: .
-      - name: full scan with Trivy
-        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
-        env:
-          TRIVY_DEBUG: true
-        with:
-          input: 'image.tar'
-          format: 'sarif'
-          output: 'trivy-results.sarif'
-          exit-code: '0'
-      - name: fail with high critical
-        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
-        with:
-          input: 'image.tar'
-          format: 'table'
-          severity: 'HIGH,CRITICAL'
-          output: 'trivy-high-results.txt'
-          exit-code: '1'
-      - name: job summary
-        run: |
-          # step summary
-          echo '```' >> $GITHUB_STEP_SUMMARY
-          cat trivy-high-results.txt >> $GITHUB_STEP_SUMMARY
-          echo '```' >> $GITHUB_STEP_SUMMARY
-      - name: Upload Trivy results to Security tab
-        if: always()
-        uses: github/codeql-action/upload-sarif@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4.32.2
-        with:
-          sarif_file: 'trivy-results.sarif'
+    uses: metal-toolbox/ci-toolbox/.github/workflows/trivy.yaml@v0.0.1
+    with:
+      scan-type: image
+      image-ref: ${{ needs.setup.outputs.image_repo }}:${{ needs.setup.outputs.image_tag }}

.github/workflows/openapi.yml → .github/workflows/openapi.yaml

@@ -20,11 +20,18 @@ jobs:
       - name: Bundle OpenAPI Spec
         run: |
           redocly bundle openapi/v1alpha1/openapi.yaml -o _site/openapi-bundle.yaml
+          redocly bundle openapi/v1alpha1/openapi.yaml -o _site/openapi-bundle.json
           redocly build-docs openapi/v1alpha1/openapi.yaml --title "Governor API" -o _site/index.html
       - name: Upload OpenAPI Bundle
         uses: actions/upload-pages-artifact@v4
         with:
           retention-days: 1
+      - name: Upload to Release
+        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
+        with:
+          files: |
+            _site/openapi-bundle.json
+            _site/openapi-bundle.yaml
 
   publish-pages:
     runs-on: ubuntu-latest