366b84e2fb
Addresses pr-agent review on PR #93 (the two CLA-specific items). The other 9 suggestions targeted code carried in by the sync (middleware, gender-x) and are out of scope here.

- uses: contributor-assistant/cla-assistant-action@v2.6.1 (404 — wrong name)
+ uses: contributor-assistant/github-action@ca4a40a7... (canonical, pinned)

The action's real home is contributor-assistant/github-action; the 'cla-assistant-action' path we had resolves to 404 and may itself be why the bot never fired on PR #92. Pin to the full SHA of v2.6.1 so a movable tag can't slip a malicious update under pull_request_target + a writable PAT. The repo is archived but v2.6.1 still functions.

- Add a guard step that FAILS the job on the canonical repo (zonghaoyuan/infiplot) when CLA_BOT_TOKEN is missing. Previously a missing token silently skipped the job and it 'succeeded' — dangerous once this becomes a required status check (a lost/expired token would let CLA enforcement degrade invisibly). Forks still skip cleanly.
92 lines
4.8 KiB
YAML
name: "CLA Assistant"

# Requires the following GitHub repository secret to be configured:
# CLA_BOT_TOKEN — a fine-grained Personal Access Token with
# `Contents: Read and write` (and `Pull requests: Read`) scope on this
# repository. The GITHUB_TOKEN cannot commit to a protected branch, so a PAT
# is needed to record signatures into cla-signatures/version-1.json.
#
# To actually enforce the CLA, add `cla/cla-assistant.yml:CLAAssistant` (the
# status check produced by this job) as a required status check in the branch
# protection rules for `main` and `staging`.

on:
  issue_comment:
    types: [created]
  pull_request_target:
    types: [opened, closed, synchronize]

# Minimal explicit permissions: this workflow runs on pull_request_target and
# issues a token, so do not rely on repo defaults. `statuses: write` is what the
# branch-protection required check (cla/cla-assistant.yml) reports against.
permissions:
  contents: read
  pull-requests: read
  issues: write
  statuses: write

jobs:
  CLAAssistant:
    runs-on: ubuntu-latest
    # Resolve "is the token configured?" once at job level. Step-level `if`
    # cannot safely reference `secrets.*` (it may be empty or elided), so we
    # materialize it into an env boolean string and test that instead. This is
    # also what lets forks/renames of this repo skip the job cleanly when no
    # CLA_BOT_TOKEN is set, instead of failing CI.
    env:
      HAS_CLA_BOT_TOKEN: ${{ secrets.CLA_BOT_TOKEN != '' }}
    steps:
      # Guard: on the canonical repo, a missing CLA_BOT_TOKEN must FAIL the
      # job rather than silently skipping. Otherwise, once this job becomes a
      # required status check, a lost/expired token would let CLA checks pass
      # green and CLA enforcement would degrade invisibly. Forks (and renamed
      # copies) still skip cleanly below.
      - name: "Fail when CLA token is missing on canonical repo"
        if: ${{ github.repository == 'zonghaoyuan/infiplot' && env.HAS_CLA_BOT_TOKEN != 'true' }}
        run: |
          echo "CLA_BOT_TOKEN is required for CLA enforcement on ${{ github.repository }}." >&2
          echo "Configure it under Settings → Secrets and variables → Actions." >&2
          exit 1
      - name: "CLA Assistant"
        # SKIPPED when no secrets are configured (e.g. on forks). Keep the
        # whole predicate inside a single ${{ }} so && / || are evaluated as a
        # boolean expression, not string-concatenated.
        if: ${{ env.HAS_CLA_BOT_TOKEN == 'true' && ((github.event_name == 'issue_comment' && (github.event.comment.body == 'recheckcla' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA')) || github.event_name == 'pull_request_target') }}
        # Pinned to a full commit SHA (not a movable tag) because this step
        # runs under pull_request_target with a writable PAT. Canonical repo:
        # contributor-assistant/github-action (the action's original home; note
        # `contributor-assistant/cla-assistant-action` does NOT exist and would
        # 404). The repo is archived, but v2.6.1 still functions; re-evaluate
        # only if it breaks against a future GitHub API change.
        uses: contributor-assistant/github-action@ca4a40a7d1004f18d9960b404b97e5f30a505a08 # v2.6.1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PERSONAL_ACCESS_TOKEN: ${{ secrets.CLA_BOT_TOKEN }}
        with:
          # Signatures are stored in-repo (self-hosted mode); version-N lets us
          # roll the CLA text forward by bumping the path and re-collecting.
          path-to-signatures: "cla-signatures/version-1.json"
          branch: "main"
          # Link to the authoritative English CLA. Chinese reference:
          # https://github.com/zonghaoyuan/infiplot/blob/staging/CLA.zh.md
          path-to-cla-document: "https://github.com/zonghaoyuan/infiplot/blob/staging/CLA.md"
          allowlist: "github-actions[bot],dependabot[bot],zonghaoyuan,web-flow"
          block-sharing-crucial-repositories: true

          create-file-commit-message: "docs(cla): create CLA signature store"
          custom-notsigned-prcomment: >
            感谢你的 PR!在合并之前,请先签署我们的《贡献者许可协议》(CLA)。阅读
            [CLA.md](https://github.com/zonghaoyuan/infiplot/blob/staging/CLA.md)
            ([中文参考译文](https://github.com/zonghaoyuan/infiplot/blob/staging/CLA.zh.md))后,
            在本 PR 中回复以下内容即视为签署:


            ```
            I have read the CLA Document and I hereby sign the CLA
            ```


            你只需签署一次,之后对 InfiPlot 的所有贡献都受同一协议约束。
          custom-pr-sign-comment: "The pull request signer accepted the CLA."
          custom-allsigned-prcomment: "🎉 All contributors have signed the CLA."
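As an added check (not part of this commit or the InfiPlot repository), a small Python audit that applies the pinning rule the workflow comments describe: every `uses:` reference in a workflow triggered by `pull_request_target` should point at a full 40-hex commit SHA rather than a movable tag. The workflow excerpt and the `audit_action_pins` helper name are constructed for this example.

```python
import re

# Step-level `uses: owner/repo[/subdir]@ref` or a job-level reusable-workflow
# reference. Local actions (`./path`) and `docker://` images carry no @ref in
# this form and are deliberately not matched.
USES_RE = re.compile(
    r'^\s*(?:-\s*)?uses:\s*["\']?'
    r'([A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:/[^@\s"\']+)?)@([^\s"\']+)'
)
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')
PRT_RE = re.compile(r'^\s*pull_request_target\s*:', re.M)


def audit_action_pins(workflow_text):
    """Flag every `uses:` reference that is not pinned to a full commit SHA.

    Returns (runs_on_pull_request_target, findings). Each finding records the
    line number, action path, ref and a severity: "high" when the workflow is
    triggered by pull_request_target (fork-controlled PR + repo secrets),
    otherwise "medium".
    """
    prt = bool(PRT_RE.search(workflow_text))
    severity = "high" if prt else "medium"
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1), m.group(2)
        if FULL_SHA_RE.match(ref):
            continue  # immutable reference; moving a tag cannot retarget it
        findings.append({"line": lineno, "action": action,
                         "ref": ref, "severity": severity})
    return prt, findings


# Constructed excerpt (not the repository's real file) mixing the unpinned
# reference this commit replaced with the SHA-pinned one it introduced.
SAMPLE_WORKFLOW = """\
on:
  pull_request_target:
    types: [opened, closed, synchronize]
jobs:
  CLAAssistant:
    steps:
      - uses: actions/checkout@v4
      - uses: contributor-assistant/cla-assistant-action@v2.6.1
      - uses: contributor-assistant/github-action@ca4a40a7d1004f18d9960b404b97e5f30a505a08 # v2.6.1
"""

if __name__ == "__main__":
    for issue in audit_action_pins(SAMPLE_WORKFLOW)[1]:
        print(f"line {issue['line']}: {issue['action']}@{issue['ref']} "
              f"is not SHA-pinned ({issue['severity']})")
```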