feat(legal): add CLA with automated GitHub Actions enforcement

Introduce Individual Contributor License Agreement (ICLA) to enable dual licensing (LGPL-V3 open source + future closed-source releases). - CLA.md: Apache ICLA-style license grant with moral rights waiver, patent license, electronic signature clause, and assignability - .github/workflows/cla.yml: CLA Assistant Lite bot that auto-checks PRs, posts signing prompts, and stores signatures on a separate `cla-signatures` branch to keep main branch history clean
2026-04-21 11:14:40 +08:00
parent ffc9c38722
commit 960b2bb8e6
2 changed files with 132 additions and 0 deletions
--- a/.github/workflows/cla.yml
+++ b/.github/workflows/cla.yml
@@ -0,0 +1,59 @@
+name: "CLA Assistant"
+
+on:
+  issue_comment:
+    types: [created]
+  pull_request_target:
+    types: [opened, reopened, closed, synchronize]
+
+permissions:
+  actions: write
+  contents: write
+  pull-requests: write
+  statuses: write
+
+jobs:
+  cla-check:
+    if: |
+      github.event_name == 'issue_comment' ||
+      (github.event_name == 'pull_request_target' && github.event.action != 'closed')
+    runs-on: ubuntu-latest
+    steps:
+      - name: "CLA Assistant"
+        if: |
+          (github.event.comment.body == 'recheck' ||
+           github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') ||
+          github.event_name == 'pull_request_target'
+        uses: contributor-assistant/github-action@v2.6.1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          path-to-signatures: "cla.json"
+          path-to-document: "https://github.com/Wei-Shaw/sub2api/blob/main/CLA.md"
+          branch: "cla-signatures"
+          allowlist: "dependabot[bot],renovate[bot],bot*"
+          lock-pullrequest-aftermerge: false
+          custom-notsigned-prcomment: |
+            Thank you for your contribution! Before we can merge this PR, we need $you to sign our [Contributor License Agreement (CLA)](https://github.com/Wei-Shaw/sub2api/blob/main/CLA.md).
+
+            **To sign**, please reply with the following comment:
+
+            > I have read the CLA Document and I hereby sign the CLA
+
+            You only need to sign once — it will be valid for all your future contributions to this project.
+          custom-pr-sign-comment: "I have read the CLA Document and I hereby sign the CLA"
+          custom-allsigned-prcomment: "All contributors have signed the CLA. ✅"
+
+  cla-lock:
+    if: github.event_name == 'pull_request_target' && github.event.action == 'closed' && github.event.pull_request.merged == true
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Lock merged PR"
+        uses: contributor-assistant/github-action@v2.6.1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          path-to-signatures: "cla.json"
+          path-to-document: "https://github.com/Wei-Shaw/sub2api/blob/main/CLA.md"
+          branch: "cla-signatures"
+          lock-pullrequest-aftermerge: true