This repository hosts the Contributor License Agreements (CLAs) for all
open-source projects in the verivus-oss
organization.
CLA.mdis the Individual CLA (ICLA) that individual contributors accept.CCLA.mdis the Corporate CLA (CCLA) for organizations whose employees contribute on the organization's behalf.- Individual signatures are recorded automatically in the private
verivus-oss/cla-signaturesrepository (not public), keyed by GitHub username.
Most contributors only need the ICLA. The CCLA is for the case where an employer, rather than the individual, holds the IP rights to the work.
Every repo in the org runs the CLA Assistant Lite
GitHub Action (.github/workflows/cla.yml). When you open a pull request:
-
The bot checks whether every commit author in the PR has already signed.
-
If not, it posts a comment and sets a failing status check.
-
You sign by posting this exact comment on the PR:
I have read the CLA Document and I hereby sign the CLA
-
The bot records your signature and flips the check to passing.
You only sign once. The signature then applies to every verivus-oss repo.
A Corporate CLA is signed once by an authorized representative of the company, not through the PR bot:
- An authorized signer fills in and signs
CCLA.md, including Schedule A (the GitHub usernames of employees authorized to contribute). - Return the signed agreement to the Project Owner's designated contact (set this address before publicising the CCLA, e.g. [email protected]).
- A maintainer adds those usernames to the
allowlistin each repo'scla.yml(or they each also sign the ICLA), so their pull requests are accepted under the corporate agreement. - To change the covered employees later, send an updated Schedule A.
- Org members and bots are listed in the
allowlistinput of each repo'scla.ymland do not need to sign. - Signatures are stored in the private
verivus-oss/cla-signaturesrepo. No PAT is used: the "Verivus CLA Assistant" GitHub App mints a short-lived, repo-scoped token at runtime (actions/create-github-app-token) from the org-levelCLA_APP_IDvariable andCLA_APP_KEYsecret. - Both actions are pinned to commit SHAs. The CLA Assistant Lite action upstream
is archived (
ca4a40a7d1004f18d9960b404b97e5f30a505a08, v2.6.1), so review before bumping. - To revise an agreement, bump the version path (e.g.
signatures/version2/cla.json) so existing contributors re-sign the new text.