Commit Graph

3 Commits

Author SHA1 Message Date
yuanzonghao 366b84e2fb chore(repo): harden CLA workflow — pin SHA, fix action repo, fail on missing token
Addresses pr-agent review on PR #93 (the two CLA-specific items). The
other 9 suggestions targeted code carried in by the sync (middleware,
gender-x) and are out of scope here.

- uses: contributor-assistant/cla-assistant-action@v2.6.1  (404 — wrong name)
+ uses: contributor-assistant/github-action@ca4a40a7...       (canonical, pinned)
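Review bot: the pinned ref is shown truncated (`ca4a40a7...`), and GitHub only treats a `uses:` ref as immutable when it is the full 40-hex commit SHA, so confirm the workflow file carries the complete SHA rather than a prefix. Verify it is the commit that `v2.6.1` resolves to (for an annotated tag `git ls-remote --tags https://github.com/contributor-assistant/github-action v2.6.1` lists both the tag object and the peeled `v2.6.1^{}` commit; pin the peeled commit, not the tag object), and append `# v2.6.1` as a trailing comment on the `uses:` line so the version stays readable next to the opaque SHA.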

  The action's real home is contributor-assistant/github-action; the
  'cla-assistant-action' path we had resolves to 404 and may itself be
  why the bot never fired on PR #92. Pin to the full SHA of v2.6.1 so a
  movable tag can't slip a malicious update under pull_request_target +
  a writable PAT. The repo is archived but v2.6.1 still functions.

- Add a guard step that FAILS the job on the canonical repo
  (zonghaoyuan/infiplot) when CLA_BOT_TOKEN is missing. Previously a
  missing token silently skipped the job and it 'succeeded' — dangerous
  once this becomes a required status check (a lost/expired token would
  let CLA enforcement degrade invisibly). Forks still skip cleanly.
2026-06-18 21:59:19 +08:00
yuanzonghao 6ee74a0680 chore(repo): address pr-agent review on CLA workflow
Address the valid points from pr-agent on PR #89, skip the inaccurate
ones (e.g. the $contributorName placeholder it suggested does not exist
in cla-assistant-action; create-file-commit-message fires before any
signer exists).

- cla.yml: move 'token configured?' check into job env and put the whole
  step-level if inside a single ${{ }} so && / || are evaluated as a
  boolean (step-level if cannot safely reference secrets.* directly)
- cla.yml: declare minimal explicit permissions (contents/pull-requests/
  issues/statuses) — this workflow runs on pull_request_target with a token
- cla.yml: drop the overly broad '*bot' allowlist wildcard; keep explicit
  bot + maintainer accounts only
- cla.yml: clean up the stray trailing '@' in create-file-commit-message
  (used once, at signature-store creation, before any signer exists)
- README{,.en,.ja}: clarify that the CLA is signed via a PR comment, not
  before opening the PR — matches the actual CONTRIBUTING flow
2026-06-17 19:49:48 +08:00
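The two commit messages above describe a set of hardening changes to `.github/workflows/cla.yml` (pin the action to a commit SHA, declare minimal permissions, resolve the "token configured?" check once in job env because a step-level `if` cannot read `secrets.*`, fail hard on the canonical repo when the token is missing, skip on forks, drop the `*bot` wildcard). The workflow below is an added illustration of how those points fit together in one file; it is not the project's own `cla.yml` and is not taken from the commits. Assumptions are marked in comments: the commit SHA is a placeholder (the real full 40-hex SHA that `v2.6.1` resolves to must be substituted, and it is deliberately not filled in here), the `path-to-document` URL, `branch`, the `dependabot[bot]` allowlist entry and the `create-file-commit-message` text are illustrative, and the input names follow the upstream `contributor-assistant/github-action` README.

```yaml
# Added example workflow (not the project's cla.yml). See lead-in for assumptions.
name: CLA Assistant

on:
  issue_comment:
    types: [created]
  pull_request_target:
    types: [opened, closed, synchronize]

# Explicit least-privilege scopes for the built-in GITHUB_TOKEN; without this
# block the token would inherit the repository default, which may be broader.
permissions:
  contents: write        # commit signatures into cla-signatures/version-1.json
  pull-requests: write   # comment on the PR
  issues: write          # signature comments arrive as issue comments
  statuses: write        # set the CLA commit status

jobs:
  cla:
    runs-on: ubuntu-latest
    env:
      # secrets.* is not available in a step-level `if`, so evaluate the check
      # once here (job-level env may read secrets) and test env.* in the steps.
      HAS_CLA_TOKEN: ${{ secrets.CLA_BOT_TOKEN != '' }}
    steps:
      # Guard: on the canonical repo a missing token is a hard failure, so a
      # required status check cannot "succeed" by silently skipping. Forks have
      # no secret, do not match the repository name, and skip cleanly.
      - name: Fail when CLA_BOT_TOKEN is missing on the canonical repo
        if: ${{ github.repository == 'zonghaoyuan/infiplot' && env.HAS_CLA_TOKEN != 'true' }}
        run: |
          echo "::error::CLA_BOT_TOKEN is not configured; refusing to skip CLA enforcement"
          exit 1

      # No actions/checkout of the PR head: under pull_request_target the job
      # runs with base-repo permissions and a PAT, so PR code must never be
      # checked out or executed here.
      - name: CLA Assistant
        # One ${{ }} around the whole expression so && and || are evaluated
        # as a boolean rather than being concatenated as strings.
        if: ${{ env.HAS_CLA_TOKEN == 'true' && (github.event_name == 'pull_request_target' || (github.event_name == 'issue_comment' && (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA'))) }}
        # Pinned to a full commit SHA, not a movable tag, so a retagged release
        # cannot slip new code under pull_request_target + a writable PAT.
        # PLACEHOLDER (assumption): replace with the real 40-hex commit SHA
        # that tag v2.6.1 resolves to; the trailing comment records the version.
        uses: contributor-assistant/github-action@<FULL_40_HEX_SHA_OF_v2.6.1> # v2.6.1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PERSONAL_ACCESS_TOKEN: ${{ secrets.CLA_BOT_TOKEN }}
        with:
          path-to-signatures: cla-signatures/version-1.json
          # Assumed location of the CLA document and signature branch.
          path-to-document: https://github.com/zonghaoyuan/infiplot/blob/main/CLA.md
          branch: main
          # Explicit accounts only; no '*bot' wildcard. Entries are assumed.
          allowlist: zonghaoyuan,dependabot[bot]
          # Used once, when the signature store file is first created.
          create-file-commit-message: 'chore(cla): create CLA signature store'
```

Two checks are worth running before this becomes a required status check. First, confirm the pinned SHA really belongs to the tag by peeling it with `git ls-remote --tags https://github.com/contributor-assistant/github-action v2.6.1` and comparing the `v2.6.1^{}` commit, since an annotated tag's own object SHA is not the commit you want. Second, temporarily remove the `CLA_BOT_TOKEN` secret on a test repository and open a PR: the guard step must turn the job red rather than letting it skip to green, which is the failure mode the first commit message describes.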
yuanzonghao 2b0b9c6f8d feat(repo): add CLA mechanism for external contributors
Introduce a Contributor License Agreement (CLA) so external contributions
can be licensed under AGPL-3.0 and any other terms (incl. closed-source),
keeping the AGPL-3.0 codebase usable in closed-source projects.

- CLA.md: authoritative English CLA (ICLA + employer authorization, v1.0)
- CLA.zh.md: non-binding Chinese reference translation
- CONTRIBUTING.md: bilingual contributing guide, points to CLA
- .github/workflows/cla.yml: self-hosted cla-assistant-action that records
  signatures into cla-signatures/version-1.json; exempts maintainers & bots
  via allowlist; skips when CLA_BOT_TOKEN is unset
- .github/PULL_REQUEST_TEMPLATE.md: guides contributors to sign
- README.{md,en.md,ja.md}: add License & contributing footer
- app/terms: note CLA requirement in the IP section

Enforcement requires repo-level setup (PAT secret + branch protection)
documented in cla.yml; not covered by this commit.
2026-06-17 12:23:46 +08:00