chore(repo): address pr-agent review on CLA workflow

Address the valid points from pr-agent on PR #89, skip the inaccurate
ones (e.g. the $contributorName placeholder it suggested does not exist
in cla-assistant-action; create-file-commit-message fires before any
signer exists).

- cla.yml: move 'token configured?' check into job env and put the whole
  step-level if inside a single ${{ }} so && / || are evaluated as a
  boolean (step-level if cannot safely reference secrets.* directly)
- cla.yml: declare minimal explicit permissions (contents/pull-requests/
  issues/statuses) — this workflow runs on pull_request_target with a token
- cla.yml: drop the overly broad '*bot' allowlist wildcard; keep explicit
  bot + maintainer accounts only
- cla.yml: clean up the stray trailing '@' in create-file-commit-message
  (used once, at signature-store creation, before any signer exists)
- README{,.en,.ja}: clarify that the CLA is signed via a PR comment, not
  before opening the PR — matches the actual CONTRIBUTING flow
yuanzonghao
2026-06-17 19:49:48 +08:00
parent 2b0b9c6f8d
commit 6ee74a0680
4 changed files with 25 additions and 14 deletions
+22 -11
@@ -16,20 +16,31 @@ on:
pull_request_target:
types: [opened, closed, synchronize]
# Minimal explicit permissions: this workflow runs on pull_request_target and
# issues a token, so do not rely on repo defaults. `statuses: write` is what the
# branch-protection required check (cla/cla-assistant.yml) reports against.
permissions:
contents: read
pull-requests: read
issues: write
statuses: write
jobs:
CLAAssistant:
runs-on: ubuntu-latest
# Resolve "is the token configured?" once at job level. Step-level `if`
# cannot safely reference `secrets.*` (it may be empty or elided), so we
# materialize it into an env boolean string and test that instead. This is
# also what lets forks/renames of this repo skip the job cleanly when no
# CLA_BOT_TOKEN is set, instead of failing CI.
env:
HAS_CLA_BOT_TOKEN: ${{ secrets.CLA_BOT_TOKEN != '' }}
steps:
- name: "CLA Assistant"
# SKIPPED when no secrets are configured, so forks/renames of this
# repo don't fail CI out of the box.
if: >
${{ secrets.CLA_BOT_TOKEN != '' }} &&
(
(github.event.comment.body == 'recheckcla' ||
github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') ||
github.event_name == 'pull_request_target'
)
# SKIPPED when no secrets are configured. Keep the whole predicate
# inside a single ${{ }} so && / || are evaluated as a boolean
# expression, not string-concatenated.
if: ${{ env.HAS_CLA_BOT_TOKEN == 'true' && ((github.event_name == 'issue_comment' && (github.event.comment.body == 'recheckcla' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA')) || github.event_name == 'pull_request_target') }}
uses: contributor-assistant/cla-assistant-action@v2.6.1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
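Review bot: the `uses: contributor-assistant/cla-assistant-action@v2.6.1` line near the end of this hunk pins a third-party action by tag in a workflow that runs on `pull_request_target` with `issues: write` and `statuses: write` and is gated on the `CLA_BOT_TOKEN` secret; a tag can be moved after review, so pin to the full commit SHA and keep the version in a trailing comment. Separately, the job-level comment says forks can "skip the job cleanly", but the condition sits on the step, so the job still starts and only the step is skipped; reword the comment to say that.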
@@ -42,10 +53,10 @@ jobs:
# Link to the authoritative English CLA. Chinese reference:
# https://github.com/zonghaoyuan/infiplot/blob/staging/CLA.zh.md
path-to-cla-document: "https://github.com/zonghaoyuan/infiplot/blob/staging/CLA.md"
allowlist: "github-actions[bot],dependabot[bot],zonghaoyuan,*bot,web-flow"
allowlist: "github-actions[bot],dependabot[bot],zonghaoyuan,web-flow"
block-sharing-crucial-repositories: true
create-file-commit-message: "docs(cla): record signature for @"
create-file-commit-message: "docs(cla): create CLA signature store"
custom-notsigned-prcomment: >
感谢你的 PR!在合并之前,请先签署我们的《贡献者许可协议》(CLA)。阅读
[CLA.md](https://github.com/zonghaoyuan/infiplot/blob/staging/CLA.md)
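Review bot: the second `allowlist` line carries no comment recording why `*bot` was dropped, so nothing stops it from being re-added later. Because that pattern would exempt any login ending in "bot" from the CLA check, put a one-line comment above `allowlist` saying that entries must be exact account names and that `zonghaoyuan` is listed as maintainer.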
+1 -1
@@ -228,4 +228,4 @@ See the [Bring-your-own voice Key guide](docs/xiaomi-tts-key.md) for how to obta
This project is open-sourced under [AGPL-3.0](https://www.gnu.org/licenses/agpl-3.0.html).
Contributions are welcome! External contributors must sign our Contributor License Agreement (CLA) once before a PR can be merged — see [CONTRIBUTING.md](CONTRIBUTING.md) and [CLA.md](CLA.md).
Contributions are welcome! External contributors must sign our Contributor License Agreement (CLA) once before a PR can be merged — see [CONTRIBUTING.md](CONTRIBUTING.md) and [CLA.md](CLA.md). Sign it directly in the PR via a comment after opening it; no separate step needed beforehand.
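Review bot: the sentence appended to the contributions paragraph says to sign "via a comment" but not what the comment must contain, while the workflow's `if` only matches the exact body `I have read the CLA Document and I hereby sign the CLA` (or `recheckcla`). Quote the phrase here or link to the place where it is documented, so a contributor does not post a free-form comment and wait on a check that never runs.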
+1 -1
@@ -227,4 +227,4 @@ Xiaomi は TTS モデルに RPM/TPM 制限を設けています。公開デプ
本プロジェクトは [AGPL-3.0](https://www.gnu.org/licenses/agpl-3.0.html) で公開されています。
コントリビューションを歓迎します!外部コントリビュータは、PR をマージする前に一度だけ《貢献者ライセンス契約》(CLA)に署名する必要があります —— [CONTRIBUTING.md](CONTRIBUTING.md) および [CLA.md](CLA.md) を参照してください。
コントリビューションを歓迎します!外部コントリビュータは、PR をマージする前に一度だけ《貢献者ライセンス契約》(CLA)に署名する必要があります —— [CONTRIBUTING.md](CONTRIBUTING.md) および [CLA.md](CLA.md) を参照してください。PR を開いた後、PR のコメントで署名できます。
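Review bot: the added Japanese sentence stops at "after opening the PR, you can sign in a PR comment" and leaves out the "no separate step needed beforehand" clause that the English README gains in this same commit. Add the equivalent clause so the translated READMEs describe the same flow.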
+1 -1
@@ -239,4 +239,4 @@ InfiPlot 会与四类模型供应商通信。**文本(Text)和视觉(Visio
本项目基于 [AGPL-3.0](https://www.gnu.org/licenses/agpl-3.0.html) 协议开源。
欢迎贡献!外部贡献者在提交 PR 前,需要签署一次我们的《贡献者许可协议》(CLA)——详见 [CONTRIBUTING.md](CONTRIBUTING.md) 与 [CLA.md](CLA.md)[中文参考译文](CLA.zh.md))。
欢迎贡献!外部贡献者在 PR 合并前,需要签署一次我们的《贡献者许可协议》(CLA)——详见 [CONTRIBUTING.md](CONTRIBUTING.md) 与 [CLA.md](CLA.md)[中文参考译文](CLA.zh.md))。
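Review bot: this line only changes "before submitting a PR" to "before a PR is merged" and does not gain the sign-via-PR-comment sentence added to the English and Japanese READMEs, although the commit message lists all three files under the same clarification; add the matching sentence. The closing `)` after the `CLA.zh.md` link also has no opening parenthesis on the line as shown, so check the bracket pairing while editing it.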