ci: harden CLA username matching and batch-PR handling#342
Open
prasanna-anchorage wants to merge 1 commit into
Conversation
Found while porting this CLA flow to anchorageoss/sqisign-rs; these are latent here too:

- Match signers with `grep -Fxq` (fixed-string, whole-line) instead of `grep -q -w`, so logins containing regex metacharacters -- e.g. `github-actions[bot]`, `dependabot[bot]` -- aren't mis-parsed (the `[` starts a character class and can error or false-negative). Also treat a missing `.cla-signed-users` as "not signed" rather than erroring.
- Add a `concurrency` group on the shared `cla-signers-batch` branch so simultaneous `/approve-cla` runs don't race on the push.
- Parse the new batch PR number from the `gh pr create` URL (trailing number) instead of a `#NNN` pattern that never matches a URL (leaving the follow-up comment blank).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Pull request overview
This PR hardens CLA automation workflows by making username checks safer for bot-style GitHub logins and improving batch CLA signer PR handling.
Changes:
- Replaces regex/word-boundary username matching with fixed-string whole-line matching.
- Adds serialization for shared `cla-signers-batch` workflow updates.
- Fixes batch PR number extraction from `gh pr create` URL output.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| .github/workflows/cla-file-check.yml | Safely checks CLA signer usernames and treats a missing signer file as unsigned. |
| .github/workflows/add-cla-user.yml | Serializes batch signer updates, uses fixed-string username checks, and parses created PR numbers from URLs. |
What
Latent robustness fixes in the CLA workflows, found while porting this flow to anchorageoss/sqisign-rs (Copilot flagged them there; the same code lives here).

- (`cla-file-check.yml`, `add-cla-user.yml` ×2): replace `grep -q -w "$user"` with `grep -Fxq "$user"` (fixed-string, whole-line). GitHub logins like `github-actions[bot]` / `dependabot[bot]` contain `[`, which `grep -w` treats as a regex character class — it can error or false-negative. Also tolerate a missing `.cla-signed-users` (treat as unsigned) instead of erroring.
- (`add-cla-user.yml`): add a `concurrency` group on `cla-signers-batch` (no cancel-in-progress) so two near-simultaneous `/approve-cla` runs don't race on the push and drop a signer.
- (`add-cla-user.yml`): `gh pr create` prints the PR URL (`…/pull/123`), so `grep -o '#[0-9]\+'` matched nothing and left `NEW_PR` blank (broken follow-up comment). Parse the trailing number from the URL instead.

No behavior change for already-listed human signers; this only fixes bot logins, the concurrency race, and the empty PR-number bug.
Test
actionlint/YAML parse clean. The matching change is verifiable: `printf 'github-actions[bot]\n' | grep -Fxq 'github-actions[bot]'` succeeds, whereas `grep -w` errors/misbehaves on the `[`.

🤖 Generated with Claude Code
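The hardened signer lookup and the URL-based PR-number parsing described above, as an added stand-alone example that is not the workflow code from this PR. The signer file contents and the `https://github.com/org/repo/pull/123` URL are constructed samples, and `cla_signed` / `pr_number_from_url` are assumed function names.

```shell
#!/bin/sh
# Added example: the two checks the PR hardens, runnable locally.
# Assumption: the signer file holds one GitHub login per line.

# Succeed (exit 0) only if "$1" is an exact, whole line in signer file "$2".
# -F: fixed string, so '[' in "github-actions[bot]" is literal, not a class
# -x: whole-line match, so "alice" does not match "alicex"
# A missing signer file means "nobody has signed" rather than an error.
cla_signed() {
  user=$1
  file=${2:-.cla-signed-users}
  [ -f "$file" ] || return 1
  grep -Fxq -- "$user" "$file"
}

# Print the trailing number of a `gh pr create` URL such as
# https://github.com/org/repo/pull/123; print nothing if there is none.
pr_number_from_url() {
  printf '%s\n' "$1" | sed -n 's#.*/pull/\([0-9][0-9]*\)[[:space:]]*$#\1#p'
}

# Constructed sample signer file (quoted so the shell does not glob '[bot]').
SIGNERS=$(mktemp)
printf '%s\n' 'alice' 'github-actions[bot]' 'dependabot[bot]' > "$SIGNERS"

demo() {
  cla_signed alice "$SIGNERS"                 && echo "alice: signed"
  cla_signed 'github-actions[bot]' "$SIGNERS" && echo "github-actions[bot]: signed"
  cla_signed alic "$SIGNERS"                  || echo "alic: not signed (no partial match)"
  cla_signed alice /nonexistent/.cla-signed-users || echo "missing file: treated as unsigned"
  # The old -w form: '[bot]' is a character class, so the bot login is missed.
  grep -qw 'github-actions[bot]' "$SIGNERS"   || echo "grep -w: false negative on [bot]"
  echo "new batch PR: #$(pr_number_from_url https://github.com/org/repo/pull/123)"
}

demo
```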