Adding CLA Assistant action workflow #48249
Conversation
|
This pull request is automatically being deployed by Amplify Hosting (learn more). |
doggydogworld
added
the
no-changelog
doggydogworld
requested review from
klizhentas,
russjones,
r0mant,
zmb3,
fheinecke,
camscale,
tcsc,
rosstimothy and
codingllama
as code owners
.github/workflows/cla-assistant.yaml
Outdated
| # If the user is a member of the org expect a 204 HTTP Status Code | ||
| # If the above is success the process will exit 0 | ||
| run: | | ||
| gh api "orgs/gravitational/members/${USER}" |
There was a problem hiding this comment.
| gh api "orgs/gravitational/members/${USER}" | |
| gh api "orgs/gravitational/members/${USER}" > /dev/null |
This doesn't contain much sensitive information currently, but would probably be a good idea to either capture the output or trash it in case something changes in the future
.github/workflows/cla-assistant.yaml
Outdated
| issue_comment: | ||
| types: [created] |
There was a problem hiding this comment.
Will this trigger on issues too? We'd probably want to avoid that and only trigger on PRs.
There was a problem hiding this comment.
Unfortunately from GitHub's perspective PR comments ARE issue comments. Hmm I could make it do a noop for "true" issue comments so it exits fast. Since this is a public repo I believe this should be no cost.
.github/workflows/cla-assistant.yaml
Outdated
| issue_comment: | ||
| types: [created] | ||
| pull_request_target: | ||
| types: [opened, closed, synchronize] |
There was a problem hiding this comment.
Why do we need closed event? Also, when does synchronize trigger?
| run: | | ||
| gh api "orgs/gravitational/members/${USER}" | ||
| - name: "CLA Assistant" | ||
| if: steps.get-membership.outcome != 'success' && ((github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target') |
There was a problem hiding this comment.
I'm not sure I fully understand this condition. Looks like it checks if the comment says either "recheck" or "I have read ..." and adds them to the signers repo? Does it check that the comment was left by the PR author?
There was a problem hiding this comment.
You're right it is a bit vague. I'll add some comments to describe the expected behavior.
Essentially though the behavior for anyone outside gravitational org is:
- CLA Assistant gathers authors from commits made to the PR
- If any author has not signed CLA it fails.
In the case of a failure the DX is:
- Reply with "I have read..."
- The action will add the username to the cla-signatures list and "recheck" automatically
- "recheck" (can be commented to manually rerun in the case of a transient error)
- Gathers authors from all commits in PR and checks cla-signatures
public-teleport-github-review-bot
bot
removed request for
timothyb89 and
greedy52
|
@doggydogworld Let's run both this one and old cla-assistant check in parallel for a few days and test external contributions before making this one required and removing the old one. |
Overview
We currently use the 3rd party service CLA Assistant to automate the handling of CLA signatures. Using a 3rd party service comes with downsides. In the case of a service interruption our PRs are blocked until the stability of the service is reestablished.
There is a Contributor Assistant Action that has similar functionality and will run as an action. This should alleviate any concerns of service interruption (unless GitHub goes down) and also allows us to add features as needed.
Implementation
Added a new workflow that kicks off for PR events. This will detect if any changes were introduced by someone who hasn't signed the CLA and will post a comment with instructions.
Signatures are stored in the
cla-signaturesrepository and are updated by the workflow.Security Considerations
This introduces two new secrets into the OSS repo:
These combined can be used to perform authenticated REST API calls.
The GitHub App associated with the above is only installed on the
cla-signaturesrepo and has the following access: