📝 Walkthrough: Adds a Contribution License Agreement (CLA) document, a GitHub Actions workflow to verify signature status on PRs and issue comments, and updates CONTRIBUTING.md to require signing the CLA.
Sequence diagram:

```mermaid
sequenceDiagram
    participant Contributor as "Contributor"
    participant GitHub as "GitHub (Events)"
    participant Runner as "Actions Runner\n(ubuntu-latest)"
    participant Action as "contributor-assistant\nGitHub Action"
    participant Repo as "Repository\n(CLA.md, cla-signatures.json)"
    Contributor->>GitHub: submit PR / comment ("recheck" or "I have read the CLA...")
    GitHub->>Runner: trigger workflow (pull_request_target or issue_comment)
    Runner->>Action: invoke contributor-assistant with inputs & GITHUB_TOKEN
    Action->>Repo: read `CLA.md` and signatures file
    Action->>Repo: post status / comment on PR (signed/unsigned)
    Repo-->>Contributor: update PR status / comment
```
Estimated code review effort: 🎯 2 (Simple) | ⏱️ ~10 minutes
Codecov Report: ✅ All modified and coverable lines are covered by tests.

Coverage diff:

| | master | #2830 | +/- |
|---|---|---|---|
| Coverage | 82.63% | 82.61% | -0.01% |
| Files | 74 | 74 | |
| Lines | 8126 | 8154 | +28 |
| Hits | 6714 | 6736 | +22 |
| Misses | 893 | 897 | +4 |
| Partials | 519 | 521 | +2 |
Actionable comments posted: 5
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/cla.yml:
- Around line 9-13: The workflow currently grants overly broad permissions by
setting "actions: write"; remove the "actions: write" entry (or change it to
"actions: read" only if needed) within the permissions block so the workflow
token has least privilege; ensure the remaining keys ("contents",
"pull-requests", "statuses") retain their intended values and verify no code in
this workflow requires action-level write access before committing the change.
- Around line 26-28: The workflow's CLA configuration has a branch mismatch: the
path-to-document URL points to refs/heads/master but the branch key is set to
'main', which can break signature persistence; update the branch value under the
CLA workflow (the branch: entry in .github/workflows/cla.yml) to match the
repository's default branch used in the URL (change 'main' to 'master') so both
path-to-document and branch are consistent.
- Line 20: The workflow condition currently allows issue comments to trigger the
job whenever comment body matches; update the if expression to ensure
issue_comment events are from pull requests by requiring github.event_name ==
'issue_comment' && github.event.issue.pull_request != null (or truthy) before
evaluating github.event.comment.body, e.g. change the left side to
(github.event_name == 'issue_comment' && github.event.issue.pull_request != null
&& (github.event.comment.body == 'recheck' || github.event.comment.body == 'I
have read the CLA Document and I hereby sign the CLA')) || github.event_name ==
'pull_request_target' so only PR comments trigger the job while preserving
pull_request_target behavior.
- Line 21: Replace the mutable tag reference in the workflow line "uses:
contributor-assistant/github-action@v2.6.1" with the action pinned to the exact
commit SHA (e.g., "uses: contributor-assistant/github-action@<commit-sha>");
resolve the tag v2.6.1 to its corresponding commit SHA (using the provided
script or GitHub API) and update the .github/workflows/cla.yml entry so the
workflow uses the immutable commit SHA instead of the version tag.
In `@CLA.md`:
- Line 3: The opening clause contains a grammatical error: change the phrase
"You provides Contributions" to "You provide Contributions" in the sentence that
reads 'the individual set forth in the signature block (“You”) ... and sets
forth the terms pursuant to which You provides Contributions to the Company.'
Update that exact wording so the subject-verb agreement is correct while
preserving the surrounding legal phrasing (keep "the individual set forth in the
signature block (“You”)" and "sets forth the terms pursuant to which" intact).
📒 Files selected for processing (3)
- .github/workflows/cla.yml
- CLA.md
- CONTRIBUTING.md
| permissions: | ||
| actions: write | ||
| contents: write # this can be 'read' if the signatures are in remote repository | ||
| pull-requests: write | ||
| statuses: write |
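Review bot: `contents: write` in a workflow triggered by `pull_request_target` means a token that can push to this repository is live while a fork's pull request is being processed; that is only safe as long as no step checks out or runs the PR head, so keep the job to the single contributor-assistant step, or store the signatures in a remote repository so `contents` can drop to `read` as the inline comment already notes.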
Reduce workflow token permissions to least privilege.
actions: write is broader than needed for this job and should be removed unless there is a demonstrated requirement.
🔐 Suggested patch
```diff
 permissions:
-  actions: write
   contents: write # this can be 'read' if the signatures are in remote repository
   pull-requests: write
   statuses: write
```
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: "CLA Assistant" | ||
| if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target' |
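Review bot: the `if` is attached to the step rather than the job, so every `issue_comment` event still allocates a runner and starts the job before the step is skipped; putting the same condition on the job's own `if` skips the job entirely, which also reduces the number of privileged runs for non-matching comments.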
Gate issue_comment execution to pull requests only.
At Line 20, the condition can run on regular issue comments if body matches. Add a PR check to avoid unnecessary privileged runs.
🧩 Suggested patch

```diff
-      if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
+      if: >
+        (github.event_name == 'issue_comment' &&
+        github.event.issue.pull_request &&
+        (github.event.comment.body == 'recheck' ||
+        github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA'))
+        || github.event_name == 'pull_request_target'
```
| @@ -0,0 +1,31 @@ | |||
| **INVERSOFT, LLC CONTRIBUTION LICENSE AGREEMENT** | |||
|
|
|||
| This Contribution License Agreement (the “**CLA**”) is between the individual set forth in the signature block (“**You**”) and Inversoft, LLC., dba FusionAuth and Permify (the “**Company**”), effective as of the date of Your signature and sets forth the terms pursuant to which You provides Contributions to the Company. | |||
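Review bot: `Inversoft, LLC., dba FusionAuth and Permify` has a period after `LLC` immediately followed by a comma; write `Inversoft, LLC, dba` (or drop the comma) so the entity name is consistent, and in the same sentence `You provides Contributions` should read `You provide Contributions`.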
Fix grammatical error in the opening clause.
At Line 3, You provides Contributions should be You provide Contributions to avoid ambiguity in legal wording.
✏️ Suggested patch

```diff
-This Contribution License Agreement (the “**CLA**”) is between the individual set forth in the signature block (“**You**”) and Inversoft, LLC., dba FusionAuth and Permify (the “**Company**”), effective as of the date of Your signature and sets forth the terms pursuant to which You provides Contributions to the Company.
+This Contribution License Agreement (the “**CLA**”) is between the individual set forth in the signature block (“**You**”) and Inversoft, LLC., dba FusionAuth and Permify (the “**Company**”), effective as of the date of Your signature and sets forth the terms pursuant to which You provide Contributions to the Company.
```
| 1. You are legally entitled to grant the above license, and if Your employer(s) has rights to intellectual property that You create that includes Your Contributions, then You represent and warrant that You have received permission to make Contributions on behalf of that employer, that Your employer has waived such rights for Your Contributions to the Company, or that Your employer has executed a separate CLA with the Company; | ||
|
|
||
| 2. Each of Your Contributions is Your original creation (see section 6 for submissions on behalf of others); and | ||
|
|
Are you referring to the indentations on this?
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/cla.yml:
- Line 29: Update the allowlist entry so it no longer contains the placeholder
"user1" and explicitly exempts Dependabot; locate the allowlist key (allowlist:
user1,bot*) and replace the value to remove the placeholder and include
Dependabot (e.g. use dependabot[bot] or a broader dependabot* pattern) and
optionally retain other bot patterns as needed so Dependabot PRs are exempt from
CLA checks.
| path-to-document: 'https://raw.githubusercontent.com/Permify/permify/refs/heads/master/CLA.md' # e.g. a CLA or a DCO document | ||
| # branch should not be protected | ||
| branch: 'master' | ||
| allowlist: user1,bot* No newline at end of file |
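Review bot: `branch: 'master'` together with `# branch should not be protected` means the workflow token commits `cla-signatures.json` to the default branch, which forces `master` to stay unprotected; a dedicated signatures branch or a remote signatures repository (which also lets `contents` drop to `read`) keeps branch protection on the default branch. The file also lacks a trailing newline (`No newline at end of file`).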
🧩 Analysis chain (repository: Permify/permify)

🏁 Script executed:
```bash
#!/bin/bash
# Verify that contributor-assistant/github-action supports the glob pattern syntax for allowlist
# Check the action's README or documentation for allowlist format
gh api repos/contributor-assistant/github-action/contents/README.md --jq '.content' | base64 -d | grep -A 20 -i "allowlist"
```

🏁 Script executed:
```bash
cat .github/workflows/cla.yml
```

🏁 Script executed:
```bash
ls -la .github/ | grep -E "(dependabot|cla)"
```

🏁 Script executed:
```bash
cat -n .github/dependabot.yml 2>/dev/null || echo "dependabot.yml not found"
```

🏁 Script executed:
```bash
# Search for any documentation or comments about CLA action in the repository
rg "contributor-assistant" --type yml -A 5 -B 5
```

🏁 Script executed:
```bash
# Search for any comments or documentation in the repository about the CLA action
rg "contributor-assistant" -A 10 -B 5 --type yaml
```

🏁 Script executed:
```bash
# Look for any issue discussions or documentation files mentioning CLA or allowlist
find . -type f \( -name "*.md" -o -name "*.txt" \) | head -20 | xargs rg -l "allowlist|CLA|contributor-assistant" 2>/dev/null || echo "No matches found"
```
🌐 Web query: contributor-assistant/github-action allowlist pattern syntax documentation

💡 Result:
The contributor-assistant/github-action (CLA Assistant Lite) uses an allowlist input to specify GitHub users or bots exempt from signing the CLA. The syntax is a comma-separated string of usernames or patterns. Examples from official documentation:
- Specific users and bots: `user1,user2,dependabot[bot],greenkeeper[bot]`
- Wildcard for all bots: `bot*`

Usage in workflow YAML:

```yaml
uses: contributor-assistant/github-action@v2.6.1
with:
  allowlist: user1,bot*
```

This skips CLA checks for matching users/bots. Default is empty string (no exemptions). Wildcards like `*` match username suffixes/prefixes, e.g., `bot*` for any username starting with "bot".

Citations:
- 1: https://github.com/contributor-assistant/github-action/blob/master/action.yml
- 2: https://github.com/contributor-assistant/github-action/tree/v2.0.0-alpha
- 3: https://github.com/contributor-assistant/github-action
- 4: https://github.com/marketplace/actions/cla-assistant-lite
- 5: https://raw.githubusercontent.com/contributor-assistant/github-action/v2.6.1/action.yml
Fix allowlist pattern to exempt Dependabot from CLA checks.

The current allowlist `user1,bot*` has two issues:
- Placeholder value: `user1` appears to be example text that should be removed or replaced with actual GitHub usernames.
- Dependabot won't be exempted: The pattern `bot*` matches usernames starting with "bot", but Dependabot's account is `dependabot[bot]`, which starts with "dependabot" and won't match. This will cause CLA checks to fail on automated dependency update PRs.

Since Dependabot is actively configured across multiple ecosystems in dependabot.yml, it should be explicitly exempted.

Suggested fix

```diff
-          allowlist: user1,bot*
+          allowlist: dependabot[bot],bot*
```

Or to cover more bot patterns:

```diff
-          allowlist: user1,bot*
+          allowlist: dependabot[bot],*[bot]
```
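As an added illustration (not code from this PR or from the contributor-assistant action), the checker below evaluates the three allowlist values discussed above against a constructed set of account names. It assumes the semantics the quoted documentation describes, namely that only `*` is a wildcard and every other character is literal, and it contrasts that with `fnmatch`-style globbing, where `[bot]` would be read as a character class and never match a real bot account.

```python
import re
import fnmatch

# Constructed sample accounts (not from the Permify repository): two GitHub App
# bots, a human whose login happens to start with "bot", and two ordinary users.
CANDIDATES = ["dependabot[bot]", "github-actions[bot]", "bot-deploy", "alice", "user1"]


def glob_to_regex(pattern: str) -> re.Pattern:
    """Translate one allowlist entry into an anchored regex.

    Assumed semantics: '*' matches any run of characters, everything else is
    literal, so the brackets in 'dependabot[bot]' are matched verbatim.
    """
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$")


def parse_allowlist(allowlist: str) -> list[str]:
    """Split the comma-separated allowlist input, dropping empty entries."""
    return [e.strip() for e in allowlist.split(",") if e.strip()]


def is_exempt(username: str, allowlist: str) -> bool:
    """True if any allowlist entry matches the whole username."""
    return any(glob_to_regex(p).match(username) for p in parse_allowlist(allowlist))


def exempt_users(allowlist: str, users=CANDIDATES) -> list[str]:
    """Return the candidate accounts that would skip the CLA check."""
    return [u for u in users if is_exempt(u, allowlist)]


def fnmatch_pitfall(username: str, pattern: str) -> bool:
    """Same test under fnmatch rules, where '[bot]' is a one-character class.

    'dependabot[bot]' then only matches 'dependabotb', 'dependaboto' or
    'dependabott', never the real login, which is why re.escape is used above.
    """
    return fnmatch.fnmatchcase(username, pattern)


if __name__ == "__main__":
    for cfg in ("user1,bot*", "dependabot[bot],bot*", "dependabot[bot],*[bot]"):
        print(f"{cfg!r:26} exempts {exempt_users(cfg)}")
    print("fnmatch matches dependabot[bot]?", fnmatch_pitfall("dependabot[bot]", "dependabot[bot]"))
```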
This adds the CLA as Markdown in the repo and adds a Workflow that can be used for having folks "sign" it. That then adds them to a signature file that can be kept and checked.
See docs here