Skip to content

Replace CLA workflow with centralized reusable workflow#3168

Merged
liquidsec merged 1 commit into
blacklanternsecurity:devfrom
aconite33:fix/cla-reusable-workflow
Jun 12, 2026
Merged

Replace CLA workflow with centralized reusable workflow#3168
liquidsec merged 1 commit into
blacklanternsecurity:devfrom
aconite33:fix/cla-reusable-workflow

Conversation

@aconite33

Copy link
Copy Markdown
Contributor

Summary

  • Replaces bbot's 98-line inline CLA workflow with a ~10-line thin caller that references the new reusable workflow in blacklanternsecurity/.github
  • All CLA logic is now maintained in one place — fixes and improvements apply to every repo that adopts this pattern
  • Fixes the org-member allowlist bug observed on PR Extract IPs and CIDRs from SPF TXT records #3144, where liquidsec was flagged as unsigned despite being a BLS org member

What changed

Before: bbot had its own full CLA workflow with all the logic inline. The pre-check step identified org members as exempt, but didn't pass that information to the CLA Assistant action — so org members who committed to external PRs were falsely flagged.

After: bbot's cla.yml is just:

jobs:
  cla:
    uses: blacklanternsecurity/.github/.github/workflows/cla-reusable.yml@main
    secrets: inherit

The reusable workflow (blacklanternsecurity/.github#1) handles everything, including dynamically adding org members to the CLA Assistant's allowlist.

Dependencies

  • Requires blacklanternsecurity/.github#1 to be merged first

Test plan

  • Merge blacklanternsecurity/.github#1 first
  • Merge this PR
  • Retrigger CLA on PR Extract IPs and CIDRs from SPF TXT records #3144liquidsec should pass, only thunderstornX evaluated for CLA
  • Open a test PR from an org member — CLA should be skipped entirely
  • Open a test PR from a non-member — CLA should be required as before

Replaces the full inline CLA workflow with a thin caller that references
the reusable workflow in blacklanternsecurity/.github. CLA logic is now
maintained in one place across all BLS repos.

This also fixes the bug where org members (e.g. liquidsec) were flagged
as unsigned when they committed to an external contributor's PR (blacklanternsecurity#3144).

Depends on: blacklanternsecurity/.github#1
@liquidsec liquidsec merged commit dfd4a38 into blacklanternsecurity:dev Jun 12, 2026
15 of 17 checks passed
@codecov

codecov Bot commented Jun 12, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 91%. Comparing base (23b2563) to head (8faf12e).
⚠️ Report is 9 commits behind head on dev.

Additional details and impacted files
@@          Coverage Diff          @@
##             dev   #3168   +/-   ##
=====================================
+ Coverage     91%     91%   +1%     
=====================================
  Files        448     448           
  Lines      42654   42654           
=====================================
+ Hits       38397   38408   +11     
+ Misses      4257    4246   -11     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@ausmaster ausmaster added this to the BBOT 3.0 - blazed_elijah milestone Jun 26, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants