Skip to content
/ cla-bot Public

GitHub App that checks contributors have signed Adobe's CLA (or are Adobe/Magento employees)


Notifications You must be signed in to change notification settings


Adobe CLA Bot Build Status

This is a GitHub App that checks that pull request issuers to [] have signed the Adobe CLA.

You can install the app by visiting the GitHub App page for it.


This repo is implemented as a GitHub App together with a set of Adobe Runtime actions. The app has its Webhook URL configured to point to the checker action (more on that below).

This repo contains three actions, which are functions that run on a serverless (function as a service, or FaaS) platform:

  • ./checker contains an action that runs on every [] pull request open, close and synchronize. Checker's job is to check if the user submitting the pull request has signed the CLA or if the user is an Adobe or Magento employee (by checking [] or magento organization membership).
  • ./setgithubcheck contains an action that interacts with the GitHub REST API's Checks API to set checkmarks on pull requests. It is invoked by other actions to communicate pass/fail to pull request authors.
  • ./lookup contains an action that accepts agreement_ids as agreements parameter, interacts with Adobe Sign formData APIs, it parses the formData of all the agreements to lookup the GitHub usernames in the agreements and returns a consolidated list of GitHub usernames.
  • ./signwebhook contains an action that receives event payloads from Adobe Sign when users sign our CLA agreement. This enables a push-based flow and foregoes the user having to take additional steps after they sign our CLA. This action will look up the details of the signed agreement, extract the user's GitHub username, and then search through our orgs for any open pull requests from the user, and finally invoke the ./setgithubcheck action to set a nice green checkmark on their PRs.


For all actions, make sure to copy config-sample.json from the root into the relevant folders, rename it to config.json and populate it with the correct information.

Running Tests

Make sure you've npm installed, then simply npm test. This will run the lint and unit tests. You can also invoke each of these individually with npm run lint and npm run test:unit.

Integration Tests

There are also integration tests against, though you need several special environment variables representing personal access tokens to several accounts to run them correctly. It is expected only maintainers of this repo have access to them, and they are also stored in travis-ci as encrypted environment variables. These tests can be run via npm run test:integration.

The account credentials for these accounts are stored in the Adobe Open Source Office secure credentials location, and only Open Source Office members are expected to have access to them.

Runtime Actions

These instructions assume you already have openwhisk and a runtime namespace setup. See this workshop if you haven't.


Deployment is automated via the script.

We maintain two environments, and thus two apps: the production environment and a staging environment. We also have a staging GitHub app for use with running integration tests.

Each action's name when deployed on Adobe Runtime is cla- + the action name (subdirectory), i.e. cla-lookup, cla-checker, cla-setgithubcheck and cla-signwebhook. When deploying to the staging environment, these action names are additionally suffixed with -stage.

Creating New Actions

It is best to create a new directory by copying one of the existing action directories and editing the script to create rather than update using the wsk CLI tools.

Updating Existing Actions

If you need to update a runtime action, use our handy deploy script:

./ lookup
./ setgithubcheck
./ checker
./ signwebhook

The above will deploy these actions to our staging environment for use by our staging GitHub app. You can deploy to production via:

./ lookup production
./ setgithubcheck production
./ checker production
./ signwebhook production

NOTE: The signwebhook action only runs in production.

Creating a GitHub App

This bot is implemented as a GitHub App. It can be installed on individual repositories or organizations, and sends GitHub webhook events from repos/orgs it is installed on to the ./checker action. To set the GitHub App up:

  1. In your Organization Settings, under Developer Settings, click on GitHub Apps.
  2. Click New GitHub App.
  3. Fill out a name and description for your App.
  4. Fill out the Webhook URL to match the URL of your checker action. If you have not deployed the checker action yet, follow the above instructions on Creating New Actions. If you have already deployed this action, see below for information on how to retrieve the URL of the action.
  5. Under the Permissions section, give the App Read and Write access to Checks, Read-only access to Repository Metadata, Read-only access to Pull Requests and Read and Write access to Commit Statuses.
  6. Leave the User Permissions as-is.
  7. Under Subscribe to Events, check Pull Requests.

Once created, you will have the chance to generate and store a Private Key. Keep this and add it to your config.json file! You will also want to make note of the GitHub App ID - again, this goes into your config.json. Finally, you will want to Install the app in to your organizations or repositories of choice. You can do so from the same Settings page of the App.


Check GitHub App Deliveries

You can go check GitHub webhook delivery payloads and responses on the CLA Bot's App Advanced Settings.

Check Logs on Adobe Runtime

Get list of action invocations, or activations, that executed in our namespace:

wsk activation list

Copy the most-recent-activation number related to your particular action and retrieve its logs:

wsk activation get ACTIVATION-LIST-NUMBER

Getting URL of Actions

Protip, run the following command to get the URL of the action to use for setting up the GitHub App correctly:

wsk action get cla-checker --url


Contributions are welcomed! Read the Contributing Guide for more information.


This project is licensed under the Apache V2 License. See LICENSE for more information.


GitHub App that checks contributors have signed Adobe's CLA (or are Adobe/Magento employees)




Code of conduct

Security policy





No releases published


No packages published