roblox / cla-signature-bot Goto Github PK

Currently the app needs a PAT (tied to a specific account) to perform auth for the remote repository. Modify this to allow for GitHub App auth instead, allowing the action to authenticate as an app. The app should only need repo read/write scopes to be able to read and write to the cla.json file in the remote repo, nothing more.

Describe the bug
I try to use the CLA-Signature bot with the described configuration. The bot is started but cannot be downloaded. The error message is

Failed to resolve action download info. Error: Unable to resolve action `Roblox/[email protected]`, unable to find version `2.0.1`

I tried the following definitions for uses in the script:

• uses: roblox/[email protected] (this is the one used in the documentation)
• uses: roblox/[email protected] (based on the current latest release)
• uses: roblox/cla-assistant is not accepted
• uses: https://github.com/roblox/[email protected] is also not accepted

To Reproduce
Steps to reproduce the behavior:

1. Use the script as defined in https://github.com/Roblox/cla-signature-bot/blob/master/README.md
2. In an existing issue on your repository, add a new comment
3. Go to the Actions tab of your repository to see the error

Expected behavior
GitHub actions should be able to download the bot.

Log

Current runner version: '2.275.1'
Operating System
Virtual Environment
Prepare workflow directory
Prepare all required actions
Getting action download info
Failed to resolve action download info. Error: Unable to resolve action `Roblox/[email protected]`, unable to find version `2.0.1`
Retrying in 20.256 seconds
Failed to resolve action download info. Error: Unable to resolve action `Roblox/[email protected]`, unable to find version `2.0.1`
Retrying in 11.918 seconds
Error: Failed to resolve action download info.

Describe the bug

When opening a fork-based PR the secret value for the remote repo PAT is not supplied for security reasons. This causes an error as that input is marked as required and it is blank.

To Reproduce

Open a PR from a fork.

Suggested fix:

Add a unit test for this situation as it should be handled gracefully. The remote repo should be anonymous-readable so that the PAT is not mandatory for read operations.

On the other hand, if we attempt to write to a remote repo while we lack a remote repo PAT we should fail.

Describe the bug
After making a comment on an issue on a repo with the CLA bot, it sent me an email that it had failed.
https://github.com/Roblox/testez/actions/runs/172094273

This did not stop me from commenting BTW.

Expected behavior
The CLA bot probably shouldn't run at all for issues and issue comments.

It requires some duplicated effort to maintain an employee whitelist across many repositories in the same organization.

It would be great to support pulling the contributor whitelist from a central repository, perhaps the same repository that contains who has signed the CLA.

The current recommendation is that employees be added to the whitelist for the CLA bot, but this needs to be done for each employee for each repo. Some way to automate this would help a lot. Probably the simplest option would be to allow the bot to accept teams in its whitelist.