add CodeQL workflow, timeouts to jobs, and run go generate and vuln c…

…heck workflows weekly

.github/workflows/check-generated.yml

@@ -0,0 +1,45 @@
+name: Check generated files
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    branches:
+      - "*"
+  schedule:
+    - cron: "00 13 * * 1"
+
+  workflow_dispatch: {}
+
+env:
+  GO_VERSION: "1.19"
+
+jobs:
+  check-go-generate:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Install Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: ${{ env.GO_VERSION }}.x
+          check-latest: true
+          cache: true
+
+      # Install any tools 'go generate' uses here
+
+      - name: Ensure 'go generate' is clean
+        run: |
+          # shellcheck disable=SC2046
+          go generate $(go list ./...)
+          echo
+          echo
+
+          if ! git diff --name-only --exit-code; then
+            echo "The files above need updating. Please run 'go generate'."
+            exit 1
+          fi

.github/workflows/codeql.yml

@@ -0,0 +1,55 @@
+name: CodeQL
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    branches:
+      - "*"
+  schedule:
+    - cron: "00 13 * * 1"
+
+  workflow_dispatch: {}
+
+jobs:
+  analyze:
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: 
+          - go
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v2
+      with:
+        languages: ${{ matrix.language }}
+
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v2
+
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+
+    #   If the Autobuild fails above, remove it and uncomment the following three lines.
+    #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
+
+    # - run: |
+    #   echo "Run, Build Application using script"
+    #   ./location_of_script_within_repo/buildscript.sh
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v2
+      with:
+        category: "/language:${{matrix.language}}"

.github/workflows/lint-actions.yml

@@ -13,6 +13,7 @@ env:
 jobs:
   lint-workflows:
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     steps:
       - name: Checkout code
         uses: actions/checkout@v3

.github/workflows/lint-docker.yml

@@ -10,6 +10,7 @@ on:
 jobs:
   lint-dockerfile:
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     steps:
       - name: Checkout code
         uses: actions/checkout@v3

.github/workflows/lint-go.yml

@@ -16,6 +16,7 @@ env:
 jobs:
   check-mod-tidy:
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     steps:
       - name: Checkout code
         uses: actions/checkout@v3
@@ -37,36 +38,9 @@ jobs:
           fi
           exit 0
 
-  check-go-generate:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v3
-
-      - name: Install Go
-        uses: actions/setup-go@v3
-        with:
-          go-version: ${{ env.GO_VERSION }}.x
-          check-latest: true
-          cache: true
-
-      - run: |
-          go install github.com/kyleconroy/sqlc/cmd/sqlc@latest
-
-      - name: Ensure 'go generate' is clean
-        run: |
-          # shellcheck disable=SC2046
-          go generate $(go list ./...)
-          echo
-          echo
-
-          if ! git diff --name-only --exit-code; then
-            echo "The files above need updating. Please run 'go generate'."
-            exit 1
-          fi
-
   staticcheck:
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     steps:
       - name: Checkout code
         uses: actions/checkout@v3
@@ -85,6 +59,7 @@ jobs:
 
   golangci-lint:
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     permissions:
       pull-requests: read
     steps:

.github/workflows/release.yml

@@ -14,6 +14,7 @@ jobs:
   release-binary:
     runs-on: ubuntu-latest
     if: github.ref_type == 'tag'
+    timeout-minutes: 15
     permissions:
       id-token: write
       contents: write
@@ -47,6 +48,7 @@ jobs:
 
   release-image:
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     permissions:
       id-token: write
       packages: write

.github/workflows/test.yml

@@ -18,6 +18,7 @@ jobs:
     # required for nftables to work correctly
     # TODO: change to "ubuntu-latest" when 22.04 is the latest
     runs-on: ubuntu-22.04
+    timeout-minutes: 15
     steps:
       - name: Checkout code
         uses: actions/checkout@v3
@@ -37,6 +38,7 @@ jobs:
 
   binary-test:
     runs-on: ubuntu-22.04
+    timeout-minutes: 15
     steps:
       - name: Checkout code
         uses: actions/checkout@v3
@@ -59,6 +61,7 @@ jobs:
 
   image-test:
     runs-on: ubuntu-22.04
+    timeout-minutes: 15
     steps:
       - name: Checkout code
         uses: actions/checkout@v3

.github/workflows/vuln.yml

@@ -7,6 +7,8 @@ on:
   pull_request:
     branches:
       - "*"
+  schedule:
+    - cron: "00 13 * * 1"
 
   workflow_dispatch: {}
 
@@ -16,6 +18,7 @@ env:
 jobs:
   govulncheck:
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     steps:
       - name: Checkout code
         uses: actions/checkout@v3