
ci: add CLA Assistant workflow #14582

Open

alexisrolland wants to merge 3 commits into master from add-cla-workflow

Conversation

@alexisrolland

Member

Adds the CLA Assistant GitHub Actions workflow at .github/workflows/cla.yml, copied from https://github.com/Comfy-Org/comfy-cla/blob/main/.github/workflows/cla.yml

@coderabbitai

coderabbitai Bot commented Jun 22, 2026


📝 Walkthrough

A new GitHub Actions workflow file .github/workflows/cla.yml is added. It runs contributor-assistant/github-action on pull_request_target, issue_comment, and merge_group events, with conditions for PR-related runs and exact comment matches. The workflow sets job permissions, passes GITHUB_TOKEN and PERSONAL_ACCESS_TOKEN, configures centralized CLA signature storage, exempts listed bot accounts, and defines custom PR comment templates for unsigned and signed states.

🚥 Pre-merge checks: 5 passed

Title check: Passed. The title clearly and concisely describes the main change: adding a CLA Assistant workflow.
Description check: Passed. The description matches the changeset by stating that the CLA Assistant workflow was added to .github/workflows/cla.yml.
Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.


@alexisrolland alexisrolland marked this pull request as draft June 22, 2026 08:07
@alexisrolland alexisrolland marked this pull request as ready for review June 22, 2026 08:45

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/cla.yml:
- Line 26: The `contributor-assistant/github-action` action in the cla.yml
workflow is pinned to version tag `v2.6.1` instead of a commit SHA, which is a
security risk since tags can be force-pushed. Additionally, this repository is
archived and no longer receives security updates. Replace the current uses
statement `contributor-assistant/github-action@v2.6.1` with the pinned commit
SHA
`contributor-assistant/github-action@ca4a40a7d1004f18d9960b404b97e5f30a505a08`
to mitigate the risk. Consider evaluating whether to migrate to an actively
maintained alternative like `cla-assistant/github-action`.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 9268a813-a1ec-42c7-94b9-b516dd3acbc3

📥 Commits

Reviewing files that changed from the base of the PR and between b0f9e32 and c06a3f0.

📒 Files selected for processing (1)
  • .github/workflows/cla.yml

Comment thread .github/workflows/cla.yml Outdated
Updated CLA workflow to modify permissions and action version.

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/cla.yml (1)

23-26: 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Gate comment-triggered CLA runs to pull requests. issue_comment also fires on issues, so the recheck and signing-phrase branches can be reached from an issue comment unless they’re wrapped in github.event.issue.pull_request.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/cla.yml around lines 23 - 26, the CLA workflow trigger
condition currently allows issue_comment events to reach the recheck and
signing-phrase paths, which can run on issues instead of pull requests. Update
the if condition in the workflow logic to keep the existing pull_request_target
behavior, but wrap the comment-body checks for recheck and the CLA phrase with a
github.event.issue.pull_request guard so they only execute for pull requests.
Use the existing workflow condition block as the target location.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/cla.yml:
- Line 44: The CLA allowlist is too broad because `*[bot]` exempts every GitHub
App bot from enforcement. Update the `allowlist` entry in the CLA workflow to
enumerate only the specific trusted automation accounts you intend to bypass the
check, and remove the wildcard bot pattern so untrusted bots still require CLA
coverage.

---

Outside diff comments:
In @.github/workflows/cla.yml:
- Around line 23-26: The CLA workflow trigger condition currently allows
issue_comment events to reach the recheck and signing-phrase paths, which can
run on issues instead of pull requests. Update the if condition in the workflow
logic to keep the existing pull_request_target behavior, but wrap the
comment-body checks for recheck and the CLA phrase with a
github.event.issue.pull_request guard so they only execute for pull requests.
Use the existing workflow condition block as the target location.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 0063ebf1-e517-48f2-9106-a24f3b46041a

📥 Commits

Reviewing files that changed from the base of the PR and between c06a3f0 and 7c18d53.

📒 Files selected for processing (1)
  • .github/workflows/cla.yml
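The three findings raised in the reviews above (pin the action to a commit SHA, gate comment-triggered runs to pull requests, narrow the bot allowlist) applied together in one workflow, as an added example; this is not the PR's actual cla.yml, which is not shown on this page. The layout follows the documented usage of contributor-assistant/github-action; the signing phrase, signature path, CLA document URL, branch name, central storage repository and the bot accounts in the allowlist are assumed placeholders. The commit SHA is the one the review suggests and must be checked against the upstream v2.6.1 tag before use. The merge_group trigger mentioned in the walkthrough is omitted because the reviews do not discuss it.

```yaml
name: CLA Assistant

on:
  issue_comment:
    types: [created]
  pull_request_target:
    types: [opened, closed, synchronize]

# Least privilege: only the scopes the action needs to post status checks
# and pull-request comments.
permissions:
  actions: write
  contents: write
  pull-requests: write
  statuses: write

jobs:
  cla:
    runs-on: ubuntu-latest
    # Deliberately no checkout step: pull_request_target runs with a
    # write-scoped token in the base repository, so contributor code must
    # never be executed here.
    steps:
      # Weak condition (the shape the review describes): an issue_comment on a
      # plain issue whose body is exactly 'recheck' or the signing phrase also
      # reaches the action, because nothing checks that the comment belongs to
      # a pull request.
      #
      #   if: >-
      #     (github.event.comment.body == 'recheck' ||
      #      github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') ||
      #     github.event_name == 'pull_request_target'
      #
      # Corrected condition: the comment-body branches run only when the issue
      # carrying the comment is a pull request. github.event.issue.pull_request
      # is present in the payload only for pull-request issues.
      - name: CLA Assistant
        if: >-
          github.event_name == 'pull_request_target' ||
          (github.event_name == 'issue_comment' &&
           github.event.issue.pull_request &&
           (github.event.comment.body == 'recheck' ||
            github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA'))
        # Pinned to an immutable commit SHA rather than a force-pushable tag.
        # The SHA is the one the review suggests; verify it matches the
        # upstream v2.6.1 tag before relying on it.
        uses: contributor-assistant/github-action@ca4a40a7d1004f18d9960b404b97e5f30a505a08 # v2.6.1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Needed only because signatures are stored in a separate (central)
          # repository; a token scoped to that repository alone is enough.
          PERSONAL_ACCESS_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
        with:
          # Placeholders: replace with the organization's real CLA document and
          # signature storage repository.
          path-to-document: 'https://github.com/<org>/<cla-repo>/blob/main/CLA.md'
          path-to-signatures: 'signatures/version1/cla.json'
          branch: 'main'
          remote-organization-name: '<org>'
          remote-repository-name: '<cla-repo>'
          # Enumerated automation accounts only (illustrative names); no
          # '*[bot]' wildcard, so an unknown GitHub App still has to satisfy
          # the CLA check.
          allowlist: 'dependabot[bot],renovate[bot]'
```

Two points worth checking when adapting this: the `if` expression is written without `${{ }}` so the folded multi-line scalar is evaluated as a single expression, and the exact-match comparisons on `github.event.comment.body` mean a comment with trailing whitespace or extra text will not trigger a recheck, which is the intended conservative behaviour.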
