366b84e2fb
Addresses pr-agent review on PR #93 (the two CLA-specific items). The other 9 suggestions targeted code carried in by the sync (middleware, gender-x) and are out of scope here.

- uses: contributor-assistant/cla-assistant-action@v2.6.1 (404 — wrong name)
+ uses: contributor-assistant/github-action@ca4a40a7... (canonical, pinned)

The action's real home is contributor-assistant/github-action; the 'cla-assistant-action' path we had resolves to 404 and may itself be why the bot never fired on PR #92. Pin to the full SHA of v2.6.1 so a movable tag can't slip a malicious update under pull_request_target + a writable PAT. The repo is archived but v2.6.1 still functions.

- Add a guard step that FAILS the job on the canonical repo (zonghaoyuan/infiplot) when CLA_BOT_TOKEN is missing. Previously a missing token silently skipped the job and it 'succeeded' — dangerous once this becomes a required status check (a lost/expired token would let CLA enforcement degrade invisibly). Forks still skip cleanly.
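
The pinning rule described in the commit message can be checked mechanically. The following is an added example, not code from this commit or repository: a Python check that lists `uses:` references not pinned to a full 40-character commit SHA and rates them higher when the workflow runs on `pull_request_target`. The function names, the sample workflow and the SHA inside it are constructed for illustration.

```python
import re

# `uses:` value of a workflow step, with or without the leading list dash.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow; the 40-hex value is a placeholder, not a real commit.
SAMPLE = """\
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  cla:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: contributor-assistant/github-action@v2.6.1
      - uses: contributor-assistant/github-action@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local
"""

def has_privileged_trigger(workflow_text):
    """True if pull_request_target appears outside a comment."""
    return any(re.search(r"\bpull_request_target\b", line.split("#", 1)[0])
               for line in workflow_text.splitlines())

def unpinned_actions(workflow_text):
    """Return (line_no, reference) for each `uses:` not pinned to a full SHA."""
    findings = []
    for no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        # Local actions and container images are outside this check.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _, sep, version = ref.rpartition("@")
        if not sep or not FULL_SHA_RE.match(version):
            findings.append((no, ref))
    return findings

def audit(workflow_text):
    """A movable ref is rated higher when the job runs on pull_request_target."""
    severity = "high" if has_privileged_trigger(workflow_text) else "medium"
    return [(no, ref, severity) for no, ref in unpinned_actions(workflow_text)]

if __name__ == "__main__":
    for no, ref, sev in audit(SAMPLE):
        print(f"line {no}: {ref} is not pinned to a full commit SHA [{sev}]")
```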