Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
30 changes: 29 additions & 1 deletion .github/workflows/reusable-cla.yml
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,33 @@ jobs:
github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA' ||
github.event_name == 'pull_request_target'
steps:
# Without the PAT the CLA action cannot even read signatures and fails
# for everyone. Degrade gracefully: allowlisted authors (owner + bots,
# who never need to sign) pass with a warning; everyone else still
# fails closed so no unsigned external contribution can merge.
- name: Check CLA storage configuration
id: cfg
env:
PAT: ${{ secrets.cla-assistant-pat }}
AUTHOR: ${{ github.event.pull_request.user.login || github.event.comment.user.login || github.actor }}
run: |
if [ -n "$PAT" ]; then
echo "mode=enforce" >> "$GITHUB_OUTPUT"
exit 0
fi
case "$AUTHOR" in
enricopiovesan|*"[bot]")
echo "::warning::CLA_ASSISTANT_PAT is not configured (see docs/owner-setup.md); author '$AUTHOR' is allowlisted so this check passes. External contributors fail closed until the secret is set."
echo "mode=allowlisted-pass" >> "$GITHUB_OUTPUT"
;;
*)
echo "::error::CLA gate cannot record signatures: the CLA_ASSISTANT_PAT secret is not configured (see docs/owner-setup.md in traverse-framework/.github). Failing closed for author '$AUTHOR'."
exit 1
;;
esac

- name: CLA assistant
if: steps.cfg.outputs.mode == 'enforce'
uses: contributor-assistant/github-action@v2.6.1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
Expand All @@ -40,5 +66,7 @@ jobs:
branch: cla-signatures
path-to-signatures: signatures/version1/cla.json
path-to-document: https://github.com/traverse-framework/.github/blob/HEAD/CLA.md
allowlist: enricopiovesan,*[bot]
# claude / cursoragent / "Enrico Piovesan" are the owner's coding
# agents and the owner's unlinked machine-local git identity.
allowlist: enricopiovesan,claude,cursoragent,Enrico Piovesan,*[bot]
lock-pullrequest-aftermerge: false
7 changes: 7 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,13 @@ All notable changes to the org-wide governance in this repository are documented

The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and versions follow [Semantic Versioning](https://semver.org/): a **major** bump means a rule change that can newly block merges in consuming repos; **minor** adds rules or tooling that are backwards-compatible; **patch** is clarification only.

## [1.0.2] - 2026-07-07

### Fixed

- CLA gate degrades gracefully while `CLA_ASSISTANT_PAT` is unset: allowlisted authors (owner and `*[bot]`) pass with a warning instead of everyone failing at action startup; non-allowlisted authors still fail closed. With `cla / cla` now a required check org-wide, the previous behavior blocked every PR including the owner's and Dependabot's.
- CLA allowlist covers the owner's coding-agent identities (`claude`, `cursoragent`, and the owner's unlinked local git identity) so agent-authored PRs aren't asked to sign the owner's own CLA.

## [1.0.1] - 2026-07-06

### Fixed
Expand Down
Loading