chore(repo): address pr-agent review on CLA workflow
Address the valid points from pr-agent on PR #89, skip the inaccurate ones (e.g. the $contributorName placeholder it suggested does not exist in cla-assistant-action; create-file-commit-message fires before any signer exists).

- cla.yml: move 'token configured?' check into job env and put the whole step-level if inside a single ${{ }} so && / || are evaluated as a boolean (step-level if cannot safely reference secrets.* directly)
- cla.yml: declare minimal explicit permissions (contents/pull-requests/issues/statuses) — this workflow runs on pull_request_target with a token
- cla.yml: drop the overly broad '*bot' allowlist wildcard; keep explicit bot + maintainer accounts only
- cla.yml: clean up the stray trailing '@' in create-file-commit-message (used once, at signature-store creation, before any signer exists)
- README{,.en,.ja}: clarify that the CLA is signed via a PR comment, not before opening the PR — matches the actual CONTRIBUTING flow
+22
-11
@@ -16,20 +16,31 @@ on:
|
||||
pull_request_target:
|
||||
types: [opened, closed, synchronize]
|
||||
|
||||
# Minimal explicit permissions: this workflow runs on pull_request_target and
|
||||
# issues a token, so do not rely on repo defaults. `statuses: write` is what the
|
||||
# branch-protection required check (cla/cla-assistant.yml) reports against.
|
||||
permissions:
|
||||
contents: read
|
||||
pull-requests: read
|
||||
issues: write
|
||||
statuses: write
|
||||
|
||||
jobs:
|
||||
CLAAssistant:
|
||||
runs-on: ubuntu-latest
|
||||
# Resolve "is the token configured?" once at job level. Step-level `if`
|
||||
# cannot safely reference `secrets.*` (it may be empty or elided), so we
|
||||
# materialize it into an env boolean string and test that instead. This is
|
||||
# also what lets forks/renames of this repo skip the job cleanly when no
|
||||
# CLA_BOT_TOKEN is set, instead of failing CI.
|
||||
env:
|
||||
HAS_CLA_BOT_TOKEN: ${{ secrets.CLA_BOT_TOKEN != '' }}
|
||||
steps:
|
||||
- name: "CLA Assistant"
|
||||
# SKIPPED when no secrets are configured, so forks/renames of this
|
||||
# repo don't fail CI out of the box.
|
||||
if: >
|
||||
${{ secrets.CLA_BOT_TOKEN != '' }} &&
|
||||
(
|
||||
(github.event.comment.body == 'recheckcla' ||
|
||||
github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') ||
|
||||
github.event_name == 'pull_request_target'
|
||||
)
|
||||
# SKIPPED when no secrets are configured. Keep the whole predicate
|
||||
# inside a single ${{ }} so && / || are evaluated as a boolean
|
||||
# expression, not string-concatenated.
|
||||
if: ${{ env.HAS_CLA_BOT_TOKEN == 'true' && ((github.event_name == 'issue_comment' && (github.event.comment.body == 'recheckcla' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA')) || github.event_name == 'pull_request_target') }}
|
||||
uses: contributor-assistant/cla-assistant-action@v2.6.1
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
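Review bot: The new `permissions:` block sets `contents: read` and `pull-requests: read`, but its comment only justifies `statuses: write` and says nothing about `issues: write`. These scopes cap the token passed in the step's `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}`, so that token can no longer commit a signature file or write through the pull-requests scope. Please confirm that the signature write and the PR comment are covered by `CLA_BOT_TOKEN` or by `issues: write`, and record that in the comment next to each scope. Separately, `uses: contributor-assistant/cla-assistant-action@v2.6.1` is pinned to a tag; for a `pull_request_target` job that holds write scopes, pinning to the full commit SHA would be the safer choice.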
@@ -42,10 +53,10 @@ jobs:
|
||||
# Link to the authoritative English CLA. Chinese reference:
|
||||
# https://github.com/zonghaoyuan/infiplot/blob/staging/CLA.zh.md
|
||||
path-to-cla-document: "https://github.com/zonghaoyuan/infiplot/blob/staging/CLA.md"
|
||||
allowlist: "github-actions[bot],dependabot[bot],zonghaoyuan,*bot,web-flow"
|
||||
allowlist: "github-actions[bot],dependabot[bot],zonghaoyuan,web-flow"
|
||||
block-sharing-crucial-repositories: true
|
||||
|
||||
create-file-commit-message: "docs(cla): record signature for @"
|
||||
create-file-commit-message: "docs(cla): create CLA signature store"
|
||||
custom-notsigned-prcomment: >
|
||||
感谢你的 PR!在合并之前,请先签署我们的《贡献者许可协议》(CLA)。阅读
|
||||
[CLA.md](https://github.com/zonghaoyuan/infiplot/blob/staging/CLA.md)
|
||||
|
||||
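Review bot: The `allowlist` line has no comment explaining that entries are now exact account names, and with `*bot` removed any bot other than `github-actions[bot]` and `dependabot[bot]` will be asked to sign the CLA. Suggest a one-line comment above `allowlist:` stating that new bots must be added by exact name, and noting why `web-flow` stays on the list, so the next maintainer does not reintroduce a wildcard to unblock a bot PR.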