Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
43 changes: 27 additions & 16 deletions .github/workflows/cla.yml
Original file line number Diff line number Diff line change
Expand Up @@ -7,14 +7,20 @@ name: CLA Assistant
# service holds the data). Contributors sign by commenting the configured phrase
# on their PR; the action records it and flips the check green.
#
# SETUP REQUIRED before this can work:
# 1. Create a token with repo write access and add it as the `PERSONAL_ACCESS_TOKEN`
# secret (a fine-grained PAT or the release GitHub App token both work). The
# default GITHUB_TOKEN is also passed, but a PAT is needed to commit the
# signature file back to the repo.
# 2. Create the `cla-signatures` branch (e.g. an empty orphan branch) so the
# action has somewhere to write `signatures/version1/cla.json`.
# AUTH: mints a token from the shared automation GitHub App (the same App
# release-please uses), so signature commits show as the bot and there's no
# personal token to expire.
#
# SETUP REQUIRED before this enforces anything:
# 1. Create/install the automation GitHub App (Contents R/W, Pull requests R/W,
# Issues R/W) and add BOT_APP_ID + BOT_APP_PRIVATE_KEY repo secrets — the
# same secrets release-please uses.
# 2. Create the `cla-signatures` branch (empty orphan) so the action has
# somewhere to write `signatures/version1/cla.json`.
# 3. Finalise CLA.md (legal review) — it's the document contributors agree to.
#
# Until the App secrets exist the CLA step self-skips, so the check is green
# (not failing) on every PR and auto-activates once they're set.
on:
issue_comment:
types: [created]
Expand All @@ -30,26 +36,31 @@ permissions:
jobs:
cla:
runs-on: ubuntu-latest
# Empty until the PERSONAL_ACCESS_TOKEN secret is configured (see SETUP above).
# While empty, the action step below is skipped so this check passes (green)
# instead of failing on every PR with "Branch cla-signatures not found". It
# auto-activates once the secret + cla-signatures branch exist.
# Empty until the automation App secrets are configured (see SETUP above).
# While empty, the steps below self-skip so this check passes (green) instead
# of failing on every PR with "Branch cla-signatures not found".
env:
HAS_CLA_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN != '' }}
HAS_APP: ${{ secrets.BOT_APP_ID != '' }}
# Only act on the signature comment or on PR events (not every comment).
if: (github.event.issue.pull_request && contains(github.event.comment.body, 'I have read the CLA Document and I hereby sign the CLA')) || github.event_name == 'pull_request_target'
steps:
- uses: actions/create-github-app-token@v2
id: app-token
if: env.HAS_APP == 'true'
with:
app-id: ${{ secrets.BOT_APP_ID }}
private-key: ${{ secrets.BOT_APP_PRIVATE_KEY }}
- uses: contributor-assistant/github-action@v2.6.1
if: env.HAS_CLA_TOKEN == 'true'
if: env.HAS_APP == 'true'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
PERSONAL_ACCESS_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
PERSONAL_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }}
with:
path-to-signatures: "signatures/version1/cla.json"
path-to-document: "https://github.com/devicecloud-dev/dcd-cli/blob/dev/CLA.md"
branch: "cla-signatures"
# PR target branches the CLA applies to.
allowlist: dependabot[bot],renovate[bot],*[bot]
# Internal maintainers (covered by employment/CCLA) + bots skip the prompt.
allowlist: riglar,finalerock44,dependabot[bot],renovate[bot],*[bot]
# Customise the bot's prompts if desired:
custom-notsigned-prcomment: "Thanks for your contribution! Please sign our Contributor License Agreement before we can merge. Comment the line below to sign:"
custom-pr-sign-comment: "I have read the CLA Document and I hereby sign the CLA"
Expand Down
21 changes: 11 additions & 10 deletions .github/workflows/release-please.yml
Original file line number Diff line number Diff line change
Expand Up @@ -22,24 +22,25 @@ jobs:
release-please-prod:
if: github.ref_name == 'production'
runs-on: ubuntu-latest
# Empty until the release GitHub App secrets are configured. We use an App
# token (not GITHUB_TOKEN) so the Release PR triggers CI / PR-title / CLA
# Empty until the automation GitHub App secrets are configured (the same App
# powers the CLA workflow). We use an App token (not GITHUB_TOKEN) so the
# Release PR triggers CI / PR-title / CLA
# checks — PRs opened by GITHUB_TOKEN do not, which would deadlock branch
# protection. Falls back to GITHUB_TOKEN (today's behaviour) until the App
# is set up, so this is safe to merge before then.
env:
RELEASE_PLEASE_APP_ID: ${{ secrets.RELEASE_PLEASE_APP_ID }}
BOT_APP_ID: ${{ secrets.BOT_APP_ID }}
outputs:
release_created: ${{ steps.release.outputs.release_created }}
tag_name: ${{ steps.release.outputs.tag_name }}
version: ${{ steps.release.outputs.version }}
steps:
- uses: actions/create-github-app-token@v2
id: app-token
if: env.RELEASE_PLEASE_APP_ID != ''
if: env.BOT_APP_ID != ''
with:
app-id: ${{ secrets.RELEASE_PLEASE_APP_ID }}
private-key: ${{ secrets.RELEASE_PLEASE_APP_PRIVATE_KEY }}
app-id: ${{ secrets.BOT_APP_ID }}
private-key: ${{ secrets.BOT_APP_PRIVATE_KEY }}
- uses: googleapis/release-please-action@v4
id: release
with:
Expand All @@ -54,18 +55,18 @@ jobs:
# See release-please-prod above for why this uses an App token with a
# GITHUB_TOKEN fallback.
env:
RELEASE_PLEASE_APP_ID: ${{ secrets.RELEASE_PLEASE_APP_ID }}
BOT_APP_ID: ${{ secrets.BOT_APP_ID }}
outputs:
release_created: ${{ steps.release.outputs.release_created }}
tag_name: ${{ steps.release.outputs.tag_name }}
version: ${{ steps.release.outputs.version }}
steps:
- uses: actions/create-github-app-token@v2
id: app-token
if: env.RELEASE_PLEASE_APP_ID != ''
if: env.BOT_APP_ID != ''
with:
app-id: ${{ secrets.RELEASE_PLEASE_APP_ID }}
private-key: ${{ secrets.RELEASE_PLEASE_APP_PRIVATE_KEY }}
app-id: ${{ secrets.BOT_APP_ID }}
private-key: ${{ secrets.BOT_APP_PRIVATE_KEY }}
- uses: googleapis/release-please-action@v4
id: release
with:
Expand Down
Loading