-
Notifications
You must be signed in to change notification settings - Fork 0
72 lines (69 loc) · 3.49 KB
/
Copy pathcla.yml
File metadata and controls
72 lines (69 loc) · 3.49 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
name: CLA Assistant
# Gates merges on a signed Contributor License Agreement.
#
# Uses CLA Assistant Lite (contributor-assistant/github-action): signatures are
# stored as a JSON file committed to a branch of THIS repo (no third-party
# service holds the data). Contributors sign by commenting the configured phrase
# on their PR; the action records it and flips the check green.
#
# AUTH: mints a token from the shared automation GitHub App (the same App
# release-please uses), so signature commits show as the bot and there's no
# personal token to expire.
#
# SETUP REQUIRED before this enforces anything:
# 1. Create/install the automation GitHub App (Contents R/W, Pull requests R/W,
# Issues R/W) and add BOT_APP_ID + BOT_APP_PRIVATE_KEY repo secrets — the
# same secrets release-please uses.
# 2. Create the `cla-signatures` branch (empty orphan) so the action has
# somewhere to write `signatures/version1/cla.json`.
# 3. Finalise CLA.md (legal review) — it's the document contributors agree to.
#
# Until the App secrets exist the CLA step self-skips, so the check is green
# (not failing) on every PR and auto-activates once they're set.
on:
issue_comment:
types: [created]
pull_request_target:
types: [opened, closed, synchronize]
permissions:
actions: write
contents: write
pull-requests: write
statuses: write
jobs:
cla:
runs-on: ubuntu-latest
# Empty until the automation App secrets are configured (see SETUP above).
# While empty, the steps below self-skip so this check passes (green) instead
# of failing on every PR with "Branch cla-signatures not found".
env:
HAS_APP: ${{ secrets.BOT_APP_ID != '' }}
# Only act on the signature comment or on PR events (not every comment).
if: (github.event.issue.pull_request && contains(github.event.comment.body, 'I have read the CLA Document and I hereby sign the CLA')) || github.event_name == 'pull_request_target'
steps:
- uses: actions/create-github-app-token@v3
id: app-token
if: env.HAS_APP == 'true'
with:
app-id: ${{ secrets.BOT_APP_ID }}
private-key: ${{ secrets.BOT_APP_PRIVATE_KEY }}
- uses: contributor-assistant/github-action@v2.6.1
if: env.HAS_APP == 'true'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
PERSONAL_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }}
with:
path-to-signatures: "signatures/version1/cla.json"
path-to-document: "https://github.com/devicecloud-dev/dcd-cli/blob/dev/CLA.md"
branch: "cla-signatures"
# Do NOT lock the PR on merge (the action's default is true). release-please
# comments on its release PR *after* merge; a locked conversation makes that
# comment fail and takes down the whole Release job (npm publish + binaries
# never run). Keeping this false is load-bearing for the release pipeline.
lock-pullrequest-aftermerge: false
# Internal maintainers (covered by employment/CCLA) + bots skip the prompt.
allowlist: riglar,finalerock44,dependabot[bot],renovate[bot],*[bot]
# Customise the bot's prompts if desired:
custom-notsigned-prcomment: "Thanks for your contribution! Please sign our Contributor License Agreement before we can merge. Comment the line below to sign:"
custom-pr-sign-comment: "I have read the CLA Document and I hereby sign the CLA"
custom-allsigned-prcomment: "All contributors have signed the CLA. ✍️ ✅"