iterating cla automation

dovholuknf · dovholuknf · commit 8d48a1dad6e9 · 2026-02-04T08:38:35.000-05:00
diff --git a/.github/workflows/cla-workflow.yml b/.github/workflows/cla-workflow.yml
@@ -0,0 +1,65 @@
+# Reusable CLA Workflow
+# Called by other repositories to check CLA signatures
+#
+# Usage in other repos:
+#   jobs:
+#     cla:
+#       uses: netfoundry/cla/.github/workflows/cla-workflow.yml@main
+#       secrets: inherit
+
+name: "CLA Workflow"
+
+on:
+  workflow_call:
+    secrets:
+      CLA_APP_ID:
+        required: true
+      CLA_APP_PRIVATE_KEY:
+        required: true
+
+jobs:
+  CLAAssistant:
+    runs-on: ubuntu-latest
+    # Skip CLA check for org members/owners (they're covered by employment agreement)
+    # But always run for issue_comment events (to process signatures)
+    if: |
+      github.event_name == 'issue_comment' ||
+      (github.event_name == 'pull_request_target' &&
+       github.event.pull_request.author_association != 'MEMBER' &&
+       github.event.pull_request.author_association != 'OWNER')
+    steps:
+      - name: Debug - Workflow Version
+        run: echo "CLA Workflow v3 - Reusable workflow with GitHub App auth (2026-02-04)"
+
+      - name: Generate GitHub App Token
+        id: app-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ secrets.CLA_APP_ID }}
+          private-key: ${{ secrets.CLA_APP_PRIVATE_KEY }}
+          owner: netfoundry
+          repositories: cla
+
+      - name: Debug - Token Generated
+        run: |
+          if [ -n "${{ steps.app-token.outputs.token }}" ]; then
+            echo "Token generated successfully (length: ${#TOKEN})"
+          else
+            echo "ERROR: Token is empty - check GitHub App setup and secrets"
+          fi
+        env:
+          TOKEN: ${{ steps.app-token.outputs.token }}
+
+      - name: "CLA Assistant"
+        if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
+        uses: contributor-assistant/github-action@v2.6.1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PERSONAL_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }}
+        with:
+          path-to-signatures: 'signatures/cla.json'
+          path-to-document: 'https://netfoundry.io/docs/assets/files/NetFoundry-ICLA-32974791ae564dd1878a7d2ab1ab8d5e.pdf'
+          branch: 'main'
+          allowlist: dependabot[bot],renovate[bot],github-actions[bot],bot*
+          remote-organization-name: netfoundry
+          remote-repository-name: cla
diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml
@@ -1,4 +1,8 @@
+# CLA Check for this repository
+# Uses the reusable workflow defined in cla-workflow.yml
+
 name: "CLA Assistant"
+
 on:
   issue_comment:
     types: [created]
@@ -12,45 +16,6 @@ permissions:
   statuses: write
 
 jobs:
-  CLAAssistant:
-    runs-on: ubuntu-latest
-    # Skip CLA check for org members/owners (they're covered by employment agreement)
-    # But always run for issue_comment events (to process signatures)
-    if: |
-      github.event_name == 'issue_comment' ||
-      (github.event_name == 'pull_request_target' &&
-       github.event.pull_request.author_association != 'MEMBER' &&
-       github.event.pull_request.author_association != 'OWNER')
-    steps:
-      - name: Debug - Workflow Version
-        run: echo "CLA Workflow v2 - Using GitHub App authentication (2026-02-04)"
-
-      - name: Generate GitHub App Token
-        id: app-token
-        uses: actions/create-github-app-token@v1
-        with:
-          app-id: ${{ secrets.CLA_APP_ID }}
-          private-key: ${{ secrets.CLA_APP_PRIVATE_KEY }}
-
-      - name: Debug - Token Generated
-        run: |
-          if [ -n "${{ steps.app-token.outputs.token }}" ]; then
-            echo "Token generated successfully (length: ${#TOKEN})"
-          else
-            echo "ERROR: Token is empty - check GitHub App setup and secrets"
-          fi
-        env:
-          TOKEN: ${{ steps.app-token.outputs.token }}
-
-      - name: "CLA Assistant"
-        if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
-        uses: contributor-assistant/github-action@v2.6.1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          PERSONAL_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }}
-        with:
-          path-to-signatures: 'signatures/cla.json'
-          path-to-document: 'https://netfoundry.io/docs/assets/files/NetFoundry-ICLA-32974791ae564dd1878a7d2ab1ab8d5e.pdf'
-          branch: 'main'
-          allowlist: dependabot[bot],renovate[bot],github-actions[bot],bot*
-          lock-pullrequest-aftermerge: false
+  cla:
+    uses: netfoundry/cla/.github/workflows/cla-workflow.yml@main
+    secrets: inherit
diff --git a/workflow-template/cla.yml b/workflow-template/cla.yml
@@ -3,11 +3,11 @@
 # Copy this file to .github/workflows/cla.yml in any repository that should
 # require CLA signatures from contributors.
 #
-# REQUIRED: Add CLA_APP_ID and CLA_APP_PRIVATE_KEY as organization secrets.
-# These should be from a GitHub App with Contents (read/write) access
-# to the netfoundry/cla repository.
+# REQUIRED: Add CLA_APP_ID and CLA_APP_PRIVATE_KEY as organization secrets
+# accessible to this repository.
 
 name: "CLA Check"
+
 on:
   issue_comment:
     types: [created]
@@ -21,35 +21,6 @@ permissions:
   statuses: write
 
 jobs:
-  CLAAssistant:
-    runs-on: ubuntu-latest
-    # Skip CLA check for org members/owners (they're covered by employment agreement)
-    # But always run for issue_comment events (to process signatures)
-    if: |
-      github.event_name == 'issue_comment' ||
-      (github.event_name == 'pull_request_target' &&
-       github.event.pull_request.author_association != 'MEMBER' &&
-       github.event.pull_request.author_association != 'OWNER')
-    steps:
-      - name: Generate GitHub App Token
-        id: app-token
-        uses: actions/create-github-app-token@v1
-        with:
-          app-id: ${{ secrets.CLA_APP_ID }}
-          private-key: ${{ secrets.CLA_APP_PRIVATE_KEY }}
-          owner: netfoundry
-          repositories: cla
-
-      - name: "CLA Assistant"
-        if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
-        uses: contributor-assistant/github-action@v2.6.1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          PERSONAL_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }}
-        with:
-          path-to-signatures: 'signatures/cla.json'
-          path-to-document: 'https://netfoundry.io/docs/assets/files/NetFoundry-ICLA-32974791ae564dd1878a7d2ab1ab8d5e.pdf'
-          branch: 'main'
-          allowlist: dependabot[bot],renovate[bot],github-actions[bot],bot*
-          remote-organization-name: 'netfoundry'
-          remote-repository-name: 'cla'
+  cla:
+    uses: netfoundry/cla/.github/workflows/cla-workflow.yml@main
+    secrets: inherit
