chore(repo): address pr-agent review on CLA workflow

Address the valid points from pr-agent on PR #89, skip the inaccurate
ones (e.g. the $contributorName placeholder it suggested does not exist
in cla-assistant-action; create-file-commit-message fires before any
signer exists).

- cla.yml: move 'token configured?' check into job env and put the whole
  step-level if inside a single ${{ }} so && / || are evaluated as a
  boolean (step-level if cannot safely reference secrets.* directly)
- cla.yml: declare minimal explicit permissions (contents/pull-requests/
  issues/statuses) — this workflow runs on pull_request_target with a token
- cla.yml: drop the overly broad '*bot' allowlist wildcard; keep explicit
  bot + maintainer accounts only
- cla.yml: clean up the stray trailing '@' in create-file-commit-message
  (used once, at signature-store creation, before any signer exists)
- README{,.en,.ja}: clarify that the CLA is signed via a PR comment, not
  before opening the PR — matches the actual CONTRIBUTING flow
yuanzonghao
2026-06-17 19:49:48 +08:00
parent 2b0b9c6f8d
commit 6ee74a0680
4 changed files with 25 additions and 14 deletions
+1 -1
@@ -228,4 +228,4 @@ See the [Bring-your-own voice Key guide](docs/xiaomi-tts-key.md) for how to obta
This project is open-sourced under [AGPL-3.0](https://www.gnu.org/licenses/agpl-3.0.html).
Contributions are welcome! External contributors must sign our Contributor License Agreement (CLA) once before a PR can be merged — see [CONTRIBUTING.md](CONTRIBUTING.md) and [CLA.md](CLA.md).
Contributions are welcome! External contributors must sign our Contributor License Agreement (CLA) once before a PR can be merged — see [CONTRIBUTING.md](CONTRIBUTING.md) and [CLA.md](CLA.md). Sign it directly in the PR via a comment after opening it; no separate step needed beforehand.
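Review bot: The sentence appended to the Contributions paragraph tells contributors to sign "via a comment" but does not say what the comment must contain or where that text is given, so someone reading only the README still cannot complete the step. Suggest tying it to the existing link, for example "Sign it by posting the comment described in CONTRIBUTING.md on your PR after opening it", or quoting the exact phrase if it is short. The wording "once before a PR can be merged" followed by "no separate step needed beforehand" is also easy to misread; saying "no separate step is needed before opening the PR" would make clear which "before" is meant.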