feat: add example consumer repositories and workflows for CPython Patch PR Action

Author: CasperKristiansson

README.md

@@ -135,6 +135,20 @@ Set `automerge: true` and wire a follow-up job that applies your preferred autom
 
 ---
 
+## Example consumer repositories
+
+Clone one of the templates in [`examples/`](examples) to see the action running in
+the context of a real repository:
+
+- [`examples/minimal`](examples/minimal) – single-job workflow scheduled weekly.
+- [`examples/guarded`](examples/guarded) – dry-run preview with release-note
+  gating and concurrency controls.
+
+Each template ships with a README snippet and status badge you can adapt when
+bootstrapping your own public showcase repository.
+
+---
+
 ## Permissions
 
 The workflow requires:

docs/tasks.md

@@ -219,7 +219,7 @@ Use Context7 MCP for up to date documentation.
         Enable `codeql-analysis`. Attach provenance to releases.
         Verify: CodeQL green. Provenance present.
 
-35. [ ] **Example consumer repos**
+35. [x] **Example consumer repos**
         Public minimal and guarded samples using the Action.
         Verify: Badges and scheduled runs visible.
 

examples/README.md

@@ -0,0 +1,29 @@
+# Example Consumer Repositories
+
+This directory hosts ready-to-fork templates that demonstrate how to adopt the
+CPython Patch PR Action in downstream projects. Each template includes:
+
+- A minimal repository `README.md` with status badges you can reuse.
+- A scheduled workflow that exercises the action.
+- Optional guardrails tailored to the scenario.
+
+To use one of the samples:
+
+1. Create a new public repository (recommended names listed below).
+2. Copy the corresponding template files, preserving the directory structure.
+3. Update the status badge URLs in the README to match your repository.
+4. Push to `main`. The schedule and any manually dispatched runs will validate the setup.
+
+Available templates:
+
+- `minimal/` – single-job workflow that bumps a single CPython track on a weekly cadence.
+- `guarded/` – two-stage workflow that performs a dry-run preview before applying updates and requires a protection keyword in release notes before merging.
+
+Badges use the canonical GitHub Actions syntax:
+
+```md
+![Workflow status](https://github.com/<owner>/<repo>/actions/workflows/python-version-patch.yml/badge.svg)
+```
+
+Replace `<owner>` and `<repo>` with your namespace and repository name after
+creating the consumer repo.

examples/guarded/.github/workflows/python-version-patch.yml

@@ -0,0 +1,101 @@
+name: CPython Patch PR (Guarded)
+
+on:
+  schedule:
+    - cron: '15 7 * * 1-5' # Weekdays at 07:15 UTC
+  workflow_dispatch:
+
+concurrency:
+  group: python-version-patch
+  cancel-in-progress: false
+
+env:
+  TRACK: '3.13'
+  SECURITY_KEYWORDS: 'security,CVE,critical'
+
+jobs:
+  preview:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    outputs:
+      new_version: ${{ steps.preview.outputs.new_version }}
+      files_changed: ${{ steps.preview.outputs.files_changed }}
+      skipped_reason: ${{ steps.preview.outputs.skipped_reason }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Preview CPython patch diff
+        id: preview
+        uses: casperkristiansson/python-version-patch-pr@v0
+        with:
+          track: ${{ env.TRACK }}
+          dry_run: true
+
+      - name: Summarize planned changes
+        if: steps.preview.outputs.skipped_reason == ''
+        run: |
+          echo "Found proposed bump to version: ${{ steps.preview.outputs.new_version }}"
+          echo "Files changed JSON:"
+          echo '${{ steps.preview.outputs.files_changed }}'
+
+  apply:
+    needs: preview
+    if: needs.preview.outputs.skipped_reason == ''
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    environment:
+      name: production
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Enforce release note guard
+        env:
+          NEW_VERSION: ${{ needs.preview.outputs.new_version }}
+          SECURITY_KEYWORDS: ${{ env.SECURITY_KEYWORDS }}
+        run: |
+          if [[ -z "$NEW_VERSION" ]]; then
+            echo "No new version detected; skipping guard."
+            exit 0
+          fi
+
+          python - <<'PY'
+import os
+import sys
+import urllib.request
+
+version = os.environ['NEW_VERSION']
+keywords = [kw.strip().lower() for kw in os.environ.get('SECURITY_KEYWORDS', '').split(',') if kw.strip()]
+if not keywords:
+    sys.exit(0)
+
+slug = 'python-' + version.replace('.', '')
+url = f'https://www.python.org/downloads/release/{slug}/'
+print(f'Fetching release notes from {url}')
+try:
+    with urllib.request.urlopen(url, timeout=30) as response:
+        body = response.read().decode('utf-8', errors='replace').lower()
+except Exception as exc:  # noqa: BLE001
+    print(f'Failed to fetch release notes: {exc}')
+    sys.exit(1)
+
+if any(keyword in body for keyword in keywords):
+    print('Security keyword detected in release notes.')
+else:
+    print('No security keywords found; aborting update.')
+    sys.exit(1)
+PY
+
+      - name: Apply CPython patch update
+        uses: casperkristiansson/python-version-patch-pr@v0
+        with:
+          track: ${{ env.TRACK }}
+          automerge: false
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

examples/guarded/README.md

@@ -0,0 +1,27 @@
+# Guarded CPython Patch PR Example
+
+This template demonstrates a more conservative deployment of the CPython Patch
+PR Action. It performs a dry-run preview, checks release notes for security
+keywords, and only applies updates when the guard passes.
+
+![Workflow status](https://github.com/<owner>/python-version-patch-pr-example-guarded/actions/workflows/python-version-patch.yml/badge.svg)
+
+## Highlights
+
+- Two-job workflow with a dry-run preview and gated apply step.
+- Concurrency group to avoid overlapping runs.
+- Example of inspecting `skipped_reason` and release note metadata before
+  applying changes.
+- Ready-made status badge and README snippet for downstream repositories.
+
+## Setup instructions
+
+1. Create a repository named `python-version-patch-pr-example-guarded` (or use
+   a similar descriptive name).
+2. Copy this directory into the new repository root.
+3. Replace `<owner>` in the badge URL with your user or organization handle.
+4. Update the `SECURITY_KEYWORDS` environment variable if you want to tailor
+   the release note gate.
+
+After pushing to `main`, the scheduled job runs every weekday at 07:15 UTC. You
+can also trigger the workflow manually with `workflow_dispatch` for testing.

examples/minimal/.github/workflows/python-version-patch.yml

@@ -0,0 +1,23 @@
+name: CPython Patch PR
+
+on:
+  schedule:
+    - cron: '0 9 * * 1' # Every Monday at 09:00 UTC
+  workflow_dispatch:
+
+jobs:
+  bump-python:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Update CPython patch versions
+        uses: casperkristiansson/python-version-patch-pr@v0
+        with:
+          track: '3.12'
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

examples/minimal/README.md

@@ -0,0 +1,32 @@
+# Minimal CPython Patch PR Example
+
+This template shows the smallest practical setup for the CPython Patch PR
+Action. It monitors a single CPython minor stream and opens a pull request
+whenever a new patch becomes available.
+
+![Workflow status](https://github.com/<owner>/python-version-patch-pr-example-minimal/actions/workflows/python-version-patch.yml/badge.svg)
+
+## Repository structure
+
+```
+.
+├── .github
+│   └── workflows
+│       └── python-version-patch.yml
+└── README.md (this file)
+```
+
+## Recommended setup steps
+
+1. Create a repository named `python-version-patch-pr-example-minimal` (or
+   similar).
+2. Copy this directory into the new repository root.
+3. Replace `<owner>` in the badge URL above with your GitHub username or
+   organization.
+4. Optionally adjust the cron schedule or tracked CPython version in the
+   workflow.
+
+The included workflow runs weekly and can also be triggered manually via
+`workflow_dispatch`. The action writes updated pins, commits them to the
+`chore/bump-python-<track>` branch, and opens or updates a corresponding pull
+request.