diff --git a/.github/workflows/flake-go.yaml b/.github/workflows/flake-go.yaml
new file mode 100644
index 0000000000..1c7eb96dd0
--- /dev/null
+++ b/.github/workflows/flake-go.yaml
@@ -0,0 +1,82 @@
+name: flake-go
+
+on:
+  pull_request:
+  workflow_dispatch:
+    inputs:
+      base_sha:
+        description: "Base commit to diff against. Defaults to merge-base against origin/main."
+        required: false
+        type: string
+      head_sha:
+        description: "Head commit to analyze. Defaults to the checked out HEAD."
+        required: false
+        type: string
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  flake_go:
+    name: Flake Check
+    runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-4' || 'ubuntu-latest' }}
+    timeout-minutes: 20
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          repository: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name || github.repository }}
+          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.event.inputs.head_sha || github.sha }}
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Setup Go
+        uses: ./.github/actions/setup-go
+
+      - name: Install whichtests
+        shell: bash
+        run: ./.github/scripts/retry.sh -- go install github.com/coder/whichtests@ec33bab1ec04cd86beb7a61a069db4463dba63f5
+
+      - name: Select changed tests
+        id: selector
+        shell: bash
+        run: |
+          set -euo pipefail
+          whichtests \
+            --repo-root . \
+            --github-actions \
+            --coalesce \
+            --out-matrix "$RUNNER_TEMP/flake-matrix.json"
+
+      - name: Setup Terraform
+        if: ${{ fromJSON(steps.selector.outputs.matrix).include[0] != null }}
+        uses: ./.github/actions/setup-tf
+
+      - name: Run targeted Go flake checks
+        id: flake_check
+        if: ${{ fromJSON(steps.selector.outputs.matrix).include[0] != null }}
+        uses: ./.github/actions/test-go-pg
+        with:
+          postgres-version: "13"
+          test-parallelism-packages: "4"
+          test-parallelism-tests: "16"
+          test-count: "25"
+          test-packages: ${{ fromJSON(steps.selector.outputs.matrix).include[0].package }}
+          run-regex: ${{ fromJSON(steps.selector.outputs.matrix).include[0].run_regex }}
+          test-shuffle: "on"
+          gotestsum-json-file: default
+
+      - name: Publish Go test failure report
+        if: failure() && steps.flake_check.outcome == 'failure' && github.actor != 'dependabot[bot]' && runner.os == 'Linux' && (github.event_name != 'pull_request' || !github.event.pull_request.head.repo.fork)
+        uses: ./.github/actions/go-test-failure-report
+        with:
+          artifact-name: go-test-failures-${{ github.job }}-${{ github.sha }}
diff --git a/Makefile b/Makefile
index 3d92ff40df..b58f80eb68 100644
--- a/Makefile
+++ b/Makefile
@@ -1446,8 +1446,16 @@ ifdef TEST_SHORT
 GOTEST_FLAGS += -short
 endif
 
+# RUN is single-quoted for the shell so regex metacharacters survive make.
+# Embedded single quotes are not supported; whichtests only emits RUN values
+# built from ASCII test names so generated regexes stay within this contract.
 ifdef RUN
-GOTEST_FLAGS += -run $(RUN)
+GOTEST_FLAGS += -run '$(RUN)'
+endif
+
+# TEST_SHUFFLE values must be off, on, or an integer seed.
+ifdef TEST_SHUFFLE
+GOTEST_FLAGS += -shuffle=$(TEST_SHUFFLE)
 endif
 
 ifdef TEST_CPUPROFILE