From e97b880a9b16c45c3c874e2cea3d0228b0d9625d Mon Sep 17 00:00:00 2001
From: aconite33
Date: Mon, 30 Mar 2026 14:17:00 -0600
Subject: [PATCH 01/10] ci: add CLA workflow
---
 .github/workflows/cla.yml | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 .github/workflows/cla.yml
diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml
new file mode 100644
index 0000000000..05a05942f7
--- /dev/null
+++ b/.github/workflows/cla.yml
@@ -0,0 +1,39 @@
+name: "CLA Assistant"
+on:
+ issue_comment:
+ types: [created]
+ pull_request_target:
+ types: [opened, closed, synchronize]
+
+permissions:
+ actions: write
+ contents: write
+ pull-requests: write
+ statuses: write
+
+jobs:
+ CLAAssistant:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Generate token from GitHub App
+ id: app-token
+ uses: actions/create-github-app-token@v1
+ with:
+ app-id: ${{ secrets.APP_ID }}
+ private-key: ${{ secrets.APP_PRIVATE_KEY }}
+ owner: blacklanternsecurity
+ repositories: CLA
+
+ - name: "CLA Assistant"
+ if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
+ uses: contributor-assistant/github-action@v2.6.1
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ PERSONAL_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }}
+ with:
+ path-to-signatures: "signatures/version1/cla.json"
+ path-to-document: "https://github.com/blacklanternsecurity/CLA/blob/main/ICLA.md"
+ branch: "main"
+ allowlist: "dependabot[bot],github-actions[bot],renovate[bot]"
+ remote-organization-name: "blacklanternsecurity"
+ remote-repository-name: "CLA"
From dcdd46def6b6f945299b3a8b336127256e0fe87e Mon Sep 17 00:00:00 2001
From: aconite33
Date: Mon, 30 Mar 2026 16:39:04 -0600
Subject: [PATCH 02/10] ci: add org members to CLA allowlist
---
 .github/workflows/cla.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
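Review bot: The `permissions` block grants `actions: write` and `contents: write` to a job that `pull_request_target` runs for fork PRs, yet no step in the hunk uses either scope — signatures go to the remote `CLA` repository through the App token, so `GITHUB_TOKEN` only needs `pull-requests: write` and `statuses: write` here. Drop the two write scopes unless contributor-assistant is documented to require them. Both actions are referenced by mutable tags (`actions/create-github-app-token@v1`, `contributor-assistant/github-action@v2.6.1`) while a privileged token is in scope; pin each to a full commit SHA, e.g. `uses: contributor-assistant/github-action@<commit-sha>  # v2.6.1`.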
diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml
index 05a05942f7..825a076ec4 100644
--- a/.github/workflows/cla.yml
+++ b/.github/workflows/cla.yml
@@ -34,6 +34,6 @@ jobs:
 path-to-signatures: "signatures/version1/cla.json"
 path-to-document: "https://github.com/blacklanternsecurity/CLA/blob/main/ICLA.md"
 branch: "main"
- allowlist: "dependabot[bot],github-actions[bot],renovate[bot]"
+ allowlist: "dependabot[bot],github-actions[bot],renovate[bot],aconite33,adeemm,ausmaster,bbot-deploy,blsaccess,blscode,en0f,GabKodes,holsick,jackpas23,kerrymilan,kevinoriley,liquidsec,lunarcowboy,MarcusAmes,Mercury0,MrBlackout20,Nasaltron,oversiemulated,pentestpop,pjhartlieb,RReski,shart123456,SpamFaux,stryker2k2,Sw3d1shPh1sh,TheFunky1Markimark,theo2612,TheTechromancer,TMDeal"
 remote-organization-name: "blacklanternsecurity"
 remote-repository-name: "CLA"
From 6d84a4a4a9b8a34a05568fd54e9f770ce9e85fc7 Mon Sep 17 00:00:00 2001
From: aconite33
Date: Mon, 30 Mar 2026 16:46:14 -0600
Subject: [PATCH 03/10] ci: use dynamic org membership check for CLA
---
 .github/workflows/cla.yml | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml
index 825a076ec4..462636af87 100644
--- a/.github/workflows/cla.yml
+++ b/.github/workflows/cla.yml
@@ -24,8 +24,23 @@ jobs:
 owner: blacklanternsecurity
 repositories: CLA
+ - name: Check org membership
+ id: membership
+ if: github.event_name == 'pull_request_target'
+ env:
+ GH_TOKEN: ${{ steps.app-token.outputs.token }}
+ run: |
+ AUTHOR="${{ github.event.pull_request.user.login }}"
+ if gh api "orgs/blacklanternsecurity/members/$AUTHOR" > /dev/null 2>&1; then
+ echo "is_member=true" >> "$GITHUB_OUTPUT"
+ else
+ echo "is_member=false" >> "$GITHUB_OUTPUT"
+ fi
+
 - name: "CLA Assistant"
- if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
+ if: |
+ (steps.membership.outputs.is_member != 'true') &&
+ ((github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target')
 uses: contributor-assistant/github-action@v2.6.1
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -34,6 +49,6 @@ jobs:
 path-to-signatures: "signatures/version1/cla.json"
 path-to-document: "https://github.com/blacklanternsecurity/CLA/blob/main/ICLA.md"
 branch: "main"
- allowlist: "dependabot[bot],github-actions[bot],renovate[bot],aconite33,adeemm,ausmaster,bbot-deploy,blsaccess,blscode,en0f,GabKodes,holsick,jackpas23,kerrymilan,kevinoriley,liquidsec,lunarcowboy,MarcusAmes,Mercury0,MrBlackout20,Nasaltron,oversiemulated,pentestpop,pjhartlieb,RReski,shart123456,SpamFaux,stryker2k2,Sw3d1shPh1sh,TheFunky1Markimark,theo2612,TheTechromancer,TMDeal"
+ allowlist: "dependabot[bot],github-actions[bot],renovate[bot]"
 remote-organization-name: "blacklanternsecurity"
 remote-repository-name: "CLA"
From 646b6eb7d3ab1a20a38131af40151b206c833fb0 Mon Sep 17 00:00:00 2001
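Review bot: `AUTHOR="${{ github.event.pull_request.user.login }}"` in the `Check org membership` step interpolates event data straight into the shell script of a `pull_request_target` job; GitHub logins are limited to letters, digits and hyphens, so this value is harmless today, but the conventional defence is to set `AUTHOR: ${{ github.event.pull_request.user.login }}` under the step's `env:` and have the script read `"$AUTHOR"`, so the pattern is not copied later for less constrained payload fields. The `> /dev/null 2>&1` on the `gh api` call also makes an authorisation failure (a token without organisation read access) look exactly like a non-member; the outcome is fail-closed, which is correct, but keeping stderr or echoing the exit status in the log would make token-scope problems diagnosable instead of silent.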
From: aconite33
Date: Mon, 30 Mar 2026 20:53:59 -0600
Subject: [PATCH 04/10] fix: use GITHUB_TOKEN for org membership check in CLA workflow
---
 .github/workflows/cla.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml
index 462636af87..82b7fd871d 100644
--- a/.github/workflows/cla.yml
+++ b/.github/workflows/cla.yml
@@ -28,7 +28,7 @@ jobs:
 id: membership
 if: github.event_name == 'pull_request_target'
 env:
- GH_TOKEN: ${{ steps.app-token.outputs.token }}
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: |
 AUTHOR="${{ github.event.pull_request.user.login }}"
 if gh api "orgs/blacklanternsecurity/members/$AUTHOR" > /dev/null 2>&1; then
From ee514b68683276195270934af05799a0c8fcb840 Mon Sep 17 00:00:00 2001
From: aconite33
Date: Mon, 30 Mar 2026 20:55:17 -0600
Subject: [PATCH 05/10] fix: handle org membership check for both PR and comment events
---
 .github/workflows/cla.yml | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml
index 82b7fd871d..a18aa92a2c 100644
--- a/.github/workflows/cla.yml
+++ b/.github/workflows/cla.yml
@@ -26,12 +26,17 @@ jobs:
 - name: Check org membership
 id: membership
- if: github.event_name == 'pull_request_target'
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: |
- AUTHOR="${{ github.event.pull_request.user.login }}"
- if gh api "orgs/blacklanternsecurity/members/$AUTHOR" > /dev/null 2>&1; then
+ if [ "${{ github.event_name }}" = "pull_request_target" ]; then
+ AUTHOR="${{ github.event.pull_request.user.login }}"
+ else
+ # For issue_comment events, look up the PR author
+ PR_NUM="${{ github.event.issue.number }}"
+ AUTHOR=$(gh api "repos/${{ github.repository }}/pulls/$PR_NUM" --jq '.user.login' 2>/dev/null)
+ fi
+ if [ -n "$AUTHOR" ] && gh api "orgs/blacklanternsecurity/members/$AUTHOR" > /dev/null 2>&1; then
 echo "is_member=true" >> "$GITHUB_OUTPUT"
 else
 echo "is_member=false" >> "$GITHUB_OUTPUT"
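Review bot: `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` is the repository-scoped workflow token, which as far as I know cannot answer `orgs/blacklanternsecurity/members/...`; the `gh api` call on the following lines would then fail for every author and, with stderr discarded, the step silently reports `is_member=false` for everyone, so the membership gate never fires. Patch 08 in this series moves back to the App token, which is the right fix; until then the condition is fail-closed but not functional, and the same silent-failure shape is carried as context into the patch 05 hunk below. The enclosing `run:` block continues outside the hunk.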
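Review bot: The `else` branch of the membership script treats every `issue_comment` as a comment on a pull request, but the trigger also fires for comments on plain issues, where `repos/.../pulls/$PR_NUM` returns 404, `AUTHOR` stays empty and the step still spends an API round trip per comment. Gating the step with `if: github.event_name == 'pull_request_target' || github.event.issue.pull_request` skips the lookup for non-PR issues and leaves `is_member` unset, which the existing `!= 'true'` test on the CLA step already treats as "not a member". The `[ -n "$AUTHOR" ]` guard correctly keeps the empty case fail-closed.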
From 10997072d654dcc0cade7f49f4071d8e8b0bf55e Mon Sep 17 00:00:00 2001
From: aconite33
Date: Mon, 30 Mar 2026 20:58:36 -0600
Subject: [PATCH 06/10] fix: set commit status to success when skipping CLA for org members
---
 .github/workflows/cla.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml
index a18aa92a2c..c646fb6c2c 100644
--- a/.github/workflows/cla.yml
+++ b/.github/workflows/cla.yml
@@ -42,6 +42,16 @@ jobs:
 echo "is_member=false" >> "$GITHUB_OUTPUT"
 fi
+ - name: Skip CLA for org members
+ if: steps.membership.outputs.is_member == 'true' && github.event_name == 'pull_request_target'
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ gh api --method POST "repos/${{ github.repository }}/statuses/${{ github.event.pull_request.head.sha }}" \
+ -f state=success \
+ -f context="CLAAssistant" \
+ -f description="CLA check skipped — author is an org member"
+
 - name: "CLA Assistant"
 if: |
 (steps.membership.outputs.is_member != 'true') &&
From 5318a7a0f3151c703e94bef35f0765b1f1635455 Mon Sep 17 00:00:00 2001
From: aconite33
Date: Mon, 30 Mar 2026 21:08:23 -0600
Subject: [PATCH 07/10] fix: use author_association for CLA membership check
---
 .github/workflows/cla.yml | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml
index c646fb6c2c..ddb32fac13 100644
--- a/.github/workflows/cla.yml
+++ b/.github/workflows/cla.yml
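Review bot: The status posted by `Skip CLA for org members` uses `-f context="CLAAssistant"`, and that string has to equal the status context contributor-assistant itself reports, otherwise a branch protection rule that requires the CLA check stays pending on member PRs and the skip achieves nothing; the action's context name is not visible in this diff, so confirm it before relying on the step. The step also runs for `closed` events (see the trigger's `types`), posting a success status on an already closed or merged PR, which is harmless but noisy; `&& github.event.action != 'closed'` in the `if:` avoids it. A comment above the step, `# Status context must match the one contributor-assistant sets, or the required check stays pending`, would keep that coupling visible to the next editor.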
@@ -26,17 +26,13 @@ jobs:
 - name: Check org membership
 id: membership
- env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: |
 if [ "${{ github.event_name }}" = "pull_request_target" ]; then
- AUTHOR="${{ github.event.pull_request.user.login }}"
+ ASSOC="${{ github.event.pull_request.author_association }}"
 else
- # For issue_comment events, look up the PR author
- PR_NUM="${{ github.event.issue.number }}"
- AUTHOR=$(gh api "repos/${{ github.repository }}/pulls/$PR_NUM" --jq '.user.login' 2>/dev/null)
+ ASSOC="${{ github.event.issue.author_association }}"
 fi
- if [ -n "$AUTHOR" ] && gh api "orgs/blacklanternsecurity/members/$AUTHOR" > /dev/null 2>&1; then
+ if [ "$ASSOC" = "MEMBER" ] || [ "$ASSOC" = "OWNER" ] || [ "$ASSOC" = "COLLABORATOR" ]; then
 echo "is_member=true" >> "$GITHUB_OUTPUT"
 else
 echo "is_member=false" >> "$GITHUB_OUTPUT"
From 5ee7b34c0811bc04ed33a4029079ca5dab6921fe Mon Sep 17 00:00:00 2001
From: aconite33
Date: Mon, 30 Mar 2026 21:13:03 -0600
Subject: [PATCH 08/10] fix: use org-scoped app token for membership check
---
 .github/workflows/cla.yml | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml
index ddb32fac13..8300a05507 100644
--- a/.github/workflows/cla.yml
+++ b/.github/workflows/cla.yml
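Review bot: `[ "$ASSOC" = "COLLABORATOR" ]` widens the bypass beyond organisation members: GitHub reports `COLLABORATOR` for outside collaborators who were granted repository access without being org members, and those contributors have not necessarily signed the CLA. If the rule is org membership, test only the two member values, `if [ "$ASSOC" = "MEMBER" ] || [ "$ASSOC" = "OWNER" ]; then`. This diff does not show whether `author_association` reads `MEMBER` for members whose org membership is private; verify that against a private-member PR before trusting it as the gate.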
@@ -22,17 +22,19 @@ jobs:
 app-id: ${{ secrets.APP_ID }}
 private-key: ${{ secrets.APP_PRIVATE_KEY }}
 owner: blacklanternsecurity
- repositories: CLA
 - name: Check org membership
 id: membership
+ env:
+ GH_TOKEN: ${{ steps.app-token.outputs.token }}
 run: |
 if [ "${{ github.event_name }}" = "pull_request_target" ]; then
- ASSOC="${{ github.event.pull_request.author_association }}"
+ AUTHOR="${{ github.event.pull_request.user.login }}"
 else
- ASSOC="${{ github.event.issue.author_association }}"
+ PR_NUM="${{ github.event.issue.number }}"
+ AUTHOR=$(gh api "repos/${{ github.repository }}/pulls/$PR_NUM" --jq '.user.login' 2>/dev/null)
 fi
- if [ "$ASSOC" = "MEMBER" ] || [ "$ASSOC" = "OWNER" ] || [ "$ASSOC" = "COLLABORATOR" ]; then
+ if [ -n "$AUTHOR" ] && gh api "orgs/blacklanternsecurity/members/$AUTHOR" > /dev/null 2>&1; then
 echo "is_member=true" >> "$GITHUB_OUTPUT"
 else
 echo "is_member=false" >> "$GITHUB_OUTPUT"
From 076b175e76e0b729cd6cc6e4ce9b9ed283bda147 Mon Sep 17 00:00:00 2001
From: aconite33
Date: Mon, 30 Mar 2026 21:14:54 -0600
Subject: [PATCH 09/10] fix: use org-scoped app token for reliable CLA membership check
From 593fe0400df3fca9473992f35be507dc38867ee5 Mon Sep 17 00:00:00 2001
From: aconite33
Date: Tue, 31 Mar 2026 08:29:27 -0600
Subject: [PATCH 10/10] fix: disable lock-pullrequest-aftermerge in CLA workflow
---
 .github/workflows/cla.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml
index 8300a05507..bb9c379173 100644
--- a/.github/workflows/cla.yml
+++ b/.github/workflows/cla.yml
@@ -65,3 +65,4 @@ jobs:
 allowlist: "dependabot[bot],github-actions[bot],renovate[bot]"
 remote-organization-name: "blacklanternsecurity"
 remote-repository-name: "CLA"
+ lock-pullrequest-aftermerge: "false"
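Review bot: Removing `repositories: CLA` from the `create-github-app-token` step widens the minted token from one repository to every repository the App installation covers, and that same token is still handed to contributor-assistant as `PERSONAL_ACCESS_TOKEN` in a job that `pull_request_target` runs for fork PRs. If the App's organisation `members: read` permission is honoured with the repository restriction in place, restore `repositories: CLA`; otherwise mint a separate token for the membership step and keep the one given to the CLA action limited to `CLA` (recent versions of `create-github-app-token` accept `permission-*` inputs to narrow a token further — confirm the pinned version has them). As in patch 03, the login is interpolated into the script with `${{ }}`; passing it via `env:` and reading `"$AUTHOR"` is the conventional form. The `Generate token from GitHub App` step starts above the hunk.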