Skip to content

Commit 28fbff3

Browse files
committed
Replace CLA workflow with reusable workflow from CLA repo
Points at blacklanternsecurity/CLA instead of the .github repo to avoid the double .github path resolution issue. Fixes org members being falsely flagged on external contributor PRs.
1 parent 23b2563 commit 28fbff3

1 file changed

Lines changed: 3 additions & 85 deletions

File tree

.github/workflows/cla.yml

Lines changed: 3 additions & 85 deletions
Original file line numberDiff line numberDiff line change
@@ -10,88 +10,6 @@ permissions:
1010
statuses: write
1111

1212
jobs:
13-
CLAAssistant:
14-
runs-on: ubuntu-latest
15-
steps:
16-
- name: Generate token from GitHub App
17-
id: app-token
18-
uses: actions/create-github-app-token@v3
19-
with:
20-
app-id: ${{ secrets.APP_ID }}
21-
private-key: ${{ secrets.APP_PRIVATE_KEY }}
22-
owner: blacklanternsecurity
23-
24-
- name: Check all committers against org and allowlist
25-
id: cla-check
26-
env:
27-
GH_TOKEN: ${{ steps.app-token.outputs.token }}
28-
run: |
29-
if [ "${{ github.event_name }}" = "pull_request_target" ]; then
30-
PR_NUM="${{ github.event.pull_request.number }}"
31-
else
32-
PR_NUM="${{ github.event.issue.number }}"
33-
fi
34-
35-
COMMITTERS=$(gh api "repos/${{ github.repository }}/pulls/$PR_NUM/commits" --paginate --jq '.[].author.login' | sort -u)
36-
ALL_EXEMPT=true
37-
38-
for LOGIN in $COMMITTERS; do
39-
# treat commits with no associated GitHub login as non-exempt
40-
if [ -z "$LOGIN" ] || [ "$LOGIN" = "null" ]; then
41-
echo "Unknown committer (no GitHub login) — not exempt"
42-
ALL_EXEMPT=false
43-
break
44-
fi
45-
46-
EXEMPT=false
47-
48-
# check if account type is Bot (GitHub App accounts)
49-
AUTHOR_TYPE=$(gh api "users/${LOGIN}" --jq '.type' 2>/dev/null || echo "Unknown")
50-
if [ "$AUTHOR_TYPE" = "Bot" ]; then
51-
echo "$LOGIN is a Bot account — exempt"
52-
EXEMPT=true
53-
fi
54-
55-
# check org membership
56-
if [ "$EXEMPT" = "false" ]; then
57-
if gh api "orgs/blacklanternsecurity/members/$LOGIN" > /dev/null 2>&1; then
58-
echo "$LOGIN is an org member — exempt"
59-
EXEMPT=true
60-
fi
61-
fi
62-
63-
if [ "$EXEMPT" = "false" ]; then
64-
echo "$LOGIN is not exempt — CLA required"
65-
ALL_EXEMPT=false
66-
break
67-
fi
68-
done
69-
70-
echo "all_exempt=$ALL_EXEMPT" >> "$GITHUB_OUTPUT"
71-
72-
- name: Skip CLA when all committers are exempt
73-
if: steps.cla-check.outputs.all_exempt == 'true' && github.event_name == 'pull_request_target'
74-
env:
75-
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
76-
run: |
77-
gh api --method POST "repos/${{ github.repository }}/statuses/${{ github.event.pull_request.head.sha }}" \
78-
-f state=success \
79-
-f context="CLAAssistant" \
80-
-f description="CLA check skipped — all committers are org members or bots"
81-
82-
- name: "CLA Assistant"
83-
if: |
84-
(steps.cla-check.outputs.all_exempt != 'true') &&
85-
((github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target')
86-
uses: contributor-assistant/github-action@v2.6.1
87-
env:
88-
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
89-
PERSONAL_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }}
90-
with:
91-
path-to-signatures: "signatures/version1/cla.json"
92-
path-to-document: "https://github.com/blacklanternsecurity/CLA/blob/main/ICLA.md"
93-
branch: "main"
94-
allowlist: "dependabot[bot],github-actions[bot],renovate[bot]"
95-
remote-organization-name: "blacklanternsecurity"
96-
remote-repository-name: "CLA"
97-
lock-pullrequest-aftermerge: "false"
13+
cla:
14+
uses: blacklanternsecurity/CLA/.github/workflows/cla-reusable.yml@main
15+
secrets: inherit

0 commit comments

Comments
 (0)