From e4b26fb8fb26832553fb0ed0a6fb823374d0a21f Mon Sep 17 00:00:00 2001
From: Dustin Kut Moy Cheung <dcheung@redhat.com>
Date: Wed, 1 Apr 2026 11:06:48 -0400
Subject: [PATCH 1/4] Update README.md with description

---
 README.md | 72 +++++++++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 70 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 2c3833c..9b75514 100644
--- a/README.md
+++ b/README.md
@@ -2,9 +2,77 @@
 
 This repository is used to store GitHub Action workflows (and other stuff) that we'll re-use in other PNC repositories
 
-### Dependabot
+These workflows are designed for Maven-based Java projects and can be included
+in other repositories using the `workflow_call` mechanism.
+
+# Available Workflows
+
+## Maven CI (`maven-ci.yml`)
+Standard Continuous Integration workflow for Maven projects that we use to test
+PRs. For some of the workflows, we can also further customize it by specifying
+the Java version etc.
+
+- **Tasks**: Checkout code, set up Java (default: 21), run build command (`mvn
+  clean install`), and check for code formatting errors.
+
+
+## Maven Release (`maven-release.yml`)
+Workflow for performing a release to Maven Central (Sonatype).
+
+- **Tasks**: Configures Git, sets up Java and GPG, performs `release:prepare`
+  and `release:perform`, and pushes changes/tags back to the repository.
+
+
+## Maven Snapshot (`maven-snapshot.yml`)
+Workflow for deploying snapshot versions to Maven Central.
+
+- **Tasks**: Deploy our SNAPSHOT version of our project to Maven Central
+  Optionally builds and pushes a Quarkus Jib image to Quay.io.
+
+
+## Maven Set Version (`maven-set-version.yml`)
+Workflow to update the version in a Maven `pom.xml`.
+- **Tasks**: Updates the version using `versions:set` and commits/pushes the change.
+
+
+## Maven Jib (`maven-jib.yml`)
+*Work in Progress* workflow to build Jib images and upload to a container
+registry.
+
+
+## Validate GitHub Action (`validate-gh-action.yml`)
+Workflow used to lint and validate GitHub Actions using `actionlint` and
+`zizmor`. This is used in this repository's `validate.yml` to run for PRs.
+
+## Usage Example
+
+To use one of these workflows in your repository, add a new workflow file
+(e.g., `.github/workflows/ci.yml`) and reference the shared workflow:
+
+```yaml
+name: Run PR test
+
+on:
+  pull_request:
+    branches: [ * ]
+
+jobs:
+  build:
+    uses: project-ncl/shared-github-actions/.github/workflows/maven-ci.yml@<sha> # <tag>
+    with:
+      # if you want to customize the java_version
+      java_version: '17'
+```
+
+A Github repository example using those workflows can be found
+(here)[https://github.com/project-ncl/environment-driver/tree/main/.github/workflows]
+>>>>>>> 47ec4fb (Update README.md with description)
+
+# Misc
+
+## Dependabot
 
 A sample dependabot file in `.github/dependabot.yml` is available that is both used in this repository and may be copied to other ProjectNCL repositories.
 
-### GitHub Releases
+## GitHub Releases
 A sample `.github/release.yml` configuration file from the [GitHub documentation](https://docs.github.com/en/repositories/releasing-projects-on-github/automatically-generated-release-notes#configuring-automatically-generated-release-notes) has been added that may be copied to other ProjectNCL repositories.

From 06d34554f1c70149baaf1b44bb928425955aa33c Mon Sep 17 00:00:00 2001
From: Dustin Kut Moy Cheung <dcheung@redhat.com>
Date: Wed, 8 Apr 2026 17:44:00 -0400
Subject: [PATCH 2/4] Add a note on what is the next version after a release

---
 README.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 9b75514..ebb4607 100644
--- a/README.md
+++ b/README.md
@@ -20,7 +20,9 @@ the Java version etc.
 Workflow for performing a release to Maven Central (Sonatype).
 
 - **Tasks**: Configures Git, sets up Java and GPG, performs `release:prepare`
-  and `release:perform`, and pushes changes/tags back to the repository.
+  and `release:perform`, and pushes changes/tags back to the repository. The
+  next version is set by bumping the patch version by 1 and putting the
+  `-SNAPSHOT` suffix.
 
 
 ## Maven Snapshot (`maven-snapshot.yml`)

From 568307066caf98b905653176f7318573f9945b8f Mon Sep 17 00:00:00 2001
From: Dustin Kut Moy Cheung <dcheung@redhat.com>
Date: Wed, 8 Apr 2026 17:50:00 -0400
Subject: [PATCH 3/4] Add a section for validation and permissions

---
 README.md | 26 +++++++++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index ebb4607..22978fb 100644
--- a/README.md
+++ b/README.md
@@ -68,7 +68,6 @@ jobs:
 
 A Github repository example using those workflows can be found
 (here)[https://github.com/project-ncl/environment-driver/tree/main/.github/workflows]
->>>>>>> 47ec4fb (Update README.md with description)
 
 # Misc
 
@@ -78,3 +77,28 @@ A sample dependabot file in `.github/dependabot.yml` is available that is both u
 
 ## GitHub Releases
 A sample `.github/release.yml` configuration file from the [GitHub documentation](https://docs.github.com/en/repositories/releasing-projects-on-github/automatically-generated-release-notes#configuring-automatically-generated-release-notes) has been added that may be copied to other ProjectNCL repositories.
+
+## Github Action validations
+We use (zizmor)[https://docs.zizmor.sh/] and
+[actionlint](https://github.com/rhysd/actionlint) to validate that our Github
+Actions are secure.
+
+One of the requirements is to explicitly define a permissions key to specify
+the level of access that the injected `GITHUB_TOKEN` should have.
+
+For workflows that do not require to `git push` any changes, we set an empty
+permissions field:
+```
+permissions: {}
+```
+
+and for those that do:
+```
+permissions:
+  contents: write
+```
+For example, `maven-release.yml` requires to `git push` changes back to the
+repository and needs those permissions.
+
+Note that the final workflow should also specify the same permissions as the
+shared workflow being used.

From 50c59dae72f0e2df85f176eb852ba91cbe7551e1 Mon Sep 17 00:00:00 2001
From: Dustin Kut <630746+thescouser89@users.noreply.github.com>
Date: Thu, 9 Apr 2026 10:15:59 -0400
Subject: [PATCH 4/4] Update README.md

Co-authored-by: Nick Cross <github@goots.org>
---
 README.md | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/README.md b/README.md
index 22978fb..4b1f99e 100644
--- a/README.md
+++ b/README.md
@@ -34,7 +34,27 @@ Workflow for deploying snapshot versions to Maven Central.
 
 ## Maven Set Version (`maven-set-version.yml`)
 Workflow to update the version in a Maven `pom.xml`.
+
 - **Tasks**: Updates the version using `versions:set` and commits/pushes the change.
+ 
+This workflow should be manually called and an example of that may be seen [here](https://github.com/project-ncl/environment-driver/blob/main/.github/workflows/maven-set-version.yml). Its recommended that `on.workflow_dispatch` is used so the user can enter the appropriate values e.g.
+```
+on:
+  workflow_dispatch: # Manual trigger
+    inputs:
+      new_version:
+        description: '[Required] Version to set'
+        required: true
+        type: string
+...
+jobs:
+    call-maven-set-version-job:
+      permissions:
+        contents: write # needed to push commit and tag back to the repository
+      uses: project-ncl/shared-github-actions/.github/workflows/maven-set-version.yml@504efc82df7d4f73e3bd2b67bec31bcd532ed9e4 # v0.0.14
+      with:
+        new_version: ${{ inputs.new_version }}
+```
 
 
 ## Maven Jib (`maven-jib.yml`)