Skip to content

Fix CLA check failing for org member commits on external PRs#3167

Closed
aconite33 wants to merge 1 commit into
blacklanternsecurity:devfrom
aconite33:fix/cla-org-member-allowlist
Closed

Fix CLA check failing for org member commits on external PRs#3167
aconite33 wants to merge 1 commit into
blacklanternsecurity:devfrom
aconite33:fix/cla-org-member-allowlist

Conversation

@aconite33

Copy link
Copy Markdown
Contributor

Summary

  • Fixes the CLA workflow falsely flagging org members (e.g. liquidsec) as unsigned when they commit to a PR opened by an external contributor
  • The pre-check step already identifies org members as exempt, but previously didn't pass that information to the CLA Assistant action — which re-evaluated all committers against a hardcoded bot-only allowlist
  • Collects exempt logins (org members + bots) during the pre-check loop and appends them to the CLA Assistant's allowlist parameter
  • Changes break to continue so all committers are checked instead of stopping at the first non-exempt one

Context

Observed on PR #3144liquidsec merged dev into the branch, adding his commits. The CLA bot then flagged him as unsigned despite being a BLS org member, because the CLA Assistant step's allowlist only contained dependabot[bot],github-actions[bot],renovate[bot].

Note: The same bug exists in other BLS repos that copied this workflow (e.g. baddns, blockbuster). The master template in blacklanternsecurity/.github uses a simpler author-only check that avoids this, but doesn't cover all committers. Those repos may want the same fix.

Test plan

  • Retrigger CLA check on PR Extract IPs and CIDRs from SPF TXT records #3144liquidsec should now be allowlisted and only thunderstornX should be evaluated for CLA signature
  • Verify a PR with only org-member commits still skips CLA entirely (existing behavior, unchanged)
  • Verify a PR from a new external contributor still requires CLA signature

The pre-check step correctly identifies org members and bots as exempt,
but when the CLA Assistant step runs (because at least one external
committer exists), it re-evaluates all committers against a hardcoded
allowlist that only includes bot accounts. This causes org members like
liquidsec to be flagged as unsigned when they merge or commit to a PR
from an external contributor.

Fix by collecting exempt logins during the pre-check loop and appending
them to the CLA Assistant's dynamic allowlist. Also changes break to
continue so all committers are checked instead of stopping at the first
non-exempt one.
@aconite33

Copy link
Copy Markdown
Contributor Author

Superseded — centralizing the CLA workflow as a reusable workflow in blacklanternsecurity/.github instead (PR blacklanternsecurity/.github#1). Will open a new PR against bbot with a thin caller.

@aconite33 aconite33 closed this Jun 12, 2026
@codecov

codecov Bot commented Jun 12, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 91%. Comparing base (23b2563) to head (bec5926).
⚠️ Report is 2 commits behind head on dev.

Additional details and impacted files
@@          Coverage Diff          @@
##             dev   #3167   +/-   ##
=====================================
+ Coverage     91%     91%   +1%     
=====================================
  Files        448     448           
  Lines      42654   42654           
=====================================
+ Hits       38397   38402    +5     
+ Misses      4257    4252    -5     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant