ci: bump cla-github-action to 1ecf0d2f (impersonation guard, co-author trailers)#73
Merged
ci: bump cla-github-action to 1ecf0d2f (impersonation guard, co-author trailers)#73
Conversation
…r trailers) Bumps the CLA assistant action from `eeb7f3f` (v2.7.1) to `1ecf0d2f`. What's new in the action: - Impersonation guard (require-opener-as-author input, default true): fails the check if the PR opener is not recorded as an author or Co-authored-by of any commit in the PR. Runs before the allowlist filter. - PR opener and Co-authored-by trailers join the committer set — previously only commit.author was checked. Noreply-form trailer emails are parsed directly to login/id. - Actionable unlinked-email guidance: when a commit author's email is not linked to any GitHub user, the bot posts a warning block listing each unlinked email with concrete remediation. - Dead-404-path bugfix (signatures-file bootstrap now works first-time). Buffa adopted the new pin in anthropics/buffa#72 on 2026-04-28. Note: pull_request_target runs the workflow from the base branch, so this PR's own CLA check still uses the old eeb7f3f pin. The new action is first exercised on the next PR opened/synced after merge. Fixes #72
kollektiv
approved these changes
Apr 30, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps the CLA assistant action from
eeb7f3f(v2.7.1) to1ecf0d2f.What's new in the action
require-opener-as-authorinput (defaulttrue): fails the check if the PR opener is not recorded as an author orCo-authored-byof any commit in the PR. Guards against an attacker opening a PR whose commits are attributed to a trusted identity. Emits anopener_not_in_commitsoutput regardless of pass/fail. Runs before the allowlist filter, so allowlisted maintainers are not exempt.Co-authored-by:trailers join the committer set — previously onlycommit.authorwas checked. The PR submitter and any co-author trailers must now also sign (or be allowlisted). Noreply-form trailer emails (<id>+<login>@users.noreply.github.com) are parsed directly to login/id.> [!WARNING]block listing each unlinked email with concrete remediation (link at github.com/settings/emails, or rewrite commands).signed-empty-commit-messageinput (we don't use it).Config
Kept
require-opener-as-authorat the defaulttrue. No new inputs wired. Allowlist preserved verbatim.Operational impact
Co-authored-by:trailer, so no opener mismatch. They are now correctly required to sign.Co-authored-by: <login> <id+login@users.noreply.github.com>for the PR opener, or the impersonation guard will fail the check.Note
pull_request_targetruns the workflow from the base branch, so this PR's own CLA check still uses the oldeeb7f3fpin. The new action is first exercised on the next PR opened/synced after this merges.Fixes #72