infiplot-web/.github
yuanzonghao 366b84e2fb chore(repo): harden CLA workflow — pin SHA, fix action repo, fail on missing token
Addresses pr-agent review on PR #93 (the two CLA-specific items). The
other 9 suggestions targeted code carried in by the sync (middleware,
gender-x) and are out of scope here.

- uses: contributor-assistant/cla-assistant-action@v2.6.1  (404 — wrong name)
+ uses: contributor-assistant/github-action@ca4a40a7...       (canonical, pinned)

  The action's real home is contributor-assistant/github-action; the
  'cla-assistant-action' path we had resolves to 404 and may itself be
  why the bot never fired on PR #92. Pin to the full SHA of v2.6.1 so a
  movable tag can't slip a malicious update under pull_request_target +
  a writable PAT. The repo is archived but v2.6.1 still functions.

- Add a guard step that FAILS the job on the canonical repo
  (zonghaoyuan/infiplot) when CLA_BOT_TOKEN is missing. Previously a
  missing token silently skipped the job and it 'succeeded' — dangerous
  once this becomes a required status check (a lost/expired token would
  let CLA enforcement degrade invisibly). Forks still skip cleanly.
2026-06-18 21:59:19 +08:00