Addresses pr-agent review on PR #93 (the two CLA-specific items). The
other 9 suggestions targeted code carried in by the sync (middleware,
gender-x) and are out of scope here.
- uses: contributor-assistant/cla-assistant-action@v2.6.1 (404 — wrong name)
+ uses: contributor-assistant/github-action@ca4a40a7... (canonical, pinned)
The action's real home is contributor-assistant/github-action; the
'cla-assistant-action' path we had resolves to 404 and may itself be
why the bot never fired on PR #92. Pin to the full SHA of v2.6.1 so a
movable tag can't slip a malicious update under pull_request_target +
a writable PAT. The repo is archived but v2.6.1 still functions.
- Add a guard step that FAILS the job on the canonical repo
(zonghaoyuan/infiplot) when CLA_BOT_TOKEN is missing. Previously a
missing token silently skipped the job and it 'succeeded' — dangerous
once this becomes a required status check (a lost/expired token would
let CLA enforcement degrade invisibly). Forks still skip cleanly.
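A check for the pinning rule described in the commit message above, as an added example (not code from this repository or from the action's project): it flags `uses:` references that are not a full 40-character commit SHA and rates them higher when the workflow triggers on `pull_request_target`. The sample workflow, the placeholder SHA and the `example-org/pinned-action` name are constructed for illustration.

```python
import re

# Constructed sample workflow, not the project's cla.yml. The 40-hex ref is a
# placeholder and example-org/pinned-action is a hypothetical action name.
SAMPLE_WORKFLOW = """\
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  cla:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: contributor-assistant/github-action@v2.6.1
      - uses: example-org/pinned-action@0123456789abcdef0123456789abcdef01234567  # v1.0.0
      - uses: ./.github/actions/local
"""

USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^\s'"#]+)""")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")


def is_pinned(ref):
    """True when the reference cannot be repointed by the action's owner."""
    if ref.startswith("./"):            # local action, versioned with this repo
        return True
    if ref.startswith("docker://"):     # images are immutable only by digest
        return "@sha256:" in ref
    _, _, version = ref.partition("@")
    # Tags, branches and abbreviated SHAs all fail this check.
    return FULL_SHA_RE.fullmatch(version) is not None


def unpinned_actions(workflow_text):
    """Return (line_number, ref, severity) for every movable `uses:` reference."""
    lines = workflow_text.splitlines()
    # pull_request_target runs with the base repository's secrets, so a
    # repointed tag would execute next to a writable token: rate it higher.
    privileged = any("pull_request_target" in l.split("#", 1)[0] for l in lines)
    severity = "high" if privileged else "medium"
    findings = []
    for number, line in enumerate(lines, 1):
        match = USES_RE.match(line)
        if match and not is_pinned(match.group(1)):
            findings.append((number, match.group(1), severity))
    return findings


if __name__ == "__main__":
    for number, ref, severity in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {number}: {ref} is not pinned to a full commit SHA [{severity}]")
```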
Address the valid points from pr-agent on PR #89, skip the inaccurate
ones (e.g. the $contributorName placeholder it suggested does not exist
in cla-assistant-action; create-file-commit-message fires before any
signer exists).
- cla.yml: move 'token configured?' check into job env and put the whole
step-level if inside a single ${{ }} so && / || are evaluated as a
boolean (step-level if cannot safely reference secrets.* directly)
- cla.yml: declare minimal explicit permissions (contents/pull-requests/
issues/statuses) — this workflow runs on pull_request_target with a token
- cla.yml: drop the overly broad '*bot' allowlist wildcard; keep explicit
bot + maintainer accounts only
- cla.yml: clean up the stray trailing '@' in create-file-commit-message
(used once, at signature-store creation, before any signer exists)
- README{,.en,.ja}: clarify that the CLA is signed via a PR comment, not
before opening the PR — matches the actual CONTRIBUTING flow
Introduce a Contributor License Agreement (CLA) so external contributions
can be licensed under AGPL-3.0 and any other terms (incl. closed-source),
keeping the AGPL-3.0 codebase usable in closed-source projects.
- CLA.md: authoritative English CLA (ICLA + employer authorization, v1.0)
- CLA.zh.md: non-binding Chinese reference translation
- CONTRIBUTING.md: bilingual contributing guide, points to CLA
- .github/workflows/cla.yml: self-hosted cla-assistant-action that records
signatures into cla-signatures/version-1.json; exempts maintainers & bots
via allowlist; skips when CLA_BOT_TOKEN is unset
- .github/PULL_REQUEST_TEMPLATE.md: guides contributors to sign
- README.{md,en.md,ja.md}: add License & contributing footer
- app/terms: note CLA requirement in the IP section
Enforcement requires repo-level setup (PAT secret + branch protection)
documented in cla.yml; not covered by this commit.
Collaborators' hand-written PR titles and descriptions were being
overwritten by the automatic /describe run. Disable auto_describe on the
Claude job and set generate_ai_title = false so human-authored metadata
is preserved. Manual /describe via PR comment still works.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- split per-model banners so two model jobs no longer overwrite each other
- raise reviewer findings cap to 8, broaden /improve to readability/cleanup
- enable dual-publishing for high-score suggestions (inline annotations)
- switch Claude model from opus-4-7 to opus-4-6 (fallback sonnet-4-6)
- raise reasoning_effort to high, response_language to zh-CN
- drop two dead config keys silently ignored by upstream schema
- add best_practices.md with 6 project-specific invariants for /improve
Restrict PR Agent workflow to trusted collaborators on PR comments only,
fix UTF-8 byte counting in gallery-pack, correct portrait-to-landscape
fallback orientation, track inserted freeform beats in visitedBeatIds,
allow clearing stored TTS key, and guard empty-string fuzzy match in
style selector.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add multi-platform Docker image build (amd64 + arm64) with GitHub Actions
CI that pushes to GHCR on every merge to main. Users can self-host with
a single `docker compose up -d` command.
- Dockerfile: multi-stage build with Next.js standalone output (~150-200MB)
- docker-compose.yml: one-command self-hosted deployment
- .github/workflows/docker.yml: CI workflow with QEMU cross-compilation
- next.config.ts: conditional `output: "standalone"` via BUILD_STANDALONE env
- README (zh/en/ja): restructure deploy section to include Docker option
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>