Move to top-level folder, adapt README

snazy · snazy · commit e9e169371e43 · 2026-02-27T09:58:00.000+01:00
diff --git a/.github/workflows/check-project-actions.yml b/.github/workflows/check-project-actions.yml
diff --git a/README.md b/README.md
@@ -16,29 +16,10 @@ This repository hosts GitHub Actions developed by the ASF community and approved
 
 You can let your CI workflows check if the Actions used in your project are approved for use in the ASF.
 
-Either create a new workflow in your project repository, e.g. `.github/workflows/check-project-actions.yml`,
-like the following example, or call the workflow from a job from your existing CI workflow in your repository.
+An example workflow that can be used as a template for your project's CI can be found
+[here `check-actions-usage/sample-ci-workflow.yml`](check-actions-usage/sample-ci-workflow.yml).
 
-```yaml
- name: Check action references
- on:
-  workflow_dispatch:
-  push:
-    branches:
-      - main
-    paths:
-      - ".github/**"
-  pull_request:
-    paths:
-      - ".github/**"
- jobs:
-   # This is the job that verifies your project's usage of approved GitHub actions
-   check:
-     name: Check actions usage
-     uses: apache/infrastructure-actions/.github/workflows/check-project-actions.yml@main
-```
-
-When calling the `check-project-actions` from a `push` or `pull_request` event, the workflow should work
+When calling the `check-project-actions` workflow from a `push` or `pull_request` event, it should work
 automatically against the "right" reference.
 
 You can also pass the `repository`, `ref`, `fetch-depth` and `submodules` parameters, as documented for
diff --git a/check-actions-usage/check-project-actions.yml b/check-actions-usage/check-project-actions.yml
@@ -0,0 +1,93 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+# Workflow to be called from ASF project repository workflows to check
+# whether the GitHub actions references in GitHub workflows (`.github/workflows`) and
+# composite actions (`.github/actions`) are approved.
+#
+# The README.md of ASF Infrastructure Actions repository https://github.com/apache/infrastructure-actions
+# contains usage instructions.
+#
+# See: ASF Infrastructure GitHub Actions Policy: https://infra.apache.org/github-actions-policy.html
+
+
+name: check-project-actions.yml
+on:
+  workflow_call:
+    inputs:
+      repository:
+        required: false
+        description: |
+          Optional, the `repository` parameter for `actions/checkout`.
+          If not specified, the default is to use the repository of the calling workflow.
+          See https://github.com/actions/checkout?tab=readme-ov-file#usage for details.
+        type: string
+      ref:
+        required: false
+        description: |
+          Optional, the `ref` parameter for `actions/checkout`
+          If not specified, the default is to use the repository of the calling workflow.
+          See https://github.com/actions/checkout?tab=readme-ov-file#usage for details.
+        type: string
+      fetch-depth:
+        required: false
+        description: |
+          Optional, the `fetch-depth` parameter for `actions/checkout`.
+          See https://github.com/actions/checkout?tab=readme-ov-file#usage for details.
+        type: number
+        default: 1
+      submodules:
+        required: false
+        description: |
+          Optional, the `submodules` parameter for `actions/checkout`.
+          See https://github.com/actions/checkout?tab=readme-ov-file#usage for details.
+        type: boolean
+        default: false
+
+jobs:
+  check-project-actions:
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Checkout apache/infrastructure-actions"
+        uses: actions/checkout@v2
+        with:
+          repository: 'apache/infrastructure-actions'
+          ref: 'main'
+          path: infrastructure-actions
+
+      - name: "Checkout repository to be checked"
+        uses: actions/checkout@v2
+        with:
+          repository: '${{ inputs.repository }}'
+          ref: ${{ inputs.ref }}
+          fetch-depth: ${{ inputs.fetch-depth }}
+          submodules: ${{ inputs.submodules }}
+          path: repository
+
+      - run: pip install ruyaml
+
+      - name: Check allowed actions usage
+        working-directory: infrastructure-actions
+        shell: python
+        run: |
+          import sys
+          sys.path.append("./gateway/")
+
+          import check_repository_actions as c
+          c.check_project_actions('../repository', '../infrastructure-actions/approved_patterns.yml')
diff --git a/check-actions-usage/sample-ci-workflow.yml b/check-actions-usage/sample-ci-workflow.yml
@@ -0,0 +1,49 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+name: Example CI workflow for projects
+on:
+  # If you want to run this workflow manually, keep `workflow_dispatch`. Otherwise, remove this trigger.
+  workflow_dispatch:
+  # Trigger the workflow on push or pull requests when the contents of your `.github` directory change.
+  # Note: the cheeck-project-actions.yml workflow inspects the `.github/workflows` and `.github/actions` directories.
+  push:
+    branches:
+      - main
+    paths:
+      - ".github/**"
+  pull_request:
+    paths:
+      - ".github/**"
+
+permissions:
+  contents: read
+
+jobs:
+  # This is the job that verifies your project's usage of approved GitHub actions
+  check:
+    name: Check actions usage
+    uses: apache/infrastructure-actions/check-project-actions/check-project-actions.yml@main
+    # Optional: specify a different repository and/or ref to check. These options are passed to
+    # GitHub actions/checkout, see https://github.com/actions/checkout?tab=readme-ov-file#usage for details.
+    #with:
+      #repository: apache/my-project
+      #ref: my-branch
+      #fetch-depth:
+      #submodules:
