59 changes: 44 additions & 15 deletions .github/workflows/cla.yml
@@ -6,8 +6,6 @@ on:
types: [opened, closed, synchronize]

permissions:
actions: write
contents: write
pull-requests: write
statuses: write
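Review bot: dropping `actions: write` and `contents: write` is the right least-privilege direction for a `pull_request_target` workflow, but check that nothing in this job still needs them. `contributor-assistant/github-action` writes the signatures file into the repository when it runs on `GITHUB_TOKEN` without a remote signatures repository, which requires `contents: write`; the CLA Assistant step's `env:` is cut off in this view, so confirm it uses a separate token against a dedicated signatures repo (or otherwise no longer commits to this repo) before merging. `statuses: write` is still used by the new status-posting step and `pull-requests: write` by the action's PR comments, so keeping those two is consistent.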

@@ -23,36 +21,67 @@ jobs:
private-key: ${{ secrets.APP_PRIVATE_KEY }}
owner: blacklanternsecurity

- name: Check org membership
id: membership
- name: Check all committers against org and allowlist
id: cla-check
env:
GH_TOKEN: ${{ steps.app-token.outputs.token }}
run: |
if [ "${{ github.event_name }}" = "pull_request_target" ]; then
AUTHOR="${{ github.event.pull_request.user.login }}"
PR_NUM="${{ github.event.pull_request.number }}"
else
PR_NUM="${{ github.event.issue.number }}"
AUTHOR=$(gh api "repos/${{ github.repository }}/pulls/$PR_NUM" --jq '.user.login' 2>/dev/null)
fi
if [ -n "$AUTHOR" ] && gh api "orgs/blacklanternsecurity/members/$AUTHOR" > /dev/null 2>&1; then
echo "is_member=true" >> "$GITHUB_OUTPUT"
else
echo "is_member=false" >> "$GITHUB_OUTPUT"
fi

- name: Skip CLA for org members
if: steps.membership.outputs.is_member == 'true' && github.event_name == 'pull_request_target'
COMMITTERS=$(gh api "repos/${{ github.repository }}/pulls/$PR_NUM/commits" --paginate --jq '.[].author.login' | sort -u)
ALL_EXEMPT=true

for LOGIN in $COMMITTERS; do
# treat commits with no associated GitHub login as non-exempt
if [ -z "$LOGIN" ] || [ "$LOGIN" = "null" ]; then
echo "Unknown committer (no GitHub login) — not exempt"
ALL_EXEMPT=false
break
fi

EXEMPT=false

# check if account type is Bot (GitHub App accounts)
AUTHOR_TYPE=$(gh api "users/${LOGIN}" --jq '.type' 2>/dev/null || echo "Unknown")
if [ "$AUTHOR_TYPE" = "Bot" ]; then
echo "$LOGIN is a Bot account — exempt"
EXEMPT=true
fi

# check org membership
if [ "$EXEMPT" = "false" ]; then
if gh api "orgs/blacklanternsecurity/members/$LOGIN" > /dev/null 2>&1; then
echo "$LOGIN is an org member — exempt"
EXEMPT=true
fi
fi

if [ "$EXEMPT" = "false" ]; then
echo "$LOGIN is not exempt — CLA required"
ALL_EXEMPT=false
break
fi
done

echo "all_exempt=$ALL_EXEMPT" >> "$GITHUB_OUTPUT"

- name: Skip CLA when all committers are exempt
if: steps.cla-check.outputs.all_exempt == 'true' && github.event_name == 'pull_request_target'
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
gh api --method POST "repos/${{ github.repository }}/statuses/${{ github.event.pull_request.head.sha }}" \
-f state=success \
-f context="CLAAssistant" \
-f description="CLA check skipped — author is an org member"
-f description="CLA check skipped — all committers are org members or bots"

- name: "CLA Assistant"
if: |
(steps.membership.outputs.is_member != 'true') &&
(steps.cla-check.outputs.all_exempt != 'true') &&
((github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target')
uses: contributor-assistant/github-action@v2.6.1
env:
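Review bot: the new exemption loop trusts `.[].author.login` from the pull-request commits endpoint, but GitHub resolves that login from the author e-mail recorded in each commit, which is set by whoever creates the commit and is not validated for unsigned commits; a commit whose author e-mail happens to match an org member's account would be counted as exempt, and since the PR author's own membership is no longer checked, the `CLAAssistant` status would be set to success for a PR opened by an outside contributor. Consider keeping the PR-author check as an additional requirement (the `AUTHOR` variable is still assigned on both branches of the `if` but is never read after this change, so it is currently dead code), or requiring `.commit.verification.verified == true` before treating a commit's author as exempt. Minor: `github.event.pull_request.user.login` and the PR number are interpolated straight into `run:`; routing them through `env:` is the usual hardening for `pull_request_target` workflows, even though GitHub constrains the characters a login can contain.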
2 changes: 1 addition & 1 deletion docs/modules/nuclei.md
@@ -52,7 +52,7 @@ The Nuclei module has many configuration options:
| modules.nuclei.silent | bool | Don't display nuclei's banner or status messages | False |
| modules.nuclei.tags | str | execute a subset of templates that contain the provided tags | |
| modules.nuclei.templates | str | template or template directory paths to include in the scan | |
| modules.nuclei.version | str | nuclei version | 3.7.0 |
| modules.nuclei.version | str | nuclei version | 3.7.1 |
<!-- END BBOT MODULE OPTIONS NUCLEI -->

Most of these you probably will **NOT** want to change. In particular, we advise against changing the version of Nuclei, as it's possible the latest version won't work right with BBOT.
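Review bot: this table sits inside the `<!-- ... BBOT MODULE OPTIONS NUCLEI -->` marker block, which indicates generated content, so confirm the default in the nuclei module itself was bumped to 3.7.1 and that this row is the regenerated output rather than a hand edit; otherwise the next docs regeneration will silently revert it to whatever the module declares.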
2 changes: 1 addition & 1 deletion docs/scanning/configuration.md
@@ -454,7 +454,7 @@ In addition to the stated options for each module, the following universal optio
| modules.nuclei.silent | bool | Don't display nuclei's banner or status messages | False |
| modules.nuclei.tags | str | execute a subset of templates that contain the provided tags | |
| modules.nuclei.templates | str | template or template directory paths to include in the scan | |
| modules.nuclei.version | str | nuclei version | 3.7.0 |
| modules.nuclei.version | str | nuclei version | 3.7.1 |
| modules.oauth.try_all | bool | Check for OAUTH/IODC on every subdomain and URL. | False |
| modules.paramminer_cookies.recycle_words | bool | Attempt to use words found during the scan on all other endpoints | False |
| modules.paramminer_cookies.skip_boring_words | bool | Remove commonly uninteresting words from the wordlist | True |
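Review bot: the nuclei version bump here and in `docs/modules/nuclei.md` is unrelated to the CLA workflow rework that makes up the rest of this PR; splitting it into its own change would keep the workflow diff reviewable on its own and make a revert of either part independent of the other. The two doc tables are at least consistent with each other at 3.7.1.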