Skip to content

verivus-oss/cla

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
 
 
 
 
 
 

Repository files navigation

verivus-oss Contributor License Agreements

This repository hosts the Contributor License Agreements (CLAs) for all open-source projects in the verivus-oss organization.

  • CLA.md is the Individual CLA (ICLA) that individual contributors accept.
  • CCLA.md is the Corporate CLA (CCLA) for organizations whose employees contribute on the organization's behalf.
  • Individual signatures are recorded automatically in the private verivus-oss/cla-signatures repository (not public), keyed by GitHub username.

Most contributors only need the ICLA. The CCLA is for the case where an employer, rather than the individual, holds the IP rights to the work.

How individual signing works

Every repo in the org runs the CLA Assistant Lite GitHub Action (.github/workflows/cla.yml). When you open a pull request:

  1. The bot checks whether every commit author in the PR has already signed.

  2. If not, it posts a comment and sets a failing status check.

  3. You sign by posting this exact comment on the PR:

    I have read the CLA Document and I hereby sign the CLA

  4. The bot records your signature and flips the check to passing.

You only sign once. The signature then applies to every verivus-oss repo.

How corporate signing works

A Corporate CLA is signed once by an authorized representative of the company, not through the PR bot:

  1. An authorized signer fills in and signs CCLA.md, including Schedule A (the GitHub usernames of employees authorized to contribute).
  2. Return the signed agreement to the Project Owner's designated contact (set this address before publicising the CCLA, e.g. [email protected]).
  3. A maintainer adds those usernames to the allowlist in each repo's cla.yml (or they each also sign the ICLA), so their pull requests are accepted under the corporate agreement.
  4. To change the covered employees later, send an updated Schedule A.

For maintainers

  • Org members and bots are listed in the allowlist input of each repo's cla.yml and do not need to sign.
  • Signatures are stored in the private verivus-oss/cla-signatures repo. No PAT is used: the "Verivus CLA Assistant" GitHub App mints a short-lived, repo-scoped token at runtime (actions/create-github-app-token) from the org-level CLA_APP_ID variable and CLA_APP_KEY secret.
  • Both actions are pinned to commit SHAs. The CLA Assistant Lite action upstream is archived (ca4a40a7d1004f18d9960b404b97e5f30a505a08, v2.6.1), so review before bumping.
  • To revise an agreement, bump the version path (e.g. signatures/version2/cla.json) so existing contributors re-sign the new text.

About

Contributor License Agreement for all verivus-oss projects

Resources

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors