Co-authored commits from Claude Code were failing the CLA check
because the bot email had not signed the CLA. Whitelist it so
AI-assisted PRs pass without requiring --admin merge.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The CLA bot run on PR #99 failed with 'Resource not accessible by
integration' because it tried to commit cla-signatures/version-1.json
to the branch-protection-protected main branch. The CLA Assistant
action cannot push to protected branches (contributor-assistant/
github-action#150); PAT identity is not granted bypass even though
the PAT owner is repo admin.
Fix: store signatures on a dedicated orphan branch 'cla-signatures'
that has no protection rules, so the PAT can commit freely. This is
the workaround recommended by the action maintainers and the dominant
community solution.
Also brings the staging copy of cla.yml up to parity with main (the
guard step + SHA pin from PR #93 had not been back-merged to staging):
- Add the 'fail on missing CLA_BOT_TOKEN' guard step
- Pin action to contributor-assistant/github-action@ca4a40a7... (v2.6.1);
the old 'cla-assistant-action' path 404s and was a second reason the
bot never fired
Address the valid points from pr-agent on PR #89, skip the inaccurate
ones (e.g. the $contributorName placeholder it suggested does not exist
in cla-assistant-action; create-file-commit-message fires before any
signer exists).
- cla.yml: move 'token configured?' check into job env and put the whole
step-level if inside a single ${{ }} so && / || are evaluated as a
boolean (step-level if cannot safely reference secrets.* directly)
- cla.yml: declare minimal explicit permissions (contents/pull-requests/
issues/statuses) — this workflow runs on pull_request_target with a token
- cla.yml: drop the overly broad '*bot' allowlist wildcard; keep explicit
bot + maintainer accounts only
- cla.yml: clean up the stray trailing '@' in create-file-commit-message
(used once, at signature-store creation, before any signer exists)
- README{,.en,.ja}: clarify that the CLA is signed via a PR comment, not
before opening the PR — matches the actual CONTRIBUTING flow
Introduce a Contributor License Agreement (CLA) so external contributions
can be licensed under AGPL-3.0 and any other terms (incl. closed-source),
keeping the AGPL-3.0 codebase usable in closed-source projects.
- CLA.md: authoritative English CLA (ICLA + employer authorization, v1.0)
- CLA.zh.md: non-binding Chinese reference translation
- CONTRIBUTING.md: bilingual contributing guide, points to CLA
- .github/workflows/cla.yml: self-hosted cla-assistant-action that records
signatures into cla-signatures/version-1.json; exempts maintainers & bots
via allowlist; skips when CLA_BOT_TOKEN is unset
- .github/PULL_REQUEST_TEMPLATE.md: guides contributors to sign
- README.{md,en.md,ja.md}: add License & contributing footer
- app/terms: note CLA requirement in the IP section
Enforcement requires repo-level setup (PAT secret + branch protection)
documented in cla.yml; not covered by this commit.