
ci: bump cla-github-action to 1ecf0d2f (impersonation guard, co-author trailers)#72

Merged: iainmcgin merged 1 commit into main from ci/cla-action-bump, Apr 28, 2026

Conversation

@iainmcgin
Collaborator

Bumps the CLA assistant action from eeb7f3f (v2.7.1) to 1ecf0d2f (28 commits).

What's new in the action

  • Impersonation guard — new require-opener-as-author input (default true): fails the check if the PR opener is not recorded as an author or Co-authored-by of any commit in the PR. Guards against an attacker opening a PR whose commits are attributed to a trusted identity. Emits an opener_not_in_commits output regardless of pass/fail. Runs before the allowlist filter, so allowlisted maintainers are not exempt.
  • PR opener and Co-authored-by: trailers join the committer set — previously only commit.author was checked. The PR submitter and any co-author trailers must now also sign (or be allowlisted). Noreply-form trailer emails (<id>+<login>@users.noreply.github.com) are parsed directly to login/id.
  • Actionable unlinked-email guidance — when a commit author's email is not linked to any GitHub user, the bot now posts a > [!WARNING] block listing each unlinked email with concrete remediation (link at github.com/settings/emails, or rewrite commands).
  • Dead-404-path bugfix (signatures-file bootstrap now works first-time), broken-markdown fix in the signed list, pagination for comments/runs/commits, TypeScript 6, knip/publint/actionlint.
  • Removed signed-empty-commit-message input (we don't use it).

Config

Kept require-opener-as-author at the default true. No new inputs wired.

Operational impact

  • Author-rewrite for unlinked-email contributors (e.g. hobostay) — still works: the contributor is the PR opener and appears via the Co-authored-by: trailer, so no opener mismatch. They are now correctly required to sign.
  • Signed-squash for unsigned fork commits — the squash commit message must include Co-authored-by: <login> <id+login@users.noreply.github.com> for the PR opener, or the impersonation guard will fail the check. (The squash makes the maintainer the sole commit author; without the trailer the opener is absent from the authorship trail.)

Note

pull_request_target runs the workflow from the base branch, so this PR's own CLA check still uses the old eeb7f3f pin. The new action is first exercised on the next PR opened/synced after this merges.

Adopts the impersonation guard (PR opener must appear as an author or
co-author of at least one commit; require-opener-as-author defaults to
true), Co-authored-by trailer support in the committer set, and the
actionable unlinked-email warning block. Also picks up the dead-404-path
bootstrap fix, pagination, and the TS6/tooling cleanup pass.

The signed-squash workaround for unsigned fork commits must now include a
Co-authored-by trailer for the PR opener, or the impersonation guard will
fail the check.
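The guard and committer-set behaviour described above (opener must be an author or Co-authored-by of some commit, the guard ignoring the allowlist, noreply-form trailer emails resolving to a login, and the signed-squash case with and without the trailer), modelled as an added TypeScript example. This is not the cla-github-action's own code: the CommitInfo shape, the function names and the sample commits are constructed for the illustration.

```typescript
// Added example: a model of the impersonation guard and committer-set logic
// described in the PR text. Not the cla-github-action's own code; the
// CommitInfo shape, function names and sample data are assumptions.

// Assumed shape of what the example knows about one commit in the PR.
interface CommitInfo {
  sha: string;                // placeholder values below, not real commits
  authorLogin: string | null; // login linked to commit.author email; null if unlinked
  authorEmail: string;
  message: string;            // full commit message, trailers included
}

// Parse a noreply-form address "<id>+<login>@users.noreply.github.com".
function parseNoreplyEmail(email: string): { id: number; login: string } | null {
  const m = /^(\d+)\+([A-Za-z0-9-]+)@users\.noreply\.github\.com$/i.exec(email.trim());
  return m ? { id: Number(m[1]), login: m[2].toLowerCase() } : null;
}

// Collect identities from Co-authored-by trailers. Noreply-form emails resolve
// directly to a login; any other email is kept as a lowercased address that a
// real implementation would still have to look up against GitHub.
function coAuthorsFromMessage(message: string): string[] {
  const out: string[] = [];
  const re = /^Co-authored-by:\s*.*?<([^>]+)>\s*$/gim;
  let m: RegExpExecArray | null;
  while ((m = re.exec(message)) !== null) {
    const parsed = parseNoreplyEmail(m[1]);
    out.push(parsed ? parsed.login : m[1].toLowerCase());
  }
  return out;
}

// Impersonation guard: the opener must be recorded as author or co-author of
// at least one commit. Deliberately takes no allowlist, mirroring the note
// that the guard runs before the allowlist filter.
function openerInCommits(opener: string, commits: CommitInfo[]): boolean {
  const want = opener.toLowerCase();
  return commits.some(c =>
    (c.authorLogin !== null && c.authorLogin.toLowerCase() === want) ||
    coAuthorsFromMessage(c.message).includes(want));
}

// Committer set that must sign: opener, every commit author, every co-author.
// Unlinked author emails are kept as addresses so a caller can warn on them.
function committerSet(opener: string, commits: CommitInfo[]): string[] {
  const ids = new Set<string>([opener.toLowerCase()]);
  for (const c of commits) {
    ids.add(c.authorLogin ? c.authorLogin.toLowerCase() : c.authorEmail.toLowerCase());
    for (const co of coAuthorsFromMessage(c.message)) ids.add(co);
  }
  return Array.from(ids).sort();
}

// Who still needs to sign once the allowlist and existing signatures apply.
function pendingSigners(opener: string, commits: CommitInfo[],
                        allowlist: string[], signed: string[]): string[] {
  const skip = new Set(allowlist.concat(signed).map(s => s.toLowerCase()));
  return committerSet(opener, commits).filter(id => !skip.has(id));
}

// Overall check result, with an opener_not_in_commits field in the spirit of
// the action's output of that name (shape assumed).
function check(opener: string, commits: CommitInfo[], allowlist: string[], signed: string[]) {
  const present = openerInCommits(opener, commits);
  const pending = pendingSigners(opener, commits, allowlist, signed);
  return { pass: present && pending.length === 0, opener_not_in_commits: !present, pending };
}

// Constructed sample: a maintainer squashes a fork PR opened by "forkdev".
const SQUASH_WITH_TRAILER: CommitInfo = {
  sha: "0000000", authorLogin: "maintainer", authorEmail: "maintainer@example.com",
  message: "Fix parser edge case (#99)\n\nCo-authored-by: forkdev <12345+forkdev@users.noreply.github.com>\n",
};
const SQUASH_WITHOUT_TRAILER: CommitInfo = {
  sha: "0000001", authorLogin: "maintainer", authorEmail: "maintainer@example.com",
  message: "Fix parser edge case (#99)\n",
};

console.log(check("forkdev", [SQUASH_WITH_TRAILER], ["maintainer"], ["forkdev"]));
console.log(check("forkdev", [SQUASH_WITHOUT_TRAILER], ["maintainer"], ["forkdev"]));
```

The second call is the failure mode from the "Operational impact" bullet: the squash makes the maintainer the sole author, so without the trailer the opener is absent from the authorship trail and the guard fails even though the maintainer is allowlisted and the opener has signed.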
iainmcgin marked this pull request as ready for review, April 28, 2026 00:12
iainmcgin requested a review from asacamano, April 28, 2026 00:16
iainmcgin enabled auto-merge (squash), April 28, 2026 00:17
iainmcgin merged commit b237f28 into main, Apr 28, 2026
7 checks passed
iainmcgin deleted the ci/cla-action-bump branch, April 28, 2026 00:20
github-actions bot locked and limited conversation to collaborators, Apr 28, 2026