Skip to content

Fix CLA workflow to skip bots and check all committers#3013

Merged
aconite33 merged 2 commits intodevfrom
fix-cla-bot-skip
Apr 1, 2026
Merged

Fix CLA workflow to skip bots and check all committers#3013
aconite33 merged 2 commits intodevfrom
fix-cla-bot-skip

Conversation

@aconite33
Copy link
Copy Markdown
Contributor

@aconite33 aconite33 commented Apr 1, 2026
edited
Loading

Summary

Fixes CLA check failures on bot PRs (e.g. #3009).

Replaces the old single-author org membership check with a unified step that iterates all committers on the PR and checks each against:

  1. GitHub API account type -- gh api users/$LOGIN --jq .type returns "Bot" for GitHub App accounts (enforced server-side, not spoofable)
  2. Org membership -- existing check preserved

Also hardens against null logins: commits with no associated GitHub account are treated as non-exempt (prevents bypass via spoofed email).

Scenario PR Result
Human committer (not org member) #1 CLA required
Bot committer (github-actions[bot]) #3 Skipped via API type check

Path to production

  1. Merge this into dev
  2. Manual PR from dev into stable

aconite33 added 2 commits April 1, 2026 13:39
@aconite33
fix CLA workflow to properly skip bots and check all committers
648ce4e 
Replace the single PR-author org membership check with a unified step
that iterates all committers on the PR and checks each against:
1. GitHub API account type (type == "Bot" for App accounts)
2. Org membership

Commits with no associated GitHub login are treated as non-exempt
(prevents bypass via spoofed email with no GitHub account).

Tested on aconite33/cla-workflow-test:
- Human committer: correctly required CLA
- github-actions[bot]: correctly skipped via API type check
@aconite33
drop unnecessary actions:write and contents:write permissions
83833e7 
Tested on aconite33/cla-workflow-test with only pull-requests:write
and statuses:write -- both human CLA and bot skip paths work correctly.
The CLA assistant uses PERSONAL_ACCESS_TOKEN (app token) for writing
signatures to the remote CLA repo, not GITHUB_TOKEN.
@aconite33 aconite33 merged commit de4f04b into dev Apr 1, 2026
16 of 17 checks passed
@codecov
Copy link
Copy Markdown

codecov bot commented Apr 1, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92%. Comparing base (ddd5d16) to head (83833e7).
⚠️ Report is 16 commits behind head on dev.

Additional details and impacted files 
@@          Coverage Diff          @@
##             dev   #3013   +/-   ##
=====================================
+ Coverage     92%     92%   +1%     
=====================================
  Files        416     416           
  Lines      34690   34690           
=====================================
+ Hits       31643   31662   +19     
+ Misses      3047    3028   -19

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@liquidsec liquidsec liquidsec approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@aconite33 @liquidsec