This repository stores contributors' signatures of our CLA.
When a contributor opens a pull request in one of our projects, a GitHub Action (contributor-assistant/github-action) automatically checks whether everyone who authored commits in that PR has signed our Contributor License Agreement. If anyone hasn't, the bot asks them to sign by replying with a short, fixed phrase.
Once a contributor signs, their identity is recorded in signatures/cla.json in this central repository, the pull request's status check turns green, and they won't be asked again for future contributions. Known bot accounts are allow-listed so they never need to sign.
This keeps all signatures in one place across every project, with no server or database to maintain — everything runs through GitHub Actions.
To enable the CLA check on a new repository:
-
Copy the workflow file
.github/workflows/cla.ymlfrom this repository into the same path in the target repository. -
Add a secret in the target repository named
PERSONAL_ACCESS_TOKENcontaining the token of the service accountcomfy-legal:Settings>Secrets and variables>New repository secret. The token is used by the GitHub action workflow to record signatures here. -
Add a branch protection rule on the target repository to prevent merging without signing the CLA:
Settings>Code and automation>Branches>Add a classic branch protection rule
- Type the branch name (ex:
masterormain) - Select Require status checks to pass before merging
- Select
cla-assistant
Once the workflow and secret are in place, the CLA check runs automatically on every new pull request.