Closed
Conversation
Add a bot detection step that checks if the PR author's login ends with [bot] (e.g. dependabot[bot], github-actions[bot], renovate[bot]). When detected, the CLA check is skipped with a success status, and the CLA assistant action is not invoked at all. This fixes CLA failures on automated dependency PRs where the allowlist in the CLA assistant action was not matching correctly.
aconite33
force-pushed
the
fix-cla-bot-skip
branch
from
a63615b to
d509873
Compare
Instead of only checking the PR author, iterate over every unique commit author and verify each is either an org member or a known bot. Fixes CLA failures on PRs with mixed committers (e.g. dependabot PRs that include org member commits due to branch divergence).
Replace string-based bot allowlist with API lookup of the account's type field (returns "Bot" for GitHub App accounts, enforced server-side and not spoofable). Also treat commits with no associated GitHub login as non-exempt instead of silently skipping them. Tested on aconite33/cla-workflow-test: - PR #1 (human): correctly required CLA - PR #3 (github-actions[bot]): correctly skipped via API type check
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## stable #3011 +/- ##
======================================
- Coverage 92% 92% -0%
======================================
Files 416 416
Lines 34690 34690
======================================
- Hits 31667 31643 -24
- Misses 3023 3047 +24 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes CLA check failures on bot PRs (e.g. #3009).
Adds a bot detection step that checks if the PR author's login ends with
[bot]. When detected, sets a success status and skips the CLA assistant action entirely. The existing allowlist in the CLA assistant was not matching correctly for bot committers.Test plan