From 366b84e2fb88afb7c2acaf20875eeb01ea185920 Mon Sep 17 00:00:00 2001
From: yuanzonghao
Date: Thu, 18 Jun 2026 21:59:19 +0800
Subject: [PATCH] =?UTF-8?q?chore(repo):=20harden=20CLA=20workflow=20?=
 =?UTF-8?q?=E2=80=94=20pin=20SHA,=20fix=20action=20repo,=20fail=20on=20mis?=
 =?UTF-8?q?sing=20token?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Addresses pr-agent review on PR #93 (the two CLA-specific items). The other 9 suggestions targeted code carried in by the sync (middleware, gender-x) and are out of scope here.

- uses: contributor-assistant/cla-assistant-action@v2.6.1 (404 — wrong name)
+ uses: contributor-assistant/github-action@ca4a40a7... (canonical, pinned)

The action's real home is contributor-assistant/github-action; the 'cla-assistant-action' path we had resolves to 404 and may itself be why the bot never fired on PR #92. Pin to the full SHA of v2.6.1 so a movable tag can't slip a malicious update under pull_request_target + a writable PAT. The repo is archived but v2.6.1 still functions.

- Add a guard step that FAILS the job on the canonical repo (zonghaoyuan/infiplot) when CLA_BOT_TOKEN is missing. Previously a missing token silently skipped the job and it 'succeeded' — dangerous once this becomes a required status check (a lost/expired token would let CLA enforcement degrade invisibly). Forks still skip cleanly.
---
 .github/workflows/cla.yml | 25 +++++++++++++++++++++----
 1 file changed, 21 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml
index c212ae8..0d9d319 100644
--- a/.github/workflows/cla.yml
+++ b/.github/workflows/cla.yml
@@ -36,12 +36,29 @@ jobs: env: HAS_CLA_BOT_TOKEN: ${{ secrets.CLA_BOT_TOKEN != '' }} steps: + # Guard: on the canonical repo, a missing CLA_BOT_TOKEN must FAIL the + # job rather than silently skipping. Otherwise, once this job becomes a + # required status check, a lost/expired token would let CLA checks pass + # green and CLA enforcement would degrade invisibly. Forks (and renamed + # copies) still skip cleanly below. + - name: "Fail when CLA token is missing on canonical repo" + if: ${{ github.repository == 'zonghaoyuan/infiplot' && env.HAS_CLA_BOT_TOKEN != 'true' }} + run: | + echo "CLA_BOT_TOKEN is required for CLA enforcement on ${{ github.repository }}." >&2 + echo "Configure it under Settings → Secrets and variables → Actions." >&2 + exit 1 - name: "CLA Assistant" - # SKIPPED when no secrets are configured. Keep the whole predicate - # inside a single ${{ }} so && / || are evaluated as a boolean - # expression, not string-concatenated. + # SKIPPED when no secrets are configured (e.g. on forks). Keep the + # whole predicate inside a single ${{ }} so && / || are evaluated as a + # boolean expression, not string-concatenated. if: ${{ env.HAS_CLA_BOT_TOKEN == 'true' && ((github.event_name == 'issue_comment' && (github.event.comment.body == 'recheckcla' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA')) || github.event_name == 'pull_request_target') }} - uses: contributor-assistant/cla-assistant-action@v2.6.1 + # Pinned to a full commit SHA (not a movable tag) because this step + # runs under pull_request_target with a writable PAT. Canonical repo: + # contributor-assistant/github-action (the action's original home; note + # `contributor-assistant/cla-assistant-action` does NOT exist and would + # 404). The repo is archived, but v2.6.1 still functions; re-evaluate + # only if it breaks against a future GitHub API change. 
+ uses: contributor-assistant/github-action@ca4a40a7d1004f18d9960b404b97e5f30a505a08 # v2.6.1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} PERSONAL_ACCESS_TOKEN: ${{ secrets.CLA_BOT_TOKEN }}
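Review bot: the `# v2.6.1` trailer on the pinned `uses:` line is only a comment, so nothing in the workflow proves that `ca4a40a7d1004f18d9960b404b97e5f30a505a08` is the commit the v2.6.1 tag points at; record in the PR how it was verified (for example by resolving the tag with `git ls-remote --tags` against contributor-assistant/github-action) so the next person touching this line can repeat the check rather than trust the comment. Two follow-ups on the same hunk: the inline note already says the upstream repo is archived, which means this pin will never receive a security fix, so the comment should also name the replacement plan (or the condition under which the action gets swapped out), not only "re-evaluate only if it breaks". Second, the new guard step keys only on `github.repository` and `env.HAS_CLA_BOT_TOKEN`, so it runs for every event the job is triggered on; if the job-level trigger admits `issue_comment` events that are not CLA commands, an ordinary comment on the canonical repo will fail the job while the token is missing, which is noisier than the "CLA Assistant" step's own event filter. If that is intended (a loud failure on any trigger), say so in the step comment; otherwise reuse the same `github.event_name == 'pull_request_target' || (github.event_name == 'issue_comment' && ...)` predicate in the guard's `if:` so both steps agree on when the token matters.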