chore(repo): address pr-agent review on CLA workflow

Address the valid points from pr-agent on PR #89, skip the inaccurate
ones (e.g. the $contributorName placeholder it suggested does not exist
in cla-assistant-action; create-file-commit-message fires before any
signer exists).

- cla.yml: move 'token configured?' check into job env and put the whole
  step-level if inside a single ${{ }} so && / || are evaluated as a
  boolean (step-level if cannot safely reference secrets.* directly)
- cla.yml: declare minimal explicit permissions (contents/pull-requests/
  issues/statuses) — this workflow runs on pull_request_target with a token
- cla.yml: drop the overly broad '*bot' allowlist wildcard; keep explicit
  bot + maintainer accounts only
- cla.yml: clean up the stray trailing '@' in create-file-commit-message
  (used once, at signature-store creation, before any signer exists)
- README{,.en,.ja}: clarify that the CLA is signed via a PR comment, not
  before opening the PR — matches the actual CONTRIBUTING flow
yuanzonghao
2026-06-17 19:49:48 +08:00
parent 2b0b9c6f8d
commit 6ee74a0680
4 changed files with 25 additions and 14 deletions
+22 -11
@@ -16,20 +16,31 @@ on:
pull_request_target:
types: [opened, closed, synchronize]
# Minimal explicit permissions: this workflow runs on pull_request_target and
# issues a token, so do not rely on repo defaults. `statuses: write` is what the
# branch-protection required check (cla/cla-assistant.yml) reports against.
permissions:
contents: read
pull-requests: read
issues: write
statuses: write
jobs:
CLAAssistant:
runs-on: ubuntu-latest
# Resolve "is the token configured?" once at job level. Step-level `if`
# cannot safely reference `secrets.*` (it may be empty or elided), so we
# materialize it into an env boolean string and test that instead. This is
# also what lets forks/renames of this repo skip the job cleanly when no
# CLA_BOT_TOKEN is set, instead of failing CI.
env:
HAS_CLA_BOT_TOKEN: ${{ secrets.CLA_BOT_TOKEN != '' }}
steps:
- name: "CLA Assistant"
# SKIPPED when no secrets are configured, so forks/renames of this
# repo don't fail CI out of the box.
if: >
${{ secrets.CLA_BOT_TOKEN != '' }} &&
(
(github.event.comment.body == 'recheckcla' ||
github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') ||
github.event_name == 'pull_request_target'
)
# SKIPPED when no secrets are configured. Keep the whole predicate
# inside a single ${{ }} so && / || are evaluated as a boolean
# expression, not string-concatenated.
if: ${{ env.HAS_CLA_BOT_TOKEN == 'true' && ((github.event_name == 'issue_comment' && (github.event.comment.body == 'recheckcla' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA')) || github.event_name == 'pull_request_target') }}
uses: contributor-assistant/cla-assistant-action@v2.6.1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
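Review bot: with `contents: read` in the new `permissions:` block, the `GITHUB_TOKEN` passed on the `GITHUB_TOKEN:` line cannot commit the signature file into this repository, so the job only works if the action is configured to store signatures in a remote repository through `CLA_BOT_TOKEN` as its personal access token (the rest of the step's `env` is outside this hunk); if the signature store lives in this repo, this needs `contents: write` or the first signing run will fail when the action tries to commit the file. Two smaller points: the rationale comment "it may be empty or elided" understates the case, since the `secrets` context is simply not available in `steps.if` at all (only `env`, `github`, `steps` and similar are), which is exactly why materialising it at job level as `HAS_CLA_BOT_TOKEN: ${{ secrets.CLA_BOT_TOKEN != '' }}` and testing `env.HAS_CLA_BOT_TOKEN == 'true'` is the right pattern; and the `github.event_name == 'issue_comment'` branch of the new predicate is only reachable if `on:` also declares `issue_comment:` above the visible `pull_request_target:` trigger, which this hunk does not show, so worth confirming. Because the job runs on `pull_request_target` with `issues: write` and `statuses: write`, it must never check out the PR head; none of the visible steps do, which is correct and should stay that way.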
@@ -42,10 +53,10 @@ jobs:
# Link to the authoritative English CLA. Chinese reference:
# https://github.com/zonghaoyuan/infiplot/blob/staging/CLA.zh.md
path-to-cla-document: "https://github.com/zonghaoyuan/infiplot/blob/staging/CLA.md"
allowlist: "github-actions[bot],dependabot[bot],zonghaoyuan,*bot,web-flow"
allowlist: "github-actions[bot],dependabot[bot],zonghaoyuan,web-flow"
block-sharing-crucial-repositories: true
create-file-commit-message: "docs(cla): record signature for @"
create-file-commit-message: "docs(cla): create CLA signature store"
custom-notsigned-prcomment: >
感谢你的 PR!在合并之前,请先签署我们的《贡献者许可协议》(CLA)。阅读
[CLA.md](https://github.com/zonghaoyuan/infiplot/blob/staging/CLA.md)
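Review bot: `path-to-cla-document` points at the `staging` branch head, so the text a contributor agrees to can change after they sign and the stored signature does not record which version was accepted; point it at a tag or commit SHA (`.../blob/<sha>/CLA.md`) and bump it deliberately when the CLA changes, which also gives a clean answer if a signature is ever disputed. Dropping `*bot` from the `allowlist:` line is the right call, since the action treats `*` as a wildcard and the old entry would have exempted any account whose login merely ends in `bot`, not just GitHub-native bots; with `github-actions[bot]` and `dependabot[bot]` spelled out, a short comment justifying the remaining non-bot entries would help, given that `web-flow` is the identity GitHub stamps on commits made through the web UI rather than a contributor account and `zonghaoyuan` is exempted as maintainer. The new `create-file-commit-message` wording matches how the action uses that option (a single commit when the signature store file is first created), so removing the stray `@` is correct.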