Skip to content

Fix CLA check to pass exempt users to CLA assistant action #4

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
Copilot wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Fix CLA check to pass exempt users to CLA assistant action #4

Copilot wants to merge 2 commits into from

Conversation

Copy link
Contributor

Copilot AI commented Dec 4, 2025
edited
Loading

The check-membership step correctly identifies org members/collaborators as exempt, but this context was lost before reaching the cla-assistant action, causing false CLA signature requests.

Changes

  • New EXEMPT_USERNAMES collection: Tracks raw logins separately from the descriptive EXEMPT_USERS list
  • New job output exempt_usernames: Exposes exempt logins as comma-separated string
  • Dynamic allowlist: Appends exempt usernames to the CLA assistant's allowlist
# Now passes exempt users through to the allowlist
allowlist: >-
  bot*,
  *bot,
  ...
  github-code-quality*${{ needs.check-cla.outputs.exempt_usernames && format(',{0}', needs.check-cla.outputs.exempt_usernames) || '' }}
Original prompt

The cla-check.yml workflow is producing contradictory results where it asks organization members (who should be exempt) to sign the CLA. This happens because the check-membership step identifies them as exempt, but this information is not passed to the subsequent cla-assistant job. Consequently, the cla-assistant action re-evaluates the users and, lacking the context of their organization membership, flags them as needing to sign.

To fix this, you need to modify .github/workflows/cla-check.yml:

  1. Update the check-membership step:

    • Modify the bash script to collect the raw usernames (logins) of all exempt users (bots, collaborators, org members) into a list, separate from the existing EXEMPT_USERS list which contains descriptive text.
    • Output this list of logins as a new output variable named exempt_usernames. Use a comma-separated string format for this output to ensure it can be easily passed to the next job.

  2. Update the check-cla job outputs:

    • Expose the new exempt_usernames step output as a job output.

  3. Update the cla-assistant job:

    • In the CLA Assistant step, update the allowlist input.
    • Append the dynamic list of exempt usernames (retrieved from needs.check-cla.outputs.exempt_usernames) to the existing static allowlist patterns.

This change ensures that any user identified as exempt by the custom script in the first job is explicitly allowlisted in the actual CLA check action, preventing false positives.

This pull request was created as a result of the following prompt from Copilot chat.

The cla-check.yml workflow is producing contradictory results where it asks organization members (who should be exempt) to sign the CLA. This happens because the check-membership step identifies them as exempt, but this information is not passed to the subsequent cla-assistant job. Consequently, the cla-assistant action re-evaluates the users and, lacking the context of their organization membership, flags them as needing to sign.

To fix this, you need to modify .github/workflows/cla-check.yml:

  1. Update the check-membership step:

    • Modify the bash script to collect the raw usernames (logins) of all exempt users (bots, collaborators, org members) into a list, separate from the existing EXEMPT_USERS list which contains descriptive text.
    • Output this list of logins as a new output variable named exempt_usernames. Use a comma-separated string format for this output to ensure it can be easily passed to the next job.

  2. Update the check-cla job outputs:

    • Expose the new exempt_usernames step output as a job output.

  3. Update the cla-assistant job:

    • In the CLA Assistant step, update the allowlist input.
    • Append the dynamic list of exempt usernames (retrieved from needs.check-cla.outputs.exempt_usernames) to the existing static allowlist patterns.

This change ensures that any user identified as exempt by the custom script in the first job is explicitly allowlisted in the actual CLA check action, preventing false positives.

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

@bashandbone
Fix CLA check workflow to pass exempt users to CLA assistant action
04aa5ea 
Co-authored-by: bashandbone <89049923+bashandbone@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix contradictory results in CLA check workflow Fix CLA check to pass exempt users to CLA assistant action Dec 4, 2025
Copilot AI requested a review from bashandbone December 4, 2025 00:49
@bashandbone bashandbone marked this pull request as ready for review December 4, 2025 01:04
Copilot AI review requested due to automatic review settings December 4, 2025 01:04
Copilot AI reviewed Dec 4, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes a critical bug in the CLA check workflow where organization members and collaborators were incorrectly being asked to sign the CLA. The issue occurred because the check-membership step correctly identified exempt users, but this information wasn't passed to the cla-assistant action, causing it to re-evaluate users without proper context.

Key Changes

  • Added parallel tracking of exempt usernames alongside descriptive exempt user information
  • Exposed exempt usernames as a job output for cross-job communication
  • Dynamically appends exempt users to the CLA assistant's allowlist using GitHub Actions template expressions

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@bashandbone bashandbone Awaiting requested review from bashandbone

Assignees

@bashandbone bashandbone

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@bashandbone