chore(repo): harden CLA workflow — pin SHA, fix action repo, fail on missing token

Addresses pr-agent review on PR #93 (the two CLA-specific items). The
other 9 suggestions targeted code carried in by the sync (middleware,
gender-x) and are out of scope here.

- uses: contributor-assistant/cla-assistant-action@v2.6.1  (404 — wrong name)
+ uses: contributor-assistant/github-action@ca4a40a7...       (canonical, pinned)

  The action's real home is contributor-assistant/github-action; the
  'cla-assistant-action' path we had resolves to 404 and may itself be
  why the bot never fired on PR #92. Pin to the full SHA of v2.6.1 so a
  movable tag can't slip a malicious update under pull_request_target +
  a writable PAT. The repo is archived but v2.6.1 still functions.

- Add a guard step that FAILS the job on the canonical repo
  (zonghaoyuan/infiplot) when CLA_BOT_TOKEN is missing. Previously a
  missing token silently skipped the job and it 'succeeded' — dangerous
  once this becomes a required status check (a lost/expired token would
  let CLA enforcement degrade invisibly). Forks still skip cleanly.
This commit is contained in:
yuanzonghao
2026-06-18 21:59:19 +08:00
parent 03dccd7c74
commit 366b84e2fb
+21 -4
@@ -36,12 +36,29 @@ jobs:
env:
HAS_CLA_BOT_TOKEN: ${{ secrets.CLA_BOT_TOKEN != '' }}
steps:
# Guard: on the canonical repo, a missing CLA_BOT_TOKEN must FAIL the
# job rather than silently skipping. Otherwise, once this job becomes a
# required status check, a lost/expired token would let CLA checks pass
# green and CLA enforcement would degrade invisibly. Forks (and renamed
# copies) still skip cleanly below.
- name: "Fail when CLA token is missing on canonical repo"
if: ${{ github.repository == 'zonghaoyuan/infiplot' && env.HAS_CLA_BOT_TOKEN != 'true' }}
run: |
echo "CLA_BOT_TOKEN is required for CLA enforcement on ${{ github.repository }}." >&2
echo "Configure it under Settings → Secrets and variables → Actions." >&2
exit 1
- name: "CLA Assistant"
# SKIPPED when no secrets are configured. Keep the whole predicate
# inside a single ${{ }} so && / || are evaluated as a boolean
# expression, not string-concatenated.
# SKIPPED when no secrets are configured (e.g. on forks). Keep the
# whole predicate inside a single ${{ }} so && / || are evaluated as a
# boolean expression, not string-concatenated.
if: ${{ env.HAS_CLA_BOT_TOKEN == 'true' && ((github.event_name == 'issue_comment' && (github.event.comment.body == 'recheckcla' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA')) || github.event_name == 'pull_request_target') }}
uses: contributor-assistant/cla-assistant-action@v2.6.1
# Pinned to a full commit SHA (not a movable tag) because this step
# runs under pull_request_target with a writable PAT. Canonical repo:
# contributor-assistant/github-action (the action's original home; note
# `contributor-assistant/cla-assistant-action` does NOT exist and would
# 404). The repo is archived, but v2.6.1 still functions; re-evaluate
# only if it breaks against a future GitHub API change.
uses: contributor-assistant/github-action@ca4a40a7d1004f18d9960b404b97e5f30a505a08 # v2.6.1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
PERSONAL_ACCESS_TOKEN: ${{ secrets.CLA_BOT_TOKEN }}
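Review bot: the fail-closed guard keys on the literal repository name `zonghaoyuan/infiplot`, so a rename or transfer of the canonical repo silently turns the guard off and the job goes back to skipping green, exactly the failure mode the comment block above it describes (the comment even concedes that "renamed copies" skip). Consider gating on `github.event.repository.fork == false` (or on `github.repository_owner`) instead of the hardcoded name, so the guard survives a rename while forks still skip. Two smaller points on the same hunk: the old `# SKIPPED when no secrets are configured ...` comment appears twice (once as the removed version, once as the replacement), which is fine for the diff but worth a glance that only the new three-line version lands; and the lead-in comment for the pinned `uses:` line should say where the `ca4a40a7...` SHA was read from (tag object of v2.6.1 in contributor-assistant/github-action) so a later reviewer can re-verify the pin without trusting the `# v2.6.1` trailer.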