-
Notifications
You must be signed in to change notification settings - Fork 169
79 lines (76 loc) · 3.79 KB
/
Copy pathcla.yml
File metadata and controls
79 lines (76 loc) · 3.79 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
# CLA Assistant — Contributor License Agreement enforcement
#
# Every pull request author must sign the project's Contributor License Agreement
# (see CLA.md at the repo root) before their PR can be merged. This workflow uses
# the community CLA Assistant action to:
# 1. Comment on a PR the first time an unsigned contributor opens one, asking
# them to sign by leaving a fixed comment on the PR.
# 2. Record each signature (GitHub username + signed commit SHA + timestamp) in
# `signatures/version1/cla.json` on the default branch. A contributor signs
# once and is never asked again on future PRs.
# 3. Set a `CLA Assistant` commit status — red until signed, green afterwards —
# so the requirement can be enforced as a required status check in branch
# protection.
#
# Triggers:
# - pull_request_target (opened / synchronize / closed): re-checks signatures
# for every PR and locks the signature record when a PR merges.
# - issue_comment (created): catches the "I hereby sign the CLA" / "recheck"
# comments. The job is gated so it only runs for those two comment bodies or
# for pull_request_target events — ordinary issue/PR chatter is ignored.
#
# Storage: signatures live on the dedicated, unprotected `cla-signatures` branch
# under signatures/version1/cla.json. They are NOT stored on master because the
# `master-protect` ruleset blocks the bot's direct signature commits. The signature
# commits are made by github-actions[bot]; the CI/CD workflow (ci.yml) ignores the
# signatures/ path so these commits do not trigger builds.
#
# Token: uses the built-in GITHUB_TOKEN (no extra secret needed) because the
# signature file is stored inside this repository.
#
# Author: Son Nguyen <hoangson091104@gmail.com>
name: 🖋️ CLA Assistant
on:
issue_comment:
types: [created]
pull_request_target:
types: [opened, closed, synchronize]
permissions:
actions: write
contents: write
pull-requests: write
statuses: write
jobs:
cla:
name: "🖋️ Verify CLA signature"
runs-on: ubuntu-latest
# Run on PR events, or only on the two relevant comment bodies — never on
# unrelated issue/PR comments.
if: |
(github.event.comment.body == 'recheck' ||
github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') ||
github.event_name == 'pull_request_target'
steps:
- name: "CLA Assistant"
uses: contributor-assistant/github-action@v2.6.1
env:
# Built-in token — sufficient because signatures are stored in this repo.
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
# Where signatures are recorded (default branch of this repo).
path-to-signatures: "signatures/version1/cla.json"
# Public URL of the CLA contributors must agree to.
path-to-document: "https://github.com/hoangsonww/Claude-Code-Agent-Monitor/blob/master/CLA.md"
# Store signatures on a DEDICATED, UNPROTECTED branch. The default
# branch (master) is governed by the `master-protect` ruleset, which
# blocks direct pushes — including the bot's signature commits — so
# signatures must live on a branch the bot can write to freely.
branch: "cla-signatures"
# Bots never sign. Every human contributor (including maintainers) must.
allowlist: "dependabot[bot],renovate[bot],github-actions[bot]"
# Lock the signature record once a PR is merged.
lock-pullrequest-aftermerge: true
# Exact comment a contributor must post to sign.
custom-pr-sign-comment: "I have read the CLA Document and I hereby sign the CLA"
# Allow re-running the check by commenting "recheck".
custom-allsigned-prcomment: "✅ All contributors have signed the CLA. Thank you!"