From 6ee74a06806f76eb018805069379c36033d7f195 Mon Sep 17 00:00:00 2001
From: yuanzonghao
Date: Wed, 17 Jun 2026 19:49:48 +0800
Subject: [PATCH] chore(repo): address pr-agent review on CLA workflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Address the valid points from pr-agent on PR #89, skip the inaccurate ones (e.g. the $contributorName placeholder it suggested does not exist in cla-assistant-action; create-file-commit-message fires before any signer exists).
- cla.yml: move 'token configured?' check into job env and put the whole step-level if inside a single ${{ }} so && / || are evaluated as a boolean (step-level if cannot safely reference secrets.* directly)
- cla.yml: declare minimal explicit permissions (contents/pull-requests/ issues/statuses) — this workflow runs on pull_request_target with a token
- cla.yml: drop the overly broad '*bot' allowlist wildcard; keep explicit bot + maintainer accounts only
- cla.yml: clean up the stray trailing '@' in create-file-commit-message (used once, at signature-store creation, before any signer exists)
- README{,.en,.ja}: clarify that the CLA is signed via a PR comment, not before opening the PR — matches the actual CONTRIBUTING flow
---
 .github/workflows/cla.yml | 33 ++++++++++++++++++++++-----------
 README.en.md | 2 +-
 README.ja.md | 2 +-
 README.md | 2 +-
 4 files changed, 25 insertions(+), 14 deletions(-)
diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml
index b5cba3e..c212ae8 100644
--- a/.github/workflows/cla.yml
+++ b/.github/workflows/cla.yml
@@ -16,20 +16,31 @@ on: pull_request_target: types: [opened, closed, synchronize] +# Minimal explicit permissions: this workflow runs on pull_request_target and +# issues a token, so do not rely on repo defaults. `statuses: write` is what the +# branch-protection required check (cla/cla-assistant.yml) reports against. +permissions: + contents: read + pull-requests: read + issues: write + statuses: write + jobs: CLAAssistant: runs-on: ubuntu-latest + # Resolve "is the token configured?" once at job level. Step-level `if` + # cannot safely reference `secrets.*` (it may be empty or elided), so we + # materialize it into an env boolean string and test that instead. This is + # also what lets forks/renames of this repo skip the job cleanly when no + # CLA_BOT_TOKEN is set, instead of failing CI. + env: + HAS_CLA_BOT_TOKEN: ${{ secrets.CLA_BOT_TOKEN != '' }} steps: - name: "CLA Assistant" - # SKIPPED when no secrets are configured, so forks/renames of this - # repo don't fail CI out of the box. - if: > - ${{ secrets.CLA_BOT_TOKEN != '' }} && - ( - (github.event.comment.body == 'recheckcla' || - github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || - github.event_name == 'pull_request_target' - ) + # SKIPPED when no secrets are configured. Keep the whole predicate + # inside a single ${{ }} so && / || are evaluated as a boolean + # expression, not string-concatenated. + if: ${{ env.HAS_CLA_BOT_TOKEN == 'true' && ((github.event_name == 'issue_comment' && (github.event.comment.body == 'recheckcla' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA')) || github.event_name == 'pull_request_target') }} uses: contributor-assistant/cla-assistant-action@v2.6.1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
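Review bot: The step `uses: contributor-assistant/cla-assistant-action@v2.6.1` runs under `pull_request_target` with a write-scoped `GITHUB_TOKEN` in its env, yet it is referenced by a mutable tag. Pin it to the full commit SHA of the release that was reviewed, e.g. `uses: contributor-assistant/cla-assistant-action@<FULL_COMMIT_SHA_PLACEHOLDER> # v2.6.1`. Also confirm the owner/repo is the upstream one, since the CLA action I know of is published as `contributor-assistant/github-action`. The new `permissions:` block sets every unlisted scope to none: `actions` is absent and `pull-requests` is `read`, whereas, as far as I recall, the upstream README lists `actions: write` and `pull-requests: write`. Check that the re-run after a signing comment and the PR locking still work, or say in the comment that they are intentionally disabled. The `if` tests `github.event_name == 'issue_comment'`, but the `on:` block starts above this hunk, so I cannot see whether that trigger is declared.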
@@ -42,10 +53,10 @@ jobs: # Link to the authoritative English CLA. Chinese reference: # https://github.com/zonghaoyuan/infiplot/blob/staging/CLA.zh.md path-to-cla-document: "https://github.com/zonghaoyuan/infiplot/blob/staging/CLA.md" - allowlist: "github-actions[bot],dependabot[bot],zonghaoyuan,*bot,web-flow" + allowlist: "github-actions[bot],dependabot[bot],zonghaoyuan,web-flow" block-sharing-crucial-repositories: true - create-file-commit-message: "docs(cla): record signature for @" + create-file-commit-message: "docs(cla): create CLA signature store" custom-notsigned-prcomment: > 感谢你的 PR!在合并之前,请先签署我们的《贡献者许可协议》(CLA)。阅读 [CLA.md](https://github.com/zonghaoyuan/infiplot/blob/staging/CLA.md) diff --git a/README.en.md b/README.en.md index 10de7c0..a4a78f6 100644 --- a/README.en.md +++ b/README.en.md @@ -228,4 +228,4 @@ See the [Bring-your-own voice Key guide](docs/xiaomi-tts-key.md) for how to obta This project is open-sourced under [AGPL-3.0](https://www.gnu.org/licenses/agpl-3.0.html). -Contributions are welcome! External contributors must sign our Contributor License Agreement (CLA) once before a PR can be merged — see [CONTRIBUTING.md](CONTRIBUTING.md) and [CLA.md](CLA.md). +Contributions are welcome! External contributors must sign our Contributor License Agreement (CLA) once before a PR can be merged — see [CONTRIBUTING.md](CONTRIBUTING.md) and [CLA.md](CLA.md). Sign it directly in the PR via a comment after opening it; no separate step needed beforehand. diff --git a/README.ja.md b/README.ja.md index 7d69a88..eba8fbe 100644 --- a/README.ja.md +++ b/README.ja.md 
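Review bot: The `allowlist` line has no comment saying why each login is exempt or that entries must be exact, so the `*bot` wildcard removed here could easily be reintroduced. That wildcard matched any account whose login ends in `bot`, which let such an account skip the CLA check. Add a line above it such as `# Exact logins only, no wildcards: a pattern like '*bot' exempts any account that picks a matching name.` It is also worth confirming that `web-flow` still needs to be listed, because every allowlisted login bypasses the signature requirement entirely. The `with:` block begins above this hunk and continues below it.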
@@ -227,4 +227,4 @@ Xiaomi は TTS モデルに RPM/TPM 制限を設けています。公開デプ 本プロジェクトは [AGPL-3.0](https://www.gnu.org/licenses/agpl-3.0.html) で公開されています。 -コントリビューションを歓迎します!外部コントリビュータは、PR をマージする前に一度だけ《貢献者ライセンス契約》(CLA)に署名する必要があります —— [CONTRIBUTING.md](CONTRIBUTING.md) および [CLA.md](CLA.md) を参照してください。 +コントリビューションを歓迎します!外部コントリビュータは、PR をマージする前に一度だけ《貢献者ライセンス契約》(CLA)に署名する必要があります —— [CONTRIBUTING.md](CONTRIBUTING.md) および [CLA.md](CLA.md) を参照してください。PR を開いた後、PR のコメントで署名できます。 diff --git a/README.md b/README.md index bb40108..79aaaea 100644 --- a/README.md +++ b/README.md @@ -239,4 +239,4 @@ InfiPlot 会与四类模型供应商通信。**文本(Text)和视觉(Visio 本项目基于 [AGPL-3.0](https://www.gnu.org/licenses/agpl-3.0.html) 协议开源。 -欢迎贡献!外部贡献者在提交 PR 前,需要先签署一次我们的《贡献者许可协议》(CLA)——详见 [CONTRIBUTING.md](CONTRIBUTING.md) 与 [CLA.md](CLA.md)([中文参考译文](CLA.zh.md))。 +欢迎贡献!外部贡献者在 PR 合并前,需要签署一次我们的《贡献者许可协议》(CLA)——详见 [CONTRIBUTING.md](CONTRIBUTING.md) 与 [CLA.md](CLA.md)([中文参考译文](CLA.zh.md))。