From c79f263f753d82c36ab903f53c19f2ad4f4510cf Mon Sep 17 00:00:00 2001 From: finalerock44 <77282157+finalerock44@users.noreply.github.com> Date: Wed, 24 Jun 2026 16:00:55 +0100 Subject: [PATCH 1/2] ci: power CLA via the shared automation GitHub App MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Mint the CLA token from the same GitHub App release-please uses, instead of a personal PAT (no expiry, signature commits show as the bot). Rename the App secrets RELEASE_PLEASE_APP_* -> BOT_APP_* since one App now serves both workflows. CLA self-skips until BOT_APP_ID is set. Carries only the app-token delta — the dependabot/fork CI fixes and actions grouping already landed on dev via #46. --- .github/workflows/cla.yml | 39 ++++++++++++++++++---------- .github/workflows/release-please.yml | 21 ++++++++------- 2 files changed, 36 insertions(+), 24 deletions(-) diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml index 215c76b..b8334e6 100644 --- a/.github/workflows/cla.yml +++ b/.github/workflows/cla.yml @@ -7,14 +7,20 @@ name: CLA Assistant # service holds the data). Contributors sign by commenting the configured phrase # on their PR; the action records it and flips the check green. # -# SETUP REQUIRED before this can work: -# 1. Create a token with repo write access and add it as the `PERSONAL_ACCESS_TOKEN` -# secret (a fine-grained PAT or the release GitHub App token both work). The -# default GITHUB_TOKEN is also passed, but a PAT is needed to commit the -# signature file back to the repo. -# 2. Create the `cla-signatures` branch (e.g. an empty orphan branch) so the -# action has somewhere to write `signatures/version1/cla.json`. +# AUTH: mints a token from the shared automation GitHub App (the same App +# release-please uses), so signature commits show as the bot and there's no +# personal token to expire. +# +# SETUP REQUIRED before this enforces anything: +# 1. Create/install the automation GitHub App (Contents R/W, Pull requests R/W, +# Issues R/W) and add BOT_APP_ID + BOT_APP_PRIVATE_KEY repo secrets — the +# same secrets release-please uses. +# 2. Create the `cla-signatures` branch (empty orphan) so the action has +# somewhere to write `signatures/version1/cla.json`. # 3. Finalise CLA.md (legal review) — it's the document contributors agree to. +# +# Until the App secrets exist the CLA step self-skips, so the check is green +# (not failing) on every PR and auto-activates once they're set. on: issue_comment: types: [created] @@ -30,20 +36,25 @@ permissions: jobs: cla: runs-on: ubuntu-latest - # Empty until the PERSONAL_ACCESS_TOKEN secret is configured (see SETUP above). - # While empty, the action step below is skipped so this check passes (green) - # instead of failing on every PR with "Branch cla-signatures not found". It - # auto-activates once the secret + cla-signatures branch exist. + # Empty until the automation App secrets are configured (see SETUP above). + # While empty, the steps below self-skip so this check passes (green) instead + # of failing on every PR with "Branch cla-signatures not found". env: - HAS_CLA_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN != '' }} + HAS_APP: ${{ secrets.BOT_APP_ID != '' }} # Only act on the signature comment or on PR events (not every comment). if: (github.event.issue.pull_request && contains(github.event.comment.body, 'I have read the CLA Document and I hereby sign the CLA')) || github.event_name == 'pull_request_target' steps: + - uses: actions/create-github-app-token@v2 + id: app-token + if: env.HAS_APP == 'true' + with: + app-id: ${{ secrets.BOT_APP_ID }} + private-key: ${{ secrets.BOT_APP_PRIVATE_KEY }} - uses: contributor-assistant/github-action@v2.6.1 - if: env.HAS_CLA_TOKEN == 'true' + if: env.HAS_APP == 'true' env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - PERSONAL_ACCESS_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }} + PERSONAL_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }} with: path-to-signatures: "signatures/version1/cla.json" path-to-document: "https://github.com/devicecloud-dev/dcd-cli/blob/dev/CLA.md" diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml index f28914a..0745137 100644 --- a/.github/workflows/release-please.yml +++ b/.github/workflows/release-please.yml @@ -22,13 +22,14 @@ jobs: release-please-prod: if: github.ref_name == 'production' runs-on: ubuntu-latest - # Empty until the release GitHub App secrets are configured. We use an App - # token (not GITHUB_TOKEN) so the Release PR triggers CI / PR-title / CLA + # Empty until the automation GitHub App secrets are configured (the same App + # powers the CLA workflow). We use an App token (not GITHUB_TOKEN) so the + # Release PR triggers CI / PR-title / CLA # checks — PRs opened by GITHUB_TOKEN do not, which would deadlock branch # protection. Falls back to GITHUB_TOKEN (today's behaviour) until the App # is set up, so this is safe to merge before then. env: - RELEASE_PLEASE_APP_ID: ${{ secrets.RELEASE_PLEASE_APP_ID }} + BOT_APP_ID: ${{ secrets.BOT_APP_ID }} outputs: release_created: ${{ steps.release.outputs.release_created }} tag_name: ${{ steps.release.outputs.tag_name }} @@ -36,10 +37,10 @@ jobs: steps: - uses: actions/create-github-app-token@v2 id: app-token - if: env.RELEASE_PLEASE_APP_ID != '' + if: env.BOT_APP_ID != '' with: - app-id: ${{ secrets.RELEASE_PLEASE_APP_ID }} - private-key: ${{ secrets.RELEASE_PLEASE_APP_PRIVATE_KEY }} + app-id: ${{ secrets.BOT_APP_ID }} + private-key: ${{ secrets.BOT_APP_PRIVATE_KEY }} - uses: googleapis/release-please-action@v4 id: release with: @@ -54,7 +55,7 @@ jobs: # See release-please-prod above for why this uses an App token with a # GITHUB_TOKEN fallback. env: - RELEASE_PLEASE_APP_ID: ${{ secrets.RELEASE_PLEASE_APP_ID }} + BOT_APP_ID: ${{ secrets.BOT_APP_ID }} outputs: release_created: ${{ steps.release.outputs.release_created }} tag_name: ${{ steps.release.outputs.tag_name }} @@ -62,10 +63,10 @@ jobs: steps: - uses: actions/create-github-app-token@v2 id: app-token - if: env.RELEASE_PLEASE_APP_ID != '' + if: env.BOT_APP_ID != '' with: - app-id: ${{ secrets.RELEASE_PLEASE_APP_ID }} - private-key: ${{ secrets.RELEASE_PLEASE_APP_PRIVATE_KEY }} + app-id: ${{ secrets.BOT_APP_ID }} + private-key: ${{ secrets.BOT_APP_PRIVATE_KEY }} - uses: googleapis/release-please-action@v4 id: release with: From d50fa2a3345cdbbf9ccbd37772b5ffea27ba0920 Mon Sep 17 00:00:00 2001 From: finalerock44 <77282157+finalerock44@users.noreply.github.com> Date: Wed, 24 Jun 2026 16:11:29 +0100 Subject: [PATCH 2/2] ci: allowlist internal maintainers (riglar, finalerock44) in CLA --- .github/workflows/cla.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml index b8334e6..395a4f1 100644 --- a/.github/workflows/cla.yml +++ b/.github/workflows/cla.yml @@ -59,8 +59,8 @@ jobs: path-to-signatures: "signatures/version1/cla.json" path-to-document: "https://github.com/devicecloud-dev/dcd-cli/blob/dev/CLA.md" branch: "cla-signatures" - # PR target branches the CLA applies to. - allowlist: dependabot[bot],renovate[bot],*[bot] + # Internal maintainers (covered by employment/CCLA) + bots skip the prompt. + allowlist: riglar,finalerock44,dependabot[bot],renovate[bot],*[bot] # Customise the bot's prompts if desired: custom-notsigned-prcomment: "Thanks for your contribution! Please sign our Contributor License Agreement before we can merge. Comment the line below to sign:" custom-pr-sign-comment: "I have read the CLA Document and I hereby sign the CLA"