
Commit d57a125

authored
Merge pull request #3017 from blacklanternsecurity/dev
Merge dev into stable: CLA workflow update
2 parents 593fe04 + fde791c commit d57a125

3 files changed

Lines changed: 46 additions & 17 deletions


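--- a/.github/workflows/cla.yml
+++ b/.github/workflows/cla.yml
@@ -6,8 +6,6 @@ on:
 types: [opened, closed, synchronize]
 
 permissions:
-actions: write
-contents: write
 pull-requests: write
 statuses: write
 
@@ -23,36 +21,67 @@ jobs:
 private-key: ${{ secrets.APP_PRIVATE_KEY }}
 owner: blacklanternsecurity
 
-- name: Check org membership
-id: membership
+- name: Check all committers against org and allowlist
+id: cla-check
 env:
 GH_TOKEN: ${{ steps.app-token.outputs.token }}
 run: |
 if [ "${{ github.event_name }}" = "pull_request_target" ]; then
-AUTHOR="${{ github.event.pull_request.user.login }}"
+PR_NUM="${{ github.event.pull_request.number }}"
 else
 PR_NUM="${{ github.event.issue.number }}"
-AUTHOR=$(gh api "repos/${{ github.repository }}/pulls/$PR_NUM" --jq '.user.login' 2>/dev/null)
-fi
-if [ -n "$AUTHOR" ] && gh api "orgs/blacklanternsecurity/members/$AUTHOR" > /dev/null 2>&1; then
-echo "is_member=true" >> "$GITHUB_OUTPUT"
-else
-echo "is_member=false" >> "$GITHUB_OUTPUT"
 fi
 
-- name: Skip CLA for org members
-if: steps.membership.outputs.is_member == 'true' && github.event_name == 'pull_request_target'
+COMMITTERS=$(gh api "repos/${{ github.repository }}/pulls/$PR_NUM/commits" --paginate --jq '.[].author.login' | sort -u)
+ALL_EXEMPT=true
+
+for LOGIN in $COMMITTERS; do
+# treat commits with no associated GitHub login as non-exempt
+if [ -z "$LOGIN" ] || [ "$LOGIN" = "null" ]; then
+echo "Unknown committer (no GitHub login) — not exempt"
+ALL_EXEMPT=false
+break
+fi
+
+EXEMPT=false
+
+# check if account type is Bot (GitHub App accounts)
+AUTHOR_TYPE=$(gh api "users/${LOGIN}" --jq '.type' 2>/dev/null || echo "Unknown")
+if [ "$AUTHOR_TYPE" = "Bot" ]; then
+echo "$LOGIN is a Bot account — exempt"
+EXEMPT=true
+fi
+
+# check org membership
+if [ "$EXEMPT" = "false" ]; then
+if gh api "orgs/blacklanternsecurity/members/$LOGIN" > /dev/null 2>&1; then
+echo "$LOGIN is an org member — exempt"
+EXEMPT=true
+fi
+fi
+
+if [ "$EXEMPT" = "false" ]; then
+echo "$LOGIN is not exempt — CLA required"
+ALL_EXEMPT=false
+break
+fi
+done
+
+echo "all_exempt=$ALL_EXEMPT" >> "$GITHUB_OUTPUT"
+
+- name: Skip CLA when all committers are exempt
+if: steps.cla-check.outputs.all_exempt == 'true' && github.event_name == 'pull_request_target'
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: |
 gh api --method POST "repos/${{ github.repository }}/statuses/${{ github.event.pull_request.head.sha }}" \
 -f state=success \
 -f context="CLAAssistant" \
--f description="CLA check skipped — author is an org member"
+-f description="CLA check skipped — all committers are org members or bots"
 
 - name: "CLA Assistant"
 if: |
-(steps.membership.outputs.is_member != 'true') &&
+(steps.cla-check.outputs.all_exempt != 'true') &&
 ((github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target')
 uses: contributor-assistant/github-action@v2.6.1
 env: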
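Review bot: The committer loop in the second hunk fails open: if the `gh api ".../pulls/$PR_NUM/commits"` call errors (rate limit, token scope, transient outage), `COMMITTERS` is empty because the assignment's exit status is that of `sort -u`, the `for` body never runs, `all_exempt=true` is written, and the next step posts a success status so the CLA check is skipped for a PR whose committers were never inspected (no `shell: bash` is set on the step, so pipefail is off unless a job-level default supplies it). A guard right after the assignment closes this, `if [ -z "$COMMITTERS" ]; then echo "Could not list committers — CLA required"; ALL_EXEMPT=false; fi`, or `set -o pipefail` at the top of the script. Separately, the Bot exemption keys on `.author.login`, which as far as I know GitHub resolves from the commit's author email rather than from the pushing account, so the `# check if account type is Bot` comment should state that this exemption presumes email attribution is trustworthy, or the loop should additionally require `.commit.verification.verified` for bot-attributed commits before treating them as exempt. The `jobs:` block and the CLA Assistant step both continue outside the hunk.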

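--- a/docs/modules/nuclei.md
+++ b/docs/modules/nuclei.md
@@ -52,7 +52,7 @@ The Nuclei module has many configuration options:
 | modules.nuclei.silent | bool | Don't display nuclei's banner or status messages | False |
 | modules.nuclei.tags | str | execute a subset of templates that contain the provided tags | |
 | modules.nuclei.templates | str | template or template directory paths to include in the scan | |
-| modules.nuclei.version | str | nuclei version | 3.7.0 |
+| modules.nuclei.version | str | nuclei version | 3.7.1 |
 <!-- END BBOT MODULE OPTIONS NUCLEI -->
 
 Most of these you probably will **NOT** want to change. In particular, we advise against changing the version of Nuclei, as it's possible the latest version won't work right with BBOT.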

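--- a/docs/scanning/configuration.md
+++ b/docs/scanning/configuration.md
@@ -454,7 +454,7 @@ In addition to the stated options for each module, the following universal optio
 | modules.nuclei.silent | bool | Don't display nuclei's banner or status messages | False |
 | modules.nuclei.tags | str | execute a subset of templates that contain the provided tags | |
 | modules.nuclei.templates | str | template or template directory paths to include in the scan | |
-| modules.nuclei.version | str | nuclei version | 3.7.0 |
+| modules.nuclei.version | str | nuclei version | 3.7.1 |
 | modules.oauth.try_all | bool | Check for OAUTH/IODC on every subdomain and URL. | False |
 | modules.paramminer_cookies.recycle_words | bool | Attempt to use words found during the scan on all other endpoints | False |
 | modules.paramminer_cookies.skip_boring_words | bool | Remove commonly uninteresting words from the wordlist | True |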
