ci: add CLA Assistant workflow and fix CLA.md#244

Merged
carlos-alm merged 3 commits into main from ci/add-cla-workflow on Mar 2, 2026
Conversation

@carlos-alm (Contributor)

Summary

CLA.md fixes (addresses #243 review feedback)

| Issue | Fix |
| --- | --- |
| Inconsistent control definition formatting (Roman numerals) | Changed i. / ii. / iii. to (a) / (b) / (c) |
| Section reference error ("section 7") | Corrected to "section 6" (Third-Party Submissions) |
| Capitalization inconsistency in Patent section | Fixed your/you → Your/You to match document convention |
| Missing signature/acceptance process | Added Acceptance section documenting the CLA bot flow |
| Missing jurisdiction | Added Governing Law clause — Province of Alberta, Canada |

Workflow design choices

  • branch: "cla-signatures" — stores signatures on a dedicated branch instead of main, avoiding branch protection issues and keeping main clean
  • GITHUB_TOKEN — sufficient since cla-signatures is unprotected (no PAT needed)
  • Minimal allowlist — only dependabot[bot] and github-actions[bot] (everyone else signs)

Supersedes #243.

Test plan

  • Verify CLA workflow triggers on this PR itself
  • Verify bot posts signing instructions on a test PR from a non-signed contributor
  • After merge, add CLA signature check as required status in branch protection (manual)

- Add .github/workflows/cla.yml using contributor-assistant/github-action@v2.6.1
  with dedicated cla-signatures branch to avoid polluting main
- Fix CLA.md: section 7→6 reference, capitalization consistency,
  control definition formatting (Roman numerals → lettered list)
- Add Acceptance section documenting the CLA bot signing process
- Add Governing Law clause (Province of Alberta, Canada)
- Update CONTRIBUTING.md with CLA signing instructions
@greptile-apps

greptile-apps bot commented Mar 2, 2026

Greptile Summary

This PR adds CLA enforcement infrastructure and addresses all feedback from #243. The implementation is clean and follows best practices:

  • The workflow uses CLA Assistant Lite v2.6.1 with appropriate pull_request_target trigger and write permissions
  • All issues from the previous review have been fixed: formatting consistency (Roman numerals → letters), section reference correction, capitalization fixes, and addition of missing Acceptance and Governing Law sections
  • The CLA.md document is well-structured with standard legal language appropriate for an open-source project
  • CONTRIBUTING.md provides clear, step-by-step signing instructions that match the workflow's expected comment text
  • The design choice to use a cla-signatures branch avoids branch protection conflicts

One minor enhancement: the workflow supports a recheck command that isn't documented in the contributor-facing documentation.

Confidence Score: 5/5

  • This PR is safe to merge - it's a well-designed documentation and configuration change with no code execution risks
  • All files are documentation or workflow configuration with no functional code changes. The CLA workflow follows security best practices (appropriate use of pull_request_target, correct permissions, pinned action version). All previous review feedback has been addressed comprehensively.
  • No files require special attention

Important Files Changed

| Filename | Overview |
| --- | --- |
| .github/workflows/cla.yml | Added CLA Assistant workflow with appropriate permissions and triggers |
| CLA.md | New CLA document with all required sections, addresses all feedback from #243 |
| CONTRIBUTING.md | Updated with clear CLA signing instructions for contributors |

Last reviewed commit: 6edaf60

@greptile-apps greptile-apps bot left a comment

3 files reviewed, 1 comment

Comment on lines +28 to +34
1. Open a pull request
2. The CLA Assistant bot will post a comment if you haven't signed yet
3. Reply with the exact text:
```
I have read the CLA Document and I hereby sign the CLA
```
4. The check will pass once all PR contributors have signed
Consider documenting the recheck command - users can comment recheck on a PR to re-trigger the CLA check

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

@carlos-alm (Contributor, Author)


Good catch — added a note about the recheck command to the CLA signing instructions in CONTRIBUTING.md.

Address Greptile review feedback on #244 — add note that contributors
can comment `recheck` on a PR to re-trigger the CLA signature check.
@claude

claude bot commented Mar 2, 2026

Claude finished @carlos-alm's task
PR Review Complete

Reviewing PR #244: ci: add CLA Assistant workflow and fix CLA.md

Review Checklist

  • Phase 1: Root Cause Analysis
  • Phase 2: Configuration Change Detection
  • Phase 3: Test Integrity Check
  • Phase 4: Code Quality Review
  • Final Assessment and Rating

Phase 1: Root Cause Analysis

Problem Being Solved: This PR establishes CLA enforcement infrastructure to require legal contributor agreements before code can be merged. This addresses a legitimate business need for IP protection on an open-source project.

Why This Approach: Uses the industry-standard CLA Assistant Lite GitHub Action to automate signature collection and verification. The choice of a dedicated cla-signatures branch is sound architectural practice that avoids polluting main branch history.

Risk Assessment: ✅ LOW RISK - This is purely additive infrastructure with no code execution risks.

Phase 2: Configuration Change Detection

Workflow Security Analysis (.github/workflows/cla.yml):

  • Pinned action version: v2.6.1 (secure practice)
  • Appropriate trigger: pull_request_target is correct for external PRs
  • Minimal permissions: Only grants necessary write permissions (actions, contents, pull-requests, statuses)
  • Safe token usage: Uses standard GITHUB_TOKEN (sufficient for unprotected branch)
  • Comment validation: Proper conditional logic for signature text and recheck command
  • Bot allowlist: Correctly excludes automated bots

Configuration Assessment: ✅ SECURE - Follows GitHub Actions security best practices

Phase 3: Test Integrity Check

NO TEST MODIFICATIONS - This PR adds only documentation and workflow configuration. No test files were modified, no test expectations were weakened, and no test coverage was reduced.

Phase 4: Code Quality Review

CLA Document Analysis (CLA.md):

  • Complete legal framework: All standard CLA sections present (copyright, patent, representations, third-party)
  • Greptile feedback addressed: Fixed formatting consistency (a/b/c vs i/ii/iii), section references, capitalization
  • Added missing sections: Acceptance process and governing law (Alberta, Canada)
  • Clear signature process: Exact comment text matches workflow expectations

CONTRIBUTING.md Updates:

  • Clear instructions: Step-by-step CLA signing process
  • Documentation enhancement: Added recheck command documentation (addresses review feedback)
  • Appropriate placement: CLA section positioned early in contribution workflow
  • Consistent messaging: Signature text matches workflow configuration exactly

Technical Implementation:

  • Path consistency: CLA document URL (/blob/main/CLA.md) will resolve correctly
  • Branch isolation: cla-signatures branch avoids main branch pollution
  • Minimal allowlist: Only excludes legitimate automation accounts
  • One-time signing: Clearly documented that signature applies to future contributions

Minor Observations

  • The workflow correctly supports both the main signature comment and recheck command
  • Documentation updates are comprehensive and user-friendly
  • Legal language is appropriate for an open-source project with corporate backing

Root Cause Analysis

Problem Being Solved: Establishing legal IP protection framework for open-source project
Why This Approach: Industry-standard automated CLA enforcement with proper branch isolation
Risk Assessment: Minimal risk - pure documentation/workflow addition with security best practices

Final Recommendation

  • Rating: ⭐⭐⭐⭐☆ (4/5)
  • Action: APPROVE
  • Reasoning: Well-implemented CLA infrastructure following security best practices. All previous review feedback has been comprehensively addressed. The implementation is clean, secure, and appropriately documented. Minor deduction for being process/legal infrastructure rather than functional enhancement, but this is necessary foundational work for the project.
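
The workflow as the PR description (cla-signatures branch, GITHUB_TOKEN, allowlist) and the Phase 2 security analysis above (pull_request_target trigger, the four write permissions, the signature/recheck comment condition, pinned v2.6.1) describe it, written out here as an added reconstruction; it is not the PR's actual cla.yml, and the repository URL, job name and signatures path are assumptions.

```yaml
# Reconstructed example of the CLA Assistant workflow the reviews describe.
# Not the PR's actual .github/workflows/cla.yml; <org>/<repo>, the job name
# and the signatures path are placeholders.
name: "CLA Assistant"

on:
  issue_comment:
    types: [created]
  # pull_request_target runs in the base repository's context, so it gets a
  # write-capable GITHUB_TOKEN even for PRs from forks. That is what lets the
  # bot comment and set a status; it also means this workflow must never
  # check out or execute the PR's own code.
  pull_request_target:
    types: [opened, closed, synchronize]

# Only the four write scopes the review lists as the minimal set.
permissions:
  actions: write
  contents: write
  pull-requests: write
  statuses: write

jobs:
  cla:
    runs-on: ubuntu-latest
    steps:
      - name: "CLA Assistant"
        # Run on PR events, and on comments only when the body is exactly the
        # signing sentence from CONTRIBUTING.md or the "recheck" command.
        if: >-
          github.event_name == 'pull_request_target' ||
          github.event.comment.body == 'recheck' ||
          github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA'
        uses: contributor-assistant/github-action@v2.6.1   # pinned, as in the PR
        env:
          # GITHUB_TOKEN suffices because cla-signatures is not a protected branch.
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          # Placeholder path inside the cla-signatures branch (assumption).
          path-to-signatures: "signatures/version1/cla.json"
          # Placeholder repository; the PR states the document is at /blob/main/CLA.md.
          path-to-document: "https://github.com/<org>/<repo>/blob/main/CLA.md"
          branch: "cla-signatures"
          allowlist: "dependabot[bot],github-actions[bot]"
```

The test plan's final step (making the CLA status a required check in branch protection) is done in repository settings, not in this file.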

@carlos-alm (Contributor, Author)

@greptileai

@carlos-alm carlos-alm merged commit be6c969 into main Mar 2, 2026
15 checks passed
@carlos-alm carlos-alm deleted the ci/add-cla-workflow branch March 2, 2026 23:39
@github-actions github-actions bot locked and limited conversation to collaborators Mar 2, 2026