ci: add CLA Assistant workflow#14582
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/cla.yml:
- Line 26: The `contributor-assistant/github-action` action in the cla.yml workflow is pinned to version tag `v2.6.1` instead of a commit SHA, which is a security risk since tags can be force-pushed. Additionally, this repository is archived and no longer receives security updates. Replace the current uses statement `contributor-assistant/github-action@v2.6.1` with the pinned commit SHA `contributor-assistant/github-action@ca4a40a7d1004f18d9960b404b97e5f30a505a08` to mitigate the risk. Consider evaluating whether to migrate to an actively maintained alternative like `cla-assistant/github-action`.
Updated CLA workflow to modify permissions and action version.
Actionable comments posted: 1
Caution: Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
.github/workflows/cla.yml (1)
23-26: 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win: Gate comment-triggered CLA runs to pull requests.
`issue_comment` also fires on issues, so the `recheck` and signing-phrase branches can be reached from an issue comment unless they’re wrapped in `github.event.issue.pull_request`.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/cla.yml around lines 23 - 26, the CLA workflow trigger condition currently allows issue_comment events to reach the recheck and signing-phrase paths, which can run on issues instead of pull requests. Update the if condition in the workflow logic to keep the existing pull_request_target behavior, but wrap the comment-body checks for recheck and the CLA phrase with a github.event.issue.pull_request guard so they only execute for pull requests. Use the existing workflow condition block as the target location.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/cla.yml:
- Line 44: The CLA allowlist is too broad because `*[bot]` exempts every GitHub App bot from enforcement. Update the `allowlist` entry in the CLA workflow to enumerate only the specific trusted automation accounts you intend to bypass the check, and remove the wildcard bot pattern so untrusted bots still require CLA coverage.
---
Outside diff comments:
In @.github/workflows/cla.yml:
- Around line 23-26: The CLA workflow trigger condition currently allows issue_comment events to reach the recheck and signing-phrase paths, which can run on issues instead of pull requests. Update the if condition in the workflow logic to keep the existing pull_request_target behavior, but wrap the comment-body checks for recheck and the CLA phrase with a github.event.issue.pull_request guard so they only execute for pull requests. Use the existing workflow condition block as the target location.
Adds the CLA Assistant GitHub Actions workflow at
.github/workflows/cla.yml, copied from https://github.com/Comfy-Org/comfy-cla/blob/main/.github/workflows/cla.yml