6ee74a0680
Address the valid points from pr-agent on PR #89, skip the inaccurate ones (e.g. the $contributorName placeholder it suggested does not exist in cla-assistant-action; create-file-commit-message fires before any signer exists).

- cla.yml: move 'token configured?' check into job env and put the whole step-level if inside a single ${{ }} so && / || are evaluated as a boolean (step-level if cannot safely reference secrets.* directly)
- cla.yml: declare minimal explicit permissions (contents/pull-requests/issues/statuses) — this workflow runs on pull_request_target with a token
- cla.yml: drop the overly broad '*bot' allowlist wildcard; keep explicit bot + maintainer accounts only
- cla.yml: clean up the stray trailing '@' in create-file-commit-message (used once, at signature-store creation, before any signer exists)
- README{,.en,.ja}: clarify that the CLA is signed via a PR comment, not before opening the PR — matches the actual CONTRIBUTING flow
75 lines
3.6 KiB
YAML
name: "CLA Assistant"

# Requires the following GitHub repository secret to be configured:
# CLA_BOT_TOKEN — a fine-grained Personal Access Token with
# `Contents: Read and write` (and `Pull requests: Read`) scope on this
# repository. The GITHUB_TOKEN cannot commit to a protected branch, so a PAT
# is needed to record signatures into cla-signatures/version-1.json.
#
# To actually enforce the CLA, add `cla/cla-assistant.yml:CLAAssistant` (the
# status check produced by this job) as a required status check in the branch
# protection rules for `main` and `staging`.

on:
  issue_comment:
    types: [created]
  pull_request_target:
    types: [opened, closed, synchronize]

# Minimal explicit permissions: this workflow runs on pull_request_target and
# issues a token, so do not rely on repo defaults. `statuses: write` is what the
# branch-protection required check (cla/cla-assistant.yml) reports against.
permissions:
  contents: read
  pull-requests: read
  issues: write
  statuses: write

jobs:
  CLAAssistant:
    runs-on: ubuntu-latest
    # Resolve "is the token configured?" once at job level. Step-level `if`
    # cannot safely reference `secrets.*` (it may be empty or elided), so we
    # materialize it into an env boolean string and test that instead. This is
    # also what lets forks/renames of this repo skip the job cleanly when no
    # CLA_BOT_TOKEN is set, instead of failing CI.
    env:
      HAS_CLA_BOT_TOKEN: ${{ secrets.CLA_BOT_TOKEN != '' }}
    steps:
      - name: "CLA Assistant"
        # SKIPPED when no secrets are configured. Keep the whole predicate
        # inside a single ${{ }} so && / || are evaluated as a boolean
        # expression, not string-concatenated.
        if: ${{ env.HAS_CLA_BOT_TOKEN == 'true' && ((github.event_name == 'issue_comment' && (github.event.comment.body == 'recheckcla' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA')) || github.event_name == 'pull_request_target') }}
        uses: contributor-assistant/cla-assistant-action@v2.6.1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PERSONAL_ACCESS_TOKEN: ${{ secrets.CLA_BOT_TOKEN }}
        with:
          # Signatures are stored in-repo (self-hosted mode); version-N lets us
          # roll the CLA text forward by bumping the path and re-collecting.
          path-to-signatures: "cla-signatures/version-1.json"
          branch: "main"
          # Link to the authoritative English CLA. Chinese reference:
          # https://github.com/zonghaoyuan/infiplot/blob/staging/CLA.zh.md
          path-to-cla-document: "https://github.com/zonghaoyuan/infiplot/blob/staging/CLA.md"
          allowlist: "github-actions[bot],dependabot[bot],zonghaoyuan,web-flow"
          block-sharing-crucial-repositories: true

          create-file-commit-message: "docs(cla): create CLA signature store"
          custom-notsigned-prcomment: >
            感谢你的 PR!在合并之前,请先签署我们的《贡献者许可协议》(CLA)。阅读
            [CLA.md](https://github.com/zonghaoyuan/infiplot/blob/staging/CLA.md)
            ([中文参考译文](https://github.com/zonghaoyuan/infiplot/blob/staging/CLA.zh.md))后,
            在本 PR 中回复以下内容即视为签署:


            ```
            I have read the CLA Document and I hereby sign the CLA
            ```


            你只需签署一次,之后对 InfiPlot 的所有贡献都受同一协议约束。
          custom-pr-sign-comment: "The pull request signer accepted the CLA."
          custom-allsigned-prcomment: "🎉 All contributors have signed the CLA."
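A small line-based linter for the three workflow issues the commit message lists: no explicit `permissions` under `pull_request_target`, a wildcard `allowlist` entry, and `&&` / `||` left outside `${{ }}`. This is an added example, not code from this repository or from cla-assistant-action; the function name, the finding codes and the `BEFORE` sample are constructed for illustration.

```python
import re
EXPR = re.compile(r"\$\{\{.*?\}\}")  # one ${{ ... }} expression span
TRIGGER = re.compile(r"\s*(-\s*|on\s*:.*)?pull_request_target\b")

def lint_workflow(text):
    """Return sorted finding codes (hypothetical names) for one workflow."""
    # Drop comment lines so a comment that mentions a keyword is not a hit.
    lines = [l for l in text.splitlines() if not l.lstrip().startswith("#")]
    findings = set()
    # 1. pull_request_target trigger but no permissions block at any level.
    if any(TRIGGER.match(l) for l in lines) and not any(
            re.match(r"\s*permissions\s*:", l) for l in lines):
        findings.add("no-explicit-permissions")
    for l in lines:
        # 2. Wildcard entry in the action's allowlist input.
        m = re.match(r"\s*allowlist\s*:\s*(.*)", l)
        if m and any("*" in e for e in m.group(1).strip("\"' ").split(",")):
            findings.add("wildcard-allowlist")
        # 3. && / || outside ${{ }}: pieces concatenate to a truthy string.
        m = re.match(r"\s*(?:-\s*)?if\s*:\s*(.*)", l)
        if m and "${{" in m.group(1) and re.search(
                r"&&|\|\|", EXPR.sub("", m.group(1))):
            findings.add("split-if-expression")
    return sorted(findings)

# Constructed "before" sample showing the three patterns (not from the repo).
BEFORE = """\
on:
  pull_request_target:
jobs:
  cla:
    steps:
      - if: ${{ github.event_name == 'issue_comment' }} || ${{ github.event_name == 'pull_request_target' }}
        with:
          allowlist: "dependabot[bot],*bot"
"""
# Trimmed from the workflow on this page (if-condition shortened).
AFTER = """\
on:
  pull_request_target:
permissions: {contents: read, statuses: write}
jobs:
  CLAAssistant:
    steps:
      - if: ${{ env.HAS_CLA_BOT_TOKEN == 'true' && github.event_name == 'pull_request_target' }}
        with:
          allowlist: "github-actions[bot],dependabot[bot],zonghaoyuan,web-flow"
"""
if __name__ == "__main__":
    print(lint_workflow(BEFORE), lint_workflow(AFTER))
```

The checks work on raw text rather than parsed YAML, so they run without third-party packages and are not affected by YAML 1.1 loaders reading the `on` key as a boolean.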