feat(ci): add Go linting to reusable lint workflow

.github/workflows/lint-caller.yml

@@ -20,4 +20,6 @@ jobs:
     with:
       # renovate: datasource=github-releases depName=jdx/mise
       mise-version: "2026.4.22"
+      # renovate: datasource=github-releases depName=golangci/golangci-lint
+      golangci-lint-version: "v2.11.4"
       lint-config-dir: config-sync/files

.github/workflows/lint.yml

@@ -8,6 +8,15 @@ on:
         description: "mise version to install"
         required: true
         type: string
+      golangci-lint-version:
+        description: "golangci-lint version to install"
+        required: true
+        type: string
+      go-version-file:
+        description: "Path to the Go version file"
+        required: false
+        type: string
+        default: "go.mod"
       lint-config-dir:
         description: "Directory containing optional linter config files"
         required: false
@@ -38,6 +47,11 @@ on:
         required: false
         type: boolean
         default: true
+      lint-go:
+        description: "Run golangci-lint (Go linting)"
+        required: false
+        type: boolean
+        default: true
       lint-shellcheck:
         description: "Run shellcheck (shell linting)"
         required: false
@@ -218,6 +232,40 @@ jobs:
             mise exec -- gitleaks detect --redact
           fi
 
+  go:
+    name: go
+    if: ${{ inputs.lint-go }}
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Check for Go version file
+        id: go-version-file
+        env:
+          GO_VERSION_FILE: ${{ inputs.go-version-file }}
+        run: |-
+          if [ -f "${GO_VERSION_FILE}" ]; then
+            echo "exists=true" >> "${GITHUB_OUTPUT}"
+          else
+            echo "::notice::${GO_VERSION_FILE} not found; skipping Go linter"
+            echo "exists=false" >> "${GITHUB_OUTPUT}"
+          fi
+
+      - name: Setup Go
+        if: ${{ steps.go-version-file.outputs.exists == 'true' }}
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        with:
+          go-version-file: ${{ inputs.go-version-file }}
+
+      - name: Run golangci-lint
+        if: ${{ steps.go-version-file.outputs.exists == 'true' }}
+        uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
+        with:
+          version: ${{ inputs.golangci-lint-version }}
+
   shellcheck:
     name: shellcheck
     if: ${{ inputs.lint-shellcheck }}

docs/architecture.md

@@ -43,24 +43,27 @@ comment and supply the required inputs.
 
 ### Lint (`lint.yml`)
 
-Runs up to ten linters in a single job. Toggle individual linters on/off with
+Runs up to eleven linters in a single job. Toggle individual linters on/off with
 boolean inputs; all default to `true`.
 
-| Input               | Description                                      |
-| ------------------- | ------------------------------------------------ |
-| `mise-version`      | **Required.** mise version to install.           |
-| `lint-config-dir`   | Optional linter config directory. Default: `""`. |
-| `lint-dprint`       | Markdown formatting (dprint). Default: `true`.   |
-| `lint-yamlfmt`      | YAML formatting (yamlfmt). Default: `true`.      |
-| `lint-yamllint`     | YAML linting (yamllint). Default: `true`.        |
-| `lint-actionlint`   | GitHub Actions linting. Default: `true`.         |
-| `lint-gitleaks`     | Secret scanning (gitleaks). Default: `true`.     |
-| `lint-shellcheck`   | Shell linting (shellcheck). Default: `true`.     |
-| `lint-shfmt`        | Shell formatting (shfmt). Default: `true`.       |
-| `lint-checkov`      | IaC security scan (checkov). Default: `true`.    |
-| `lint-trivy`        | Filesystem scan (trivy). Default: `true`.        |
-| `lint-zizmor`       | Actions security scan (zizmor). Default: `true`. |
-| `lint-config-drift` | Config-drift check. Default: `false`.            |
+| Input                   | Description                                      |
+| ----------------------- | ------------------------------------------------ |
+| `mise-version`          | **Required.** mise version to install.           |
+| `golangci-lint-version` | **Required.** golangci-lint version to install.  |
+| `go-version-file`       | Go version file for setup-go. Default: `go.mod`. |
+| `lint-config-dir`       | Optional linter config directory. Default: `""`. |
+| `lint-dprint`           | Markdown formatting (dprint). Default: `true`.   |
+| `lint-yamlfmt`          | YAML formatting (yamlfmt). Default: `true`.      |
+| `lint-yamllint`         | YAML linting (yamllint). Default: `true`.        |
+| `lint-actionlint`       | GitHub Actions linting. Default: `true`.         |
+| `lint-gitleaks`         | Secret scanning (gitleaks). Default: `true`.     |
+| `lint-go`               | Go linting (golangci-lint). Default: `true`.     |
+| `lint-shellcheck`       | Shell linting (shellcheck). Default: `true`.     |
+| `lint-shfmt`            | Shell formatting (shfmt). Default: `true`.       |
+| `lint-checkov`          | IaC security scan (checkov). Default: `true`.    |
+| `lint-trivy`            | Filesystem scan (trivy). Default: `true`.        |
+| `lint-zizmor`           | Actions security scan (zizmor). Default: `true`. |
+| `lint-config-drift`     | Config-drift check. Default: `false`.            |
 
 **Example caller:**
 
@@ -74,6 +77,8 @@ jobs:
     with:
       # renovate: datasource=github-releases depName=jdx/mise
       mise-version: "2026.4.5"
+      # renovate: datasource=github-releases depName=golangci/golangci-lint
+      golangci-lint-version: "v2.11.4"
       # lint-config-dir: config-sync/files
 ```
 

docs/design-decisions/0001-reusable-workflow-version-inputs.md

@@ -129,7 +129,7 @@ It does **not** apply to:
 
 ## Compliance
 
-- `lint.yml` — `mise-version` required ✅
+- `lint.yml` — `mise-version` and `golangci-lint-version` required ✅
 - `release.yml` — `mise-version` required ✅
 - `autofix.yml` — `mise-version` required ✅
 - `config-sync.yml`, `label-sync.yml`, `labeler.yml`, `todo-to-issue.yml` —

workflow-templates/lint.yml

@@ -19,14 +19,19 @@ jobs:
     with:
       # renovate: datasource=github-releases depName=jdx/mise
       mise-version: "2026.4.22"
+      # renovate: datasource=github-releases depName=golangci/golangci-lint
+      golangci-lint-version: "v2.11.4"
       # Optional: use configs from a non-root directory.
       # lint-config-dir: config-sync/files
+      # Optional: use a different Go version file.
+      # go-version-file: go.mod
       # Toggle linters on/off (all default to true):
       # lint-dprint: true
       # lint-yamlfmt: true
       # lint-yamllint: true
       # lint-actionlint: true
       # lint-gitleaks: true
+      # lint-go: true
       # lint-shellcheck: true
       # lint-shfmt: true
       # lint-checkov: true