From e4e27fa872a1b076f68e97f6270e0b4373472a08 Mon Sep 17 00:00:00 2001 From: tirumerla Date: Thu, 16 Jul 2026 12:25:31 -0700 Subject: [PATCH 1/2] chore: Add cla assistant workflow --- .github/workflows/cla.yml | 68 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 .github/workflows/cla.yml diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml new file mode 100644 index 00000000..31d5f7eb --- /dev/null +++ b/.github/workflows/cla.yml @@ -0,0 +1,68 @@ +--- +name: CLA Assistant +on: + issue_comment: + types: + - created + pull_request_target: + types: + - opened + - closed + - synchronize + - labeled +permissions: + actions: write + contents: write + pull-requests: write + statuses: write + checks: write + issues: write +jobs: + CLAAssistant: + runs-on: ubuntu-latest + steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Checkout Private Repo for Allowlist + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + repository: OpenZeppelin/cla-sigs + token: ${{ secrets.CLA_SIGS_ACCESS_PAT }} + sparse-checkout: | + allowlist.txt + sparse-checkout-cone-mode: false + - name: Read Allowlist File + id: read_allowlist + run: | + ALLOWLIST=$(cat allowlist.txt) + echo "allowlist=$ALLOWLIST" >> $GITHUB_OUTPUT + - name: Check if user is in allowlist + id: check_allowlist + run: | + PR_USER=${{ github.event.pull_request.user.login }} + if [[ "${{ steps.read_allowlist.outputs.allowlist }}" == *"$PR_USER"* ]]; then + echo "is_allowed=true" >> $GITHUB_OUTPUT + else + echo "is_allowed=false" >> $GITHUB_OUTPUT + fi + - name: CLA Assistant + continue-on-error: true + id: cla_assistant + if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I confirm that I have read and hereby agree to the OpenZeppelin Contributor License Agreement') || github.event_name == 'pull_request_target' + uses: contributor-assistant/github-action@ca4a40a7d1004f18d9960b404b97e5f30a505a08 # v2.6.1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + PERSONAL_ACCESS_TOKEN: ${{ secrets.CLA_SIGS_ACCESS_PAT }} + with: + path-to-signatures: signatures/${{ github.event.repository.name }}/v1_cla.json + path-to-document: https://github.com/OpenZeppelin/cla-assistant/blob/main/openzeppelin_2025_cla.md + branch: main + allowlist: ${{ steps.read_allowlist.outputs.allowlist }} + remote-organization-name: OpenZeppelin + remote-repository-name: cla-sigs + custom-notsigned-prcomment: > + Thank you for your contribution to the OpenZeppelin Docs. Before being able to integrate those changes, we would like you to sign our [Contributor License Agreement](https://github.com/OpenZeppelin/cla-assistant/blob/main/openzeppelin_2025_cla.md). + You can sign the CLA by just posting a Pull Request Comment with the sentence below. Thanks. + custom-pr-sign-comment: I confirm that I have read and hereby agree to the OpenZeppelin Contributor License Agreement From f43623598f1ea2dbbe2e839939f33a85fac37344 Mon Sep 17 00:00:00 2001 From: tirumerla Date: Thu, 16 Jul 2026 12:52:52 -0700 Subject: [PATCH 2/2] fix: Templatize repo name with case modification --- .github/workflows/cla.yml | 31 +++++++++++-------------------- 1 file changed, 11 insertions(+), 20 deletions(-) diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml index 31d5f7eb..d866c136 100644 --- a/.github/workflows/cla.yml +++ b/.github/workflows/cla.yml @@ -9,17 +9,14 @@ on: - opened - closed - synchronize - - labeled -permissions: - actions: write - contents: write - pull-requests: write - statuses: write - checks: write - issues: write jobs: CLAAssistant: runs-on: ubuntu-latest + permissions: + actions: write + contents: write + pull-requests: write + statuses: write steps: - name: Harden the runner (Audit all outbound calls) uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 @@ -38,18 +35,12 @@ jobs: run: | ALLOWLIST=$(cat allowlist.txt) echo "allowlist=$ALLOWLIST" >> $GITHUB_OUTPUT - - name: Check if user is in allowlist - id: check_allowlist - run: | - PR_USER=${{ github.event.pull_request.user.login }} - if [[ "${{ steps.read_allowlist.outputs.allowlist }}" == *"$PR_USER"* ]]; then - echo "is_allowed=true" >> $GITHUB_OUTPUT - else - echo "is_allowed=false" >> $GITHUB_OUTPUT - fi + - name: Capitalize repository name + id: repo_name + env: + REPO_NAME: ${{ github.event.repository.name }} + run: echo "name=${REPO_NAME^}" >> "$GITHUB_OUTPUT" - name: CLA Assistant - continue-on-error: true - id: cla_assistant if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I confirm that I have read and hereby agree to the OpenZeppelin Contributor License Agreement') || github.event_name == 'pull_request_target' uses: contributor-assistant/github-action@ca4a40a7d1004f18d9960b404b97e5f30a505a08 # v2.6.1 env: @@ -63,6 +54,6 @@ jobs: remote-organization-name: OpenZeppelin remote-repository-name: cla-sigs custom-notsigned-prcomment: > - Thank you for your contribution to the OpenZeppelin Docs. Before being able to integrate those changes, we would like you to sign our [Contributor License Agreement](https://github.com/OpenZeppelin/cla-assistant/blob/main/openzeppelin_2025_cla.md). + Thank you for your contribution to OpenZeppelin ${{ steps.repo_name.outputs.name }}. Before being able to integrate those changes, we would like you to sign our [Contributor License Agreement](https://github.com/OpenZeppelin/cla-assistant/blob/main/openzeppelin_2025_cla.md). You can sign the CLA by just posting a Pull Request Comment with the sentence below. Thanks. custom-pr-sign-comment: I confirm that I have read and hereby agree to the OpenZeppelin Contributor License Agreement