
ci: add CLA Assistant workflow#14582

Open
alexisrolland wants to merge 1 commit into master from add-cla-workflow

Conversation

@alexisrolland (Member)

Adds the CLA Assistant GitHub Actions workflow at .github/workflows/cla.yml, copied from https://github.com/Comfy-Org/comfy-cla/blob/main/.github/workflows/cla.yml

coderabbitai Bot commented Jun 22, 2026

📝 Walkthrough

A new GitHub Actions workflow file .github/workflows/cla.yml is added. It uses the contributor-assistant/github-action@v2.6.1 action to enforce CLA signing on incoming pull requests. The workflow is triggered by pull_request_target events (opened, synchronize, closed) and issue_comment creation events, running conditionally when the event is PR-related or when a comment contains a recheck keyword or the designated signing phrase. It authenticates via GITHUB_TOKEN and a PERSONAL_ACCESS_TOKEN, stores signatures in a centralized remote repository, exempts a list of bot accounts, and defines custom PR comment templates for unsigned and fully-signed states.

🚥 Pre-merge checks: 5 passed

Title check: Passed. The title 'ci: add CLA Assistant workflow' clearly and concisely summarizes the main change, adding a new GitHub Actions workflow for CLA management.
Description check: Passed. The description accurately relates to the changeset, explaining that the PR adds a CLA Assistant GitHub Actions workflow copied from a reference repository.
Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.


alexisrolland marked this pull request as draft June 22, 2026 08:07
alexisrolland marked this pull request as ready for review June 22, 2026 08:45

coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/cla.yml:
- Line 26: The `contributor-assistant/github-action` action in the cla.yml
workflow is pinned to version tag `v2.6.1` instead of a commit SHA, which is a
security risk since tags can be force-pushed. Additionally, this repository is
archived and no longer receives security updates. Replace the current uses
statement `contributor-assistant/github-action@v2.6.1` with the pinned commit
SHA
`contributor-assistant/github-action@ca4a40a7d1004f18d9960b404b97e5f30a505a08`
to mitigate the risk. Consider evaluating whether to migrate to an actively
maintained alternative like `cla-assistant/github-action`.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 9268a813-a1ec-42c7-94b9-b516dd3acbc3

📥 Commits

Reviewing files that changed from the base of the PR and between b0f9e32 and c06a3f0.

📒 Files selected for processing (1)
  • .github/workflows/cla.yml

Comment thread on .github/workflows/cla.yml (the flagged uses: reference is line 26):
github.event_name == 'pull_request_target' ||
github.event.comment.body == 'recheck' ||
github.event.comment.body == 'I have read and agree to the Contributor License Agreement'
uses: contributor-assistant/github-action@v2.6.1


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify the repository status and get the SHA for v2.6.1

# Check if the repo is archived
gh repo view contributor-assistant/github-action --json isArchived,url

# Get the commit SHA for the v2.6.1 tag
gh api repos/contributor-assistant/github-action/git/refs/tags/v2.6.1 --jq '.object.sha'

Repository: Comfy-Org/ComfyUI

Length of output: 185


Pin action to commit SHA; repository is archived.

The contributor-assistant/github-action repository is archived, so it will no longer receive security updates. Additionally, the action is pinned to the version tag v2.6.1 instead of a commit SHA; tags can be force-pushed, potentially allowing a compromised update to execute.

To mitigate the risk, pin to the commit SHA for this version:

uses: contributor-assistant/github-action@ca4a40a7d1004f18d9960b404b97e5f30a505a08

If this action is no longer actively maintained, consider migrating to cla-assistant/github-action or another actively maintained alternative.

🧰 Tools
🪛 zizmor (1.25.2)

[error] 26-26: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
[warning] 26-26: action or reusable workflow from archived repository (archived-uses): repository is archived


Source: Linters/SAST tools
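As an added example, not code from this PR, from CodeRabbit, or from zizmor: a POSIX shell script that implements the check the review above asks for. It lists every uses: reference in a workflow file that is not pinned to a full 40-hex commit SHA, and rewrites a given owner/repo@tag reference to owner/repo@sha with the tag kept as a trailing comment so readers can still see which release the SHA corresponds to. The sample workflow is constructed here to mirror the lines quoted in the thread (the trigger list from the walkthrough, the tag-pinned line from the diff); the function names and the local-action line are assumptions, and the SHA is the one the bot reported for v2.6.1, copied from the comment above rather than re-verified.

```shell
#!/bin/sh
# Added example, not code from the PR: lint a GitHub Actions workflow for
# unpinned `uses:` references and rewrite a tag reference to a commit SHA.
# Function names and the sample workflow below are assumptions.

# Constructed sample workflow: one tag-pinned reference (as flagged in the PR),
# one SHA-pinned reference with the tag kept as a comment, and one local action.
sample_workflow() {
  cat <<'EOF'
name: CLA Assistant
on:
  pull_request_target:
    types: [opened, synchronize, closed]
  issue_comment:
    types: [created]
jobs:
  cla:
    runs-on: ubuntu-latest
    steps:
      - uses: contributor-assistant/github-action@v2.6.1
      - uses: contributor-assistant/github-action@ca4a40a7d1004f18d9960b404b97e5f30a505a08 # v2.6.1
      - uses: ./.github/actions/local
EOF
}

# Print each `uses:` reference in $1 that is neither a local path, a docker://
# image, nor pinned to a 40-hex commit SHA. Returns 1 if any such reference exists.
check_pinned_uses() {
  unpinned=$(
    sed -n 's/^[[:space:]]*-*[[:space:]]*uses:[[:space:]]*//p' "$1" \
      | sed 's/[[:space:]]*#.*$//' \
      | grep -v -e '^\./' -e '^docker://' \
      | grep -Ev '@[0-9a-f]{40}$' || true
  )
  if [ -n "$unpinned" ]; then
    printf 'unpinned: %s\n' "$unpinned"
    return 1
  fi
  return 0
}

# Rewrite "uses: $2@$3" (a tag) to "uses: $2@$4 # $3" (a commit SHA, with the
# tag kept as a comment) in the workflow file $1.
pin_uses() {
  action=$2 tag=$3 sha=$4
  # Refuse anything that is not a lowercase 40-hex SHA: a short SHA or a tag
  # would silently leave the reference movable.
  case "$sha" in
    *[!0-9a-f]*|'') echo "pin_uses: not a 40-hex SHA: $sha" >&2; return 2 ;;
  esac
  [ "${#sha}" -eq 40 ] || { echo "pin_uses: not a 40-hex SHA: $sha" >&2; return 2; }
  # Escape regex metacharacters in the tag so v2.6.1 does not also match v2x6x1.
  tag_re=$(printf '%s' "$tag" | sed 's/[.^$*]/\\&/g')
  sed -i.bak "s|uses: $action@$tag_re\$|uses: $action@$sha # $tag|" "$1" && rm -f "$1.bak"
}
```

Usage: source the file, write the sample with `sample_workflow > cla.yml`, run `check_pinned_uses cla.yml` (prints the v2.6.1 line and exits 1), then `pin_uses cla.yml contributor-assistant/github-action v2.6.1 ca4a40a7d1004f18d9960b404b97e5f30a505a08` and re-run the check, which now exits 0. The check deliberately ignores local actions and docker:// images, which are not resolved through a mutable git ref, and it strips trailing comments so a SHA-pinned line annotated with its tag is not flagged.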


Labels: None yet
Projects: None yet
1 participant