chore(repo): harden CLA workflow — pin SHA, fix action repo, fail on missing token
Addresses pr-agent review on PR #93 (the two CLA-specific items). The other 9 suggestions targeted code carried in by the sync (middleware, gender-x) and are out of scope here.

- uses: contributor-assistant/cla-assistant-action@v2.6.1 (404 — wrong name)
+ uses: contributor-assistant/github-action@ca4a40a7... (canonical, pinned)

The action's real home is contributor-assistant/github-action; the 'cla-assistant-action' path we had resolves to 404 and may itself be why the bot never fired on PR #92. Pin to the full SHA of v2.6.1 so a movable tag can't slip a malicious update under pull_request_target + a writable PAT. The repo is archived but v2.6.1 still functions.

- Add a guard step that FAILS the job on the canonical repo (zonghaoyuan/infiplot) when CLA_BOT_TOKEN is missing. Previously a missing token silently skipped the job and it 'succeeded' — dangerous once this becomes a required status check (a lost/expired token would let CLA enforcement degrade invisibly). Forks still skip cleanly.
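The pinning argument in the commit message (a movable tag under pull_request_target plus a writable PAT) can be turned into a repeatable check. The following is an added example, not code from this repository or from contributor-assistant: a regex-based linter that reports `uses:` references not pinned to a full 40-hex commit SHA, rates them higher when the workflow declares a `pull_request_target` trigger, and flags SHA pins that lack a version comment. The trigger detection is an assumed heuristic (mapping key or one-line list under `on:`, not a full YAML parse), and the two workflow snippets are constructed from the hunk in this commit rather than taken from the project's real file.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a full
commit SHA, and rate them higher when the workflow runs under
pull_request_target (where a movable tag plus a writable token is the risk).
Regex-based so it needs no PyYAML; constructed sample workflows below."""
import re
from typing import Dict, List

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# `uses: owner/repo[/path]@ref` with an optional trailing `# comment`
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)\s*(?:#\s*(.*))?$")
# Heuristic (assumption): trigger present as a mapping key under `on:` or
# inside a one-line `on: [...]` list. Does not parse the full YAML tree.
PRT_TRIGGER = re.compile(
    r"^\s*pull_request_target\s*:|^\s*on:\s*\[[^\]]*\bpull_request_target\b",
    re.MULTILINE,
)


def uses_pull_request_target(workflow_text: str) -> bool:
    """True when the workflow declares a pull_request_target trigger."""
    return PRT_TRIGGER.search(workflow_text) is not None


def check_action_pins(workflow_text: str) -> List[Dict[str, object]]:
    """Return one finding per `uses:` line that is unpinned, or pinned to a
    SHA without the `# vX.Y.Z` comment that keeps the pin maintainable."""
    privileged = uses_pull_request_target(workflow_text)
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_LINE.match(line)
        if not m:
            continue
        spec, comment = m.group(1), (m.group(2) or "").strip()
        if spec.startswith("./") or spec.startswith("docker://"):
            continue  # local or container actions carry no git ref to pin
        action, _, ref = spec.partition("@")
        if FULL_SHA.match(ref):
            if not comment:
                findings.append({"line": lineno, "action": action, "ref": ref,
                                 "problem": "sha-without-version-comment",
                                 "severity": "low"})
            continue
        findings.append({"line": lineno, "action": action, "ref": ref,
                         "problem": "not-pinned-to-sha",
                         "severity": "high" if privileged else "medium"})
    return findings


# Constructed samples modelled on the workflow in this commit (not the
# project's actual file): tag-pinned before, SHA-pinned after.
BEFORE = """\
on:
  pull_request_target:
    types: [opened, synchronize]
  issue_comment:
    types: [created]
jobs:
  cla:
    runs-on: ubuntu-latest
    steps:
      - name: "CLA Assistant"
        uses: contributor-assistant/cla-assistant-action@v2.6.1
"""

AFTER = BEFORE.replace(
    "uses: contributor-assistant/cla-assistant-action@v2.6.1",
    "uses: contributor-assistant/github-action@"
    "ca4a40a7d1004f18d9960b404b97e5f30a505a08 # v2.6.1",
)

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, check_action_pins(text) or "no findings")
```

Run it over `.github/workflows/*.yml` in CI and fail the build on any `high` finding; the `low` finding is a maintenance hint, since the `# v2.6.1` comment is what lets a human (or a dependency bot) see which release a bare SHA corresponds to.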
@@ -36,12 +36,29 @@ jobs:
env:
HAS_CLA_BOT_TOKEN: ${{ secrets.CLA_BOT_TOKEN != '' }}
steps:
# Guard: on the canonical repo, a missing CLA_BOT_TOKEN must FAIL the
# job rather than silently skipping. Otherwise, once this job becomes a
# required status check, a lost/expired token would let CLA checks pass
# green and CLA enforcement would degrade invisibly. Forks (and renamed
# copies) still skip cleanly below.
- name: "Fail when CLA token is missing on canonical repo"
if: ${{ github.repository == 'zonghaoyuan/infiplot' && env.HAS_CLA_BOT_TOKEN != 'true' }}
run: |
echo "CLA_BOT_TOKEN is required for CLA enforcement on ${{ github.repository }}." >&2
echo "Configure it under Settings → Secrets and variables → Actions." >&2
exit 1
- name: "CLA Assistant"
# SKIPPED when no secrets are configured. Keep the whole predicate
# inside a single ${{ }} so && / || are evaluated as a boolean
# expression, not string-concatenated.
# SKIPPED when no secrets are configured (e.g. on forks). Keep the
# whole predicate inside a single ${{ }} so && / || are evaluated as a
# boolean expression, not string-concatenated.
if: ${{ env.HAS_CLA_BOT_TOKEN == 'true' && ((github.event_name == 'issue_comment' && (github.event.comment.body == 'recheckcla' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA')) || github.event_name == 'pull_request_target') }}
uses: contributor-assistant/cla-assistant-action@v2.6.1
# Pinned to a full commit SHA (not a movable tag) because this step
# runs under pull_request_target with a writable PAT. Canonical repo:
# contributor-assistant/github-action (the action's original home; note
# `contributor-assistant/cla-assistant-action` does NOT exist and would
# 404). The repo is archived, but v2.6.1 still functions; re-evaluate
# only if it breaks against a future GitHub API change.
uses: contributor-assistant/github-action@ca4a40a7d1004f18d9960b404b97e5f30a505a08 # v2.6.1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
PERSONAL_ACCESS_TOKEN: ${{ secrets.CLA_BOT_TOKEN }}
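Review bot: the guard step's `if:` ties enforcement to the literal repository name `zonghaoyuan/infiplot`, so a rename or transfer of the canonical repo would quietly turn the guard off and the job would fall back to the silent-skip behaviour this change sets out to remove (the comment does note that "renamed copies still skip cleanly", but that is exactly the degrade-invisibly case the guard exists for). Consider keying the check on a repository variable via the `vars` context, or at minimum put the rename caveat next to the hard-coded name so the next maintainer sees it. Separately, the trailing `# v2.6.1` on the new `uses: contributor-assistant/github-action@ca4a40a7d1004f18d9960b404b97e5f30a505a08` line is only a comment that nothing validates; please confirm in the PR that this SHA is the commit the v2.6.1 tag resolves to in contributor-assistant/github-action, since with the upstream repo archived a mismatch will never be corrected by a later release.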