ci: optimize CI/CD pipelines and workflows

- Refactor workflows to use composite actions for reusability
- Integrate security checks into PR pipeline
- Optimize cache handling and trigger conditions
- Update permissions and runner configurations
- Parallelize release post-build tasks
- Resolve SBOM upload warnings and Windows runner notices

Author: nicholas-fedor

.github/actions/actionlint/action.yml

@@ -0,0 +1,13 @@
+name: "Actionlint"
+description: "Lint GitHub Actions workflows"
+
+runs:
+  using: "composite"
+  steps:
+    - name: Download actionlint
+      id: get_actionlint
+      run: bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
+      shell: bash
+    - name: Check workflow files
+      run: ${{ steps.get_actionlint.outputs.executable }} -color
+      shell: bash

.github/actions/checkout/action.yml

@@ -0,0 +1,15 @@
+name: "Checkout"
+description: "Checkout repository code"
+
+inputs:
+  fetch-depth:
+    description: "Number of commits to fetch"
+    required: false
+    default: "1"
+
+runs:
+  using: "composite"
+  steps:
+    - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      with:
+        fetch-depth: ${{ inputs.fetch-depth }}

.github/actions/clean-cache/action.yml

@@ -0,0 +1,24 @@
+name: "Clean Cache"
+description: "Clean GitHub Actions cache for a PR branch"
+
+runs:
+  using: "composite"
+  steps:
+    - name: Clean cache
+      run: |
+        echo "Fetching list of cache key"
+        cacheKeysForPR=$(gh cache list --ref "$BRANCH" --limit 100 --json id --jq '.[].id')
+
+        ## Setting this to not fail the workflow while deleting cache keys.
+        set +e
+        echo "Deleting caches..."
+        for cacheKey in $cacheKeysForPR
+        do
+            gh cache delete "$cacheKey"
+        done
+        echo "Done"
+      shell: bash
+      env:
+        GH_TOKEN: ${{ inputs.gh-token }}
+        GH_REPO: ${{ inputs.gh-repo }}
+        BRANCH: ${{ inputs.branch }}

.github/actions/docker-login/action.yml

@@ -0,0 +1,31 @@
+name: "Docker Login"
+description: "Login to Docker registries"
+
+runs:
+  using: "composite"
+  steps:
+    - name: Login to Docker Hub
+      uses: docker/login-action@5b7b28b1cc417bbd34cd8c225a957c9ce9adf7f2
+      with:
+        username: ${{ inputs.dockerhub-username }}
+        password: ${{ inputs.dockerhub-token }}
+    - name: Login to GHCR
+      uses: docker/login-action@5b7b28b1cc417bbd34cd8c225a957c9ce9adf7f2
+      with:
+        registry: ghcr.io
+        username: ${{ inputs.ghcr-username }}
+        password: ${{ inputs.ghcr-token }}
+
+inputs:
+  dockerhub-username:
+    description: "Docker Hub username"
+    required: true
+  dockerhub-token:
+    description: "Docker Hub token"
+    required: true
+  ghcr-username:
+    description: "GHCR username"
+    required: true
+  ghcr-token:
+    description: "GHCR token"
+    required: true

.github/actions/gosec/action.yml

@@ -0,0 +1,16 @@
+name: "Golang Security Checker"
+description: "Run Gosec security scanner and upload SARIF report"
+
+runs:
+  using: "composite"
+  steps:
+    - name: Checkout Source
+      uses: ./.github/actions/checkout
+    - name: Run Gosec Security Scanner
+      uses: securego/gosec@506407e7dfe6979d514d362f0b2d2ea77f49f5c8
+      with:
+        args: "-no-fail -fmt sarif -out results.sarif -tests ./..."
+    - name: Upload SARIF file
+      uses: github/codeql-action/upload-sarif@192325c86100d080feab897ff886c34abd4c83a3 # v3
+      with:
+        sarif_file: results.sarif

.github/actions/govulncheck/action.yml

@@ -0,0 +1,22 @@
+name: "govulncheck"
+description: "Run govulncheck vulnerability scanner and upload SARIF report"
+
+inputs:
+  go-version:
+    description: "Go version to use"
+    required: false
+    default: "1.25.x"
+
+runs:
+  using: "composite"
+  steps:
+    - id: govulncheck
+      uses: nicholas-fedor/govulncheck-action@1e9ef2cbd93abefcc8605e05f8c212aa90181f6f
+      with:
+        output-format: sarif
+        output-file: results.sarif
+        go-version-input: ${{ inputs.go-version }}
+    - name: Upload SARIF file
+      uses: github/codeql-action/upload-sarif@192325c86100d080feab897ff886c34abd4c83a3 # v3
+      with:
+        sarif_file: results.sarif

.github/workflows/build.yaml

@@ -105,7 +105,7 @@ jobs:
         with:
           name: ${{ inputs.build-type }}-binary-sboms
           path: dist/*.sbom
-          if-no-files-found: warn
+          if-no-files-found: ignore
 
       - name: Generate artifact attestation # Generate attestations for prod builds.
         if: ${{ !inputs.dry-run && inputs.build-type == 'prod' }}

.github/workflows/clean-cache.yaml

@@ -11,22 +11,11 @@ permissions:
 
 jobs:
   cleanup:
+    if: github.event.pull_request.merged
     runs-on: ubuntu-latest
     steps:
-      - name: Cleanup
-        run: |
-          echo "Fetching list of cache key"
-          cacheKeysForPR=$(gh cache list --ref "$BRANCH" --limit 100 --json id --jq '.[].id')
-
-          ## Setting this to not fail the workflow while deleting cache keys.
-          set +e
-          echo "Deleting caches..."
-          for cacheKey in $cacheKeysForPR
-          do
-              gh cache delete "$cacheKey"
-          done
-          echo "Done"
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          GH_REPO: ${{ github.repository }}
-          BRANCH: refs/pull/${{ github.event.pull_request.number }}/merge
+      - uses: ./.github/actions/clean-cache
+        with:
+          gh-token: ${{ secrets.GITHUB_TOKEN }}
+          gh-repo: ${{ github.repository }}
+          branch: refs/pull/${{ github.event.pull_request.number }}/merge

.github/workflows/create-manifests.yaml

@@ -29,20 +29,13 @@ jobs:
         uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493
         with:
           fetch-depth: 0
-
-      - name: Login to Docker Hub
-        uses: docker/login-action@5b7b28b1cc417bbd34cd8c225a957c9ce9adf7f2
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Login to GHCR
-        uses: docker/login-action@5b7b28b1cc417bbd34cd8c225a957c9ce9adf7f2
+      - name: Login to registries
+        uses: ./.github/actions/docker-login
         with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ github.token }}
-
+          dockerhub-username: ${{ secrets.DOCKERHUB_USERNAME }}
+          dockerhub-token: ${{ secrets.DOCKERHUB_TOKEN }}
+          ghcr-username: ${{ github.actor }}
+          ghcr-token: ${{ github.token }}
       - name: Create Docker manifests for dev
         if: ${{ inputs.build-type == 'dev' }}
         run: |
@@ -58,7 +51,6 @@ jobs:
             ghcr.io/nicholas-fedor/shoutrrr:armhf-dev \
             ghcr.io/nicholas-fedor/shoutrrr:arm64v8-dev \
             ghcr.io/nicholas-fedor/shoutrrr:riscv64-dev
-
       - name: Create Docker manifests for prod
         if: ${{ inputs.build-type == 'prod' }}
         run: |

.github/workflows/lint-gh.yaml

@@ -19,13 +19,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493
-
-      - name: Download actionlint
-        id: get_actionlint
-        run: bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
-        shell: bash
-
-      - name: Check workflow files
-        run: ${{ steps.get_actionlint.outputs.executable }} -color
-        shell: bash
+        uses: ./.github/actions/checkout
+      - name: Run actionlint
+        uses: ./.github/actions/actionlint