Simplify CLA gate workflow

clockwork-labs-bot · clockwork-labs-bot · commit 2f4330223252 · 2026-06-14T19:15:26.000-04:00
diff --git a/.github/workflows/cla-gate.yml b/.github/workflows/cla-gate.yml
@@ -1,106 +1,81 @@
 name: CLA Gate
 
-# This workflow publishes a repository-owned commit status named `CLA Gate`.
-# Make `CLA Gate` required instead of requiring CLA Assistant's raw `license/cla`
-# status directly. That lets merge queue entries pass without waiting for CLA
-# Assistant to report on the synthetic merge-group SHA, while pull requests still
-# mirror the real CLA Assistant result.
+# Make this Actions check required instead of requiring CLA Assistant's raw
+# `license/cla` status directly. Merge queue entries pass without waiting for
+# CLA Assistant on the synthetic merge-group SHA, while pull requests wait for
+# the real CLA Assistant result on the PR head SHA.
 #
-# SECURITY: This workflow uses pull_request_target so it can publish commit
-# statuses on external PRs. It must never check out, build, or execute PR code.
+# SECURITY: This workflow uses pull_request_target so it can read statuses on
+# external PRs. It must never check out, build, or execute PR code.
 
 on:
   pull_request_target:
-    types: [opened, reopened]
-  status:
+    types: [opened, reopened, synchronize, ready_for_review]
   merge_group:
 
 permissions:
   contents: read
-  pull-requests: read
-  statuses: write
+  statuses: read
+
+concurrency:
+  group: cla-gate-${{ github.event.pull_request.number || github.sha }}
+  cancel-in-progress: true
 
 jobs:
-  publish-cla-gate-status:
-    name: CLA status
+  cla-gate:
+    name: CLA Gate
     runs-on: ubuntu-latest
-    if: github.event_name != 'status' || github.event.context == 'license/cla'
 
     steps:
-      - name: Check out trusted base code
-        uses: actions/checkout@v4
-        with:
-          ref: ${{ github.event.repository.default_branch }}
-
-      - uses: dsherret/rust-toolchain-file@v1
+      - name: Skip CLA check for merge queue
+        if: ${{ github.event_name == 'merge_group' }}
+        run: echo "Merge group entry; CLA was checked before entering the queue."
 
-      - name: Publish CLA Gate status
-        uses: actions/github-script@v7
+      - name: Wait for CLA Assistant
+        if: ${{ github.event_name == 'pull_request_target' }}
         env:
-          GITHUB_TOKEN: ${{ github.token }}
-        with:
-          script: |
-            const { execFileSync } = require("child_process");
-
-            function claStatus(args) {
-              const output = execFileSync("cargo", ["ci", "cla-assistant", "status", ...args], {
-                encoding: "utf8",
-                env: process.env,
-              });
-              return JSON.parse(output);
-            }
-
-            async function postStatus({ sha, state, description, targetUrl }) {
-              const statusContext = "CLA Gate";
-              core.info(
-                `Publishing ${statusContext}=${state} for ${sha}: ${description}`
-              );
-
-              await github.rest.repos.createCommitStatus({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                sha,
-                state,
-                description,
-                context: statusContext,
-                target_url: targetUrl,
-              });
-            }
-
-            let targetSha;
-            let claStatusArgs;
-
-            if (context.eventName === "merge_group") {
-              await postStatus({
-                sha: process.env.GITHUB_SHA,
-                state: "success",
-                description: "Merge group entry; CLA already checked before queue",
-              });
-              return;
-            }
-
-            if (context.eventName === "status") {
-              targetSha = context.payload.sha;
-              claStatusArgs = ["--sha", targetSha];
-            } else if (context.eventName === "pull_request_target") {
-              const pr = context.payload.pull_request;
-              targetSha = pr.head.sha;
-              claStatusArgs = ["--pr", String(pr.number)];
-            } else {
-              core.setFailed(`Unsupported event type: ${context.eventName}`);
-              return;
-            }
-
-            const status = claStatus(claStatusArgs);
-
-            if (!status.state) {
-              core.info(`No CLA Gate status to publish for ${targetSha}`);
-              return;
-            }
-
-            await postStatus({
-              sha: targetSha,
-              state: status.state,
-              description: status.description || undefined,
-              targetUrl: status.target_url || undefined,
-            });
+          GH_TOKEN: ${{ github.token }}
+          PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+        run: |
+          set -euo pipefail
+
+          for attempt in $(seq 1 30); do
+            status_json="$(gh api "repos/${GITHUB_REPOSITORY}/commits/${PR_HEAD_SHA}/status")"
+            cla_status="$(jq -c '.statuses | map(select(.context == "license/cla")) | first // empty' <<<"${status_json}")"
+
+            if [ -z "${cla_status}" ]; then
+              echo "license/cla is not present on ${PR_HEAD_SHA} yet."
+            else
+              state="$(jq -r '.state' <<<"${cla_status}")"
+              description="$(jq -r '.description // ""' <<<"${cla_status}")"
+              target_url="$(jq -r '.target_url // ""' <<<"${cla_status}")"
+
+              echo "license/cla is ${state}: ${description}"
+              case "${state}" in
+                success)
+                  exit 0
+                  ;;
+                pending)
+                  ;;
+                failure|error)
+                  if [ -n "${target_url}" ]; then
+                    echo "::error title=license/cla ${state}::${description} (${target_url})"
+                  else
+                    echo "::error title=license/cla ${state}::${description}"
+                  fi
+                  exit 1
+                  ;;
+                *)
+                  echo "::error::Unexpected license/cla state: ${state}"
+                  exit 1
+                  ;;
+              esac
+            fi
+
+            if [ "${attempt}" -lt 30 ]; then
+              sleep 10
+            fi
+          done
+
+          echo "::error::Timed out waiting for license/cla to succeed on ${PR_HEAD_SHA}."
+          exit 1
diff --git a/tools/ci/README.md b/tools/ci/README.md
@@ -278,20 +278,6 @@ Usage: retry [OPTIONS] --pr-number <PR_NUMBER>
 - `--repo <REPO>`: Repository in `owner/name` form. Defaults to GITHUB_REPOSITORY
 - `--help`: Print help
 
-#### `status`
-
-**Usage:**
-```bash
-Usage: status [OPTIONS] <--pr <PR>|--sha <SHA>>
-```
-
-**Options:**
-
-- `--pr <PR>`: Pull request number whose head commit should be checked
-- `--sha <SHA>`: Commit SHA to check
-- `--repo <REPO>`: Repository in `owner/name` form. Defaults to GITHUB_REPOSITORY
-- `--help`: Print help
-
 #### `help`
 
 **Usage:**
diff --git a/tools/ci/src/cla_assistant.rs b/tools/ci/src/cla_assistant.rs
@@ -2,21 +2,18 @@ use std::collections::BTreeMap;
 use std::env;
 
 use anyhow::{anyhow, bail, Context, Result};
-use clap::{ArgGroup, Args, Subcommand};
+use clap::{Args, Subcommand};
 use reqwest::blocking::Client;
 use reqwest::header::{HeaderMap, HeaderValue, ACCEPT, AUTHORIZATION, USER_AGENT};
 use serde::de::DeserializeOwned;
-use serde::{Deserialize, Serialize};
+use serde::Deserialize;
 
 const CLA_CONTEXT: &str = "license/cla";
 
 #[derive(Subcommand)]
 pub(crate) enum ClaAssistantCmd {
     /// Retries CLA Assistant if `license/cla` is the only remaining PR blocker.
     Retry(RetryArgs),
-
-    /// Returns the `license/cla` status for a pull request or commit SHA.
-    Status(StatusArgs),
 }
 
 #[derive(Args)]
@@ -30,31 +27,9 @@ pub(crate) struct RetryArgs {
     pub(crate) repo: Option<String>,
 }
 
-#[derive(Args)]
-#[command(group(
-    ArgGroup::new("target")
-        .required(true)
-        .multiple(false)
-        .args(["pr", "sha"]),
-))]
-pub(crate) struct StatusArgs {
-    /// Pull request number whose head commit should be checked.
-    #[arg(long)]
-    pub(crate) pr: Option<u64>,
-
-    /// Commit SHA to check.
-    #[arg(long)]
-    pub(crate) sha: Option<String>,
-
-    /// Repository in `owner/name` form. Defaults to GITHUB_REPOSITORY.
-    #[arg(long)]
-    pub(crate) repo: Option<String>,
-}
-
 pub(crate) fn run(cmd: ClaAssistantCmd) -> Result<()> {
     match cmd {
         ClaAssistantCmd::Retry(args) => retry(args),
-        ClaAssistantCmd::Status(args) => status(args),
     }
 }
 
@@ -66,33 +41,6 @@ fn retry(args: RetryArgs) -> Result<()> {
     retry_for_pr(&client, &repo, args.pr_number)
 }
 
-fn status(args: StatusArgs) -> Result<()> {
-    let repo = Repo::from_arg_or_env(args.repo)?;
-    let token = env::var("GITHUB_TOKEN").context("GITHUB_TOKEN is required")?;
-    let client = GithubClient::new(token)?;
-
-    let sha = match (args.pr, args.sha) {
-        (Some(pr_number), None) => client.pull_request(&repo, pr_number)?.head.sha,
-        (None, Some(sha)) => sha,
-        _ => unreachable!("clap requires exactly one of --pr or --sha"),
-    };
-
-    let statuses = client.list_statuses(&repo, &sha)?;
-    let latest_statuses = latest_status_by_context(statuses);
-    let output = latest_statuses.get(CLA_CONTEXT).map_or_else(
-        || ClaStatusOutput::missing(sha.clone()),
-        |status| ClaStatusOutput {
-            sha: sha.clone(),
-            state: Some(status.state.clone()),
-            description: status.description.clone(),
-            target_url: status.target_url.clone(),
-        },
-    );
-
-    println!("{}", serde_json::to_string(&output)?);
-    Ok(())
-}
-
 fn retry_for_pr(client: &GithubClient, repo: &Repo, pr_number: u64) -> Result<()> {
     println!("Inspecting PR #{pr_number}");
 
@@ -217,29 +165,8 @@ struct CombinedStatusResponse {
     statuses: Vec<CommitStatus>,
 }
 
-#[derive(Clone, Deserialize)]
+#[derive(Deserialize)]
 struct CommitStatus {
     context: String,
     state: String,
-    description: Option<String>,
-    target_url: Option<String>,
-}
-
-#[derive(Serialize)]
-struct ClaStatusOutput {
-    sha: String,
-    state: Option<String>,
-    description: Option<String>,
-    target_url: Option<String>,
-}
-
-impl ClaStatusOutput {
-    fn missing(sha: String) -> Self {
-        Self {
-            sha,
-            state: None,
-            description: None,
-            target_url: None,
-        }
-    }
 }
