Skip to content

Skip CLA check for bot accounts #3011

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
aconite33 wants to merge 3 commits into from
Closed

Skip CLA check for bot accounts #3011

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
d509873
skip CLA check for bot accounts in CI workflow
aconite33 Apr 1, 2026
8c6a79f
check all PR committers against org membership and bot allowlist
liquidsec Apr 1, 2026
3e57912
use GitHub API type field for bot detection and harden null logins
aconite33 Apr 1, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
55 changes: 42 additions & 13 deletions .github/workflows/cla.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,36 +23,65 @@ jobs:
private-key: ${{ secrets.APP_PRIVATE_KEY }}
owner: blacklanternsecurity

- name: Check org membership
id: membership
- name: Check all committers against org and allowlist
id: cla-check
env:
GH_TOKEN: ${{ steps.app-token.outputs.token }}
run: |
if [ "${{ github.event_name }}" = "pull_request_target" ]; then
AUTHOR="${{ github.event.pull_request.user.login }}"
PR_NUM="${{ github.event.pull_request.number }}"
else
PR_NUM="${{ github.event.issue.number }}"
AUTHOR=$(gh api "repos/${{ github.repository }}/pulls/$PR_NUM" --jq '.user.login' 2>/dev/null)
fi
if [ -n "$AUTHOR" ] && gh api "orgs/blacklanternsecurity/members/$AUTHOR" > /dev/null 2>&1; then
echo "is_member=true" >> "$GITHUB_OUTPUT"
else
echo "is_member=false" >> "$GITHUB_OUTPUT"
fi
COMMITTERS=$(gh api "repos/${{ github.repository }}/pulls/$PR_NUM/commits" --paginate --jq '.[].author.login' | sort -u)
ALL_EXEMPT=true

for LOGIN in $COMMITTERS; do
# treat commits with no associated GitHub login as non-exempt
if [ -z "$LOGIN" ] || [ "$LOGIN" = "null" ]; then
echo "Unknown committer (no GitHub login) — not exempt"
ALL_EXEMPT=false
break
fi

EXEMPT=false

# check if account type is Bot (GitHub App accounts)
AUTHOR_TYPE=$(gh api "users/${LOGIN}" --jq '.type' 2>/dev/null || echo "Unknown")
if [ "$AUTHOR_TYPE" = "Bot" ]; then
echo "$LOGIN is a Bot account — exempt"
EXEMPT=true
fi

# check org membership
if [ "$EXEMPT" = "false" ]; then
if gh api "orgs/blacklanternsecurity/members/$LOGIN" > /dev/null 2>&1; then
echo "$LOGIN is an org member — exempt"
EXEMPT=true
fi
fi

if [ "$EXEMPT" = "false" ]; then
echo "$LOGIN is not exempt — CLA required"
ALL_EXEMPT=false
break
fi
done
echo "all_exempt=$ALL_EXEMPT" >> "$GITHUB_OUTPUT"

- name: Skip CLA for org members
if: steps.membership.outputs.is_member == 'true' && github.event_name == 'pull_request_target'
- name: Skip CLA when all committers are exempt
if: steps.cla-check.outputs.all_exempt == 'true' && github.event_name == 'pull_request_target'
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
gh api --method POST "repos/${{ github.repository }}/statuses/${{ github.event.pull_request.head.sha }}" \
-f state=success \
-f context="CLAAssistant" \
-f description="CLA check skipped — author is an org member"
-f description="CLA check skipped — all committers are org members or bots"

- name: "CLA Assistant"
if: |
(steps.membership.outputs.is_member != 'true') &&
(steps.cla-check.outputs.all_exempt != 'true') &&
((github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target')
uses: contributor-assistant/github-action@v2.6.1
env:
Expand Down
Loading