@Anshgrover23 Anshgrover23 commented Jan 12, 2026

Summary

  • Replace custom CLA system with contributor-assistant/github-action
  • Add all 25 existing signers to allowlist (no re-signing needed)
  • New contributors sign by commenting on their PR
  • Signatures stored in signatures/cla.json (auto-created)

Changes

Deleted:

  • .github/workflows/cla-check.yml
  • .github/scripts/cla_check.py (390 lines)
  • .github/cla-signers.json
  • .github/ISSUE_TEMPLATE/cla-signature.yml

Added:

  • .github/workflows/cla.yml

Result: 814 lines removed, 50 lines added

New Contributor Flow

  1. Opens PR
  2. Bot comments: "Please sign by commenting: I have read the CLA Document and I hereby sign the CLA"
  3. Contributor comments that exact text
  4. Signature saved to signatures/cla.json automatically
  5. PR status turns green ✅

Existing Signers

All 25 existing signers are in the allowlist - they don't need to re-sign:

mikejmorgan-ai, pavanimanchala53, SWAROOP323, Sahilbhatane, sujay-d07, 
Anshgrover23, Kesavaraja67, lu11y0, Suyashd999, Dhruv-89, RIVALHIDE, 
dhvll, ShreeJejurikar, aybanda, murataslan1, divanshu-go, rakesh0x, 
tuanwannafly, altynai9128, Omkar1701, jaysurse, KrishnaShuk, 
Piyushrathoree, jeremylongshore, srikrishnavansi

Test plan

  • Merge this PR
  • Test with a new contributor PR - should see CLA comment
  • Test existing contributor PR - should pass immediately

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores

    • Replaced custom CLA verification with an automated CLA Assistant workflow and removed legacy CLA enforcement artifacts.
  • Documentation

    • Updated contribution guide to describe the new automated CLA signing flow and removed legacy CLA badge/documentation.


- Replace custom CLA system with contributor-assistant/github-action
- Add all 25 existing signers to allowlist (no re-signing needed)
- Remove old cla-check.yml workflow and cla_check.py script
- Remove old cla-signers.json and issue template
- New contributors sign by commenting on their PR
- Signatures stored in signatures/cla.json (auto-created)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

coderabbitai bot commented Jan 12, 2026

Walkthrough

Removes the repository's custom CLA infrastructure (issue template, signer manifest, Python verifier, and workflow) and adds a new GitHub Actions workflow using contributor-assistant/github-action@v2 to manage CLA signing and store signatures.

Changes

Cohort / File(s) and summary:

  • Removed CLA artifacts
    Files: .github/ISSUE_TEMPLATE/cla-signature.yml, .github/cla-signers.json, .github/scripts/cla_check.py, .github/workflows/cla-check.yml, .github/CLA_BADGE.md
    Summary: Deleted legacy CLA issue template, signer manifest, Python enforcement script (including email normalization, PR author aggregation, signer resolution, and comment posting), old workflow, and badge doc. Reviewers should note removal of signer data and automation logic.
  • Added CLA Assistant workflow
    Files: .github/workflows/cla.yml
    Summary: Added workflow using contributor-assistant/github-action@v2 configured with CLA.md, signatures/cla.json, allowlist, lock-after-merge, and custom messages for signing and status comments.

Sequence Diagram(s)

sequenceDiagram
  participant Contributor
  participant GitHub as GitHub (PR)
  participant Action as CLA Assistant Action
  participant Repo as Repository (signatures/cla.json)
  participant Comment as PR Comments

  Contributor->>GitHub: Open PR or post signed comment
  GitHub->>Action: Trigger workflow (pull_request_target / issue_comment)
  Action->>Repo: Read/Write signatures/cla.json
  Action->>Comment: Post/update signing status and instructions
  Action->>GitHub: Optionally lock PR after merge
  Comment->>Contributor: Inform about signing status

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested reviewers

  • mikejmorgan-ai

Poem

🐰 New paths hop where old ones fell behind,
A simple prompt now signs the willing kind,
No parser fuss, no manifests to comb,
The assistant hops and finds a home,
Cheers — a tidy burrow, smooth and kind. 🥕✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

  • Description check: ❓ Inconclusive
    Explanation: The PR description provides a comprehensive summary of changes but is missing the required 'Related Issue' and 'AI Disclosure' sections from the template, and lacks test confirmation.
    Resolution: Add the missing 'Related Issue' section with an issue number, include the 'AI Disclosure' section with the AI tool checkbox, and confirm test status before merge.

✅ Passed checks (2 passed)

  • Title check: ✅ Passed
    Explanation: The title clearly and concisely summarizes the primary change: migrating from a custom CLA system to the CLA Assistant GitHub Action.
  • Docstring Coverage: ✅ Passed
    Explanation: No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



📜 Recent review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2280ea8 and 68a3413.

📒 Files selected for processing (2)
  • .github/CLA_BADGE.md
  • CONTRIBUTING.md
💤 Files with no reviewable changes (1)
  • .github/CLA_BADGE.md
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
  • GitHub Check: Test (Python 3.12)
  • GitHub Check: test (3.11)
  • GitHub Check: test (3.12)
  • GitHub Check: test (3.10)
🔇 Additional comments (1)
CONTRIBUTING.md (1)

47-50: No issues found. The signing phrase in CONTRIBUTING.md exactly matches the custom-pr-sign-comment parameter in .github/workflows/cla.yml. Contributors will be able to sign the CLA without any problems.



@gemini-code-assist

Summary of Changes

Hello @Anshgrover23, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request modernizes the project's Contributor License Agreement (CLA) process by transitioning from a bespoke Python-based system to the contributor-assistant/github-action. This change aims to streamline CLA compliance, making it easier for both new and existing contributors. The new system automates the signing process for new contributors via PR comments and ensures that all current signers are recognized without requiring any additional action from them.

Highlights

  • CLA System Migration: The custom CLA enforcement system has been replaced with the contributor-assistant/github-action for streamlined management.
  • Existing Signers Allowlisted: All 25 previously signed contributors are automatically allowlisted, ensuring no re-signing is required from them.
  • Simplified New Contributor Flow: New contributors can now sign the CLA by simply commenting a specific phrase on their Pull Request, automating the process.
  • Automated Signature Storage: Signatures are now automatically stored and managed in a signatures/cla.json file.
  • Significant Code Reduction: The migration resulted in a substantial reduction of custom code, removing 814 lines and adding only 50, improving maintainability.
Ignored Files
  • Ignored by pattern: .github/workflows/** (2)
    • .github/workflows/cla-check.yml
    • .github/workflows/cla.yml


@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request is a great improvement, migrating from a custom CLA verification system to the standard contributor-assistant/github-action. This simplifies the repository by removing a significant amount of custom code. While the deletions are correct, this change introduces one issue: the CONTRIBUTING.md file is now outdated and will confuse new contributors. Please see the detailed comments for suggestions.

I am having trouble creating individual review comments. Click here to see my feedback.

.github/ISSUE_TEMPLATE/cla-signature.yml (1-87)

high

The deletion of this issue template makes the instructions in CONTRIBUTING.md outdated. The contributing guide still directs new contributors to use this template to sign the CLA. This will lead to confusion and a broken workflow for new contributors. Please update CONTRIBUTING.md to describe the new signing process, which involves posting a specific comment on the pull request.

- Update CONTRIBUTING.md with new sign-by-comment flow
- Remove "For Maintainers" section (no longer needed)
- Delete CLA_BADGE.md (referenced hosted service we don't use)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (1)
.github/workflows/cla.yml (1)

24-24: Pin to a specific commit SHA for supply chain security.

Using @v2 tracks the latest v2.x release, which is convenient but introduces supply chain risk. GitHub's security best practices recommend pinning to a full commit SHA for immutability, as tag references can be moved or compromised.

🔒 Proposed fix to pin to specific SHA
-        uses: contributor-assistant/github-action@v2
+        uses: contributor-assistant/github-action@<full-commit-sha>  # See releases page for SHA
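Review bot: the trailing comment on the added uses: line ("See releases page for SHA") will not tell a later reader which release the pinned commit corresponds to. Once the placeholder is replaced with the full 40-character commit SHA, have the comment name the release tag the SHA was taken from, so the pin can be audited and bumped deliberately. Since this workflow runs on pull_request_target with contents: write, the pin deserves more weight than a nitpick.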

Find the latest release SHA from the action's releases page. The current latest version is v2.6.1.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 09e725e and 2280ea8.

📒 Files selected for processing (5)
  • .github/ISSUE_TEMPLATE/cla-signature.yml
  • .github/cla-signers.json
  • .github/scripts/cla_check.py
  • .github/workflows/cla-check.yml
  • .github/workflows/cla.yml
💤 Files with no reviewable changes (4)
  • .github/ISSUE_TEMPLATE/cla-signature.yml
  • .github/cla-signers.json
  • .github/workflows/cla-check.yml
  • .github/scripts/cla_check.py
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)
  • GitHub Check: Test (Python 3.12)
  • GitHub Check: Test (Python 3.11)
  • GitHub Check: test (3.12)
  • GitHub Check: test (3.10)
  • GitHub Check: test (3.11)
🔇 Additional comments (3)
.github/workflows/cla.yml (3)

1-6: LGTM - Appropriate use of pull_request_target.

Using pull_request_target is the correct choice here since:

  • It provides write access and secrets for forked PRs
  • The CLA action doesn't check out or execute untrusted code from the PR branch

The trigger types cover all necessary events for CLA management.


8-12: Permissions are appropriately scoped.

Each permission serves a specific purpose:

  • contents: write → commit signatures to signatures/cla.json
  • pull-requests: write → post CLA prompts/confirmations
  • statuses: write → update PR check status

25-50: Configuration is well-structured.

Good practices observed:

  • lock-pullrequest-aftermerge: true prevents post-merge tampering
  • Bot accounts properly excluded from CLA requirement
  • Custom messages provide clear guidance for new contributors
  • Allowlist includes all 25 existing signers from the old system
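
The two workflow points raised in this review (the `@v2` tag reference, and the `pull_request_target` trigger combined with write permissions) can be checked mechanically. The following is an added example, not part of this PR or the repository: a Python check run over a constructed sample workflow. The sample's trigger types, its second and third `uses:` lines, and all function names are assumptions made for illustration.

```python
import re

# Constructed sample resembling the workflow discussed above; NOT the repository's file.
SAMPLE_WORKFLOW = """\
name: CLA Assistant
on:
  issue_comment:
    types: [created]
  pull_request_target:
    types: [opened, synchronize, closed]
permissions:
  contents: write
  pull-requests: write
  statuses: write
jobs:
  cla:
    runs-on: ubuntu-latest
    steps:
      - uses: contributor-assistant/github-action@v2
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # constructed SHA
      - uses: ./.github/actions/local
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def unpinned_actions(workflow_text):
    """Return (line_no, reference) for each remote action not pinned to a full commit SHA."""
    findings = []
    for no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local actions and container images are out of scope here
        _, _, version = ref.partition("@")
        if not FULL_SHA_RE.match(version):  # tags and branches are mutable references
            findings.append((no, ref))
    return findings

def privileged_trigger(workflow_text):
    """True if the workflow runs on pull_request_target and grants any write permission."""
    has_prt = re.search(r"^\s*pull_request_target\s*:", workflow_text, re.M) is not None
    has_write = re.search(r"^\s*[\w-]+:\s*write\s*$", workflow_text, re.M) is not None
    return has_prt and has_write

def audit(workflow_text):
    """Unpinned references, marked high priority when the workflow is privileged."""
    priv = privileged_trigger(workflow_text)
    return [{"line": n, "uses": r, "high_priority": priv}
            for n, r in unpinned_actions(workflow_text)]
```

Run against the sample, `audit` reports only the tag-referenced action and marks it high priority because the same file grants write permissions under `pull_request_target`.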

@sonarqubecloud

Quality Gate failed

Failed conditions
1 Security Hotspot

See analysis details on SonarQube Cloud
