allowlist-check: verbose output and gh command to create allowlist PR

[potiuk]

Summary

Two improvements to the allowlist-check action:

• Verbose output: Each action ref is now printed as it is checked, showing its
  status and the reason it was allowed or rejected. This makes it easy to see exactly
  what the check is doing without digging through workflow files.

  Checking 3 unique action ref(s) against the ASF allowlist:
  
    ✅ actions/checkout@v4 — trusted owner (actions)  (.github/workflows/ci.yml)
    ✅ codecov/codecov-action@v4 — matches allowlist  (.github/workflows/ci.yml)
    ❌ evil-org/evil-action@abc123 — NOT ON ALLOWLIST  (.github/workflows/ci.yml)
  

• Ready-to-run gh command: On failure, the check now prints a copy-pasteable
  shell script that forks the repo, appends wildcard entries to actions.yml, and
  opens a PR — no manual file editing required.

  ::notice::You can create a PR to add the missing entries by running:
  ( set -e; _d=$(mktemp -d); trap 'rm -rf "$_d"' EXIT; cd "$_d"
    gh repo clone apache/infrastructure-actions . -- --depth=1
    gh repo fork --remote
    git checkout -b allowlist-add-evil-org-evil-action
    cat >> actions.yml << 'ALLOWLIST_YAML'
  evil-org/evil-action:
    '*':
      keep: true
  ALLOWLIST_YAML
    git add actions.yml
    git commit -m 'Add evil-org/evil-action to allowlist'
    git push -u origin allowlist-add-evil-org-evil-action
    gh pr create --repo apache/infrastructure-actions \
      --title 'Add evil-org/evil-action to the GitHub Actions allowlist' \
      --body '...' )
  

Test plan

• TestBuildGhPrCommand (3 tests): single action, multiple actions with dedup, same action with different SHAs.
• TestMainGhPrCommand (2 tests): verifies main() includes the PR command and verbose check output.
• All 32 tests pass (27 existing + 5 new).

[potiuk]

cc: @kevinjqliu -enhanced your action with exact instructions to the maintainers how to create a PR to inftastructure-actions

[potiuk]

Of course - literally two prompts to create it in less than 5 minues.

[potiuk]

• in actions/allowlist-check when there is a missing allowlist entry error, print exact gh command that will open necesary PR in the infrastructure-action repo
• Actually the script should automatically generate a command that creates PR that adds this action (it only shown how to create issue initially about adding this action - instead I asked Claude to show script to create PR)

[potiuk]

And third prompt:

• Also add verbose output when checking actions - showing the actions being checked

Added nice colorful verbose output while checking the actions.

[dave2wave]

Please provide clear for a human instructions on how to run a test.

[potiuk]

Please provide clear for a human instructions on how to run a test.

It's already there added by @kevinjqliu (see https://github.com/apache/infrastructure-actions/blob/main/allowlist-check/README.md) - this PR merely improves the output of it by adding colors and improves the output to suggest a ready-to-copy-paste gh-command.

[dave2wave]

I ran a test with the SHA of the PR.

[raboof]

this seems to promote discouraged behaviour

[raboof]

Of course - literally two prompts to create it in less than 5 minues.

"It took me really little work to create this work for you" really isn't a selling point IMHO

[kevinjqliu]

thanks! this is helpful.

thoughts on adding a helper script in this repo?

[potiuk]

Of course - literally two prompts to create it in less than 5 minues.

"It took me really little work to create this work for you" really isn't a selling point IMHO

True

[potiuk]

All comments addressed @dave2wave @raboof @kevinjqliu

[potiuk]

Let me merge it here - I will check it on Airflow without releasing it, I think I addressed all comments, we can always fix it later,