[BUG] How to use this action on a protected branch? #150

Closed
sumanth-lingappa opened this issue Apr 12, 2024 · 8 comments
Labels
bug Something isn't working

Comments

sumanth-lingappa commented Apr 12, 2024

Describe the bug
I have set up a CLA for our repo.
Earlier, the CLA used to work as expected. Refer HERE

Now, it started giving this comment even for a cla-signed user!

To Reproduce
My CLA workflow is HERE

---
name: CLA Assistant
on:
  # issue_comment:
  #   types: [created] # commented as we do not need CLA for raising issues
  pull_request_target:
    types: [opened, closed, synchronize]
# explicitly configure permissions, in case your GITHUB_TOKEN workflow permissions are set to read-only in repository settings
permissions:
  actions: write
  contents: write
  pull-requests: write
  statuses: write
jobs:
  CLAAssistant:
    runs-on: ubuntu-latest
    steps:
      - name: CLA Assistant
        if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby
          sign the CLA') || github.event_name == 'pull_request_target'
        uses: contributor-assistant/github-action@v2.3.0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # the below token should have repo scope and must be manually added by you in the repository's secret
          # This token is required only if you have configured to store the signatures in a remote repository/organization
          PERSONAL_ACCESS_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
        with:
          path-to-signatures: "signatures/version1/cla.json"
          path-to-document: https://gist.githubusercontent.com/konstantika/217986f1a636d42bf4fcf3680a11a5b8/raw/808a16c96ac10ac4ce703525faf586c86f574c02/csg_cla_ansible.txt
          # branch should not be protected
          branch: "main"
          allowlist: bot*
          # the followings are the optional inputs - If the optional inputs are not given, then default values will be taken
          #remote-organization-name: enter the remote organization name where the signatures should be stored (Default is storing the signatures in the same repository)
          #remote-repository-name: enter the  remote repository name where the signatures should be stored (Default is storing the signatures in the same repository)
          #create-file-commit-message: 'For example: Creating file for storing CLA Signatures'
          #signed-commit-message: 'For example: $contributorName has signed the CLA in $owner/$repo#$pullRequestNo'
          #custom-notsigned-prcomment: 'pull request comment with Introductory message to ask new contributors to sign'
          #custom-pr-sign-comment: 'The signature to be committed in order to sign the CLA'
          #custom-allsigned-prcomment: 'pull request comment when all contributors has signed, defaults to **CLA Assistant Lite bot** All Contributors have signed the CLA.'
          #lock-pullrequest-aftermerge: false - if you don't want this bot to automatically lock the pull request after merging (default - true)
          #use-dco-flag: true - If you are using DCO instead of CLA

I have also observed that there are two workflows run for the CLA:

  • license/cla -- which gets successful
  • CLA Assistant / CLAAssistant (pull_request_target) -- which fails


Expected behavior
The CLA should work as before


@sumanth-lingappa sumanth-lingappa added the bug label Apr 12, 2024
@sumanth-lingappa
Author

Looks like the "main" branch should NOT be protected.

However, I need to protect our main branch. Is there a way I can use this CLA action with a protected branch?


@sumanth-lingappa sumanth-lingappa changed the title from "[BUG] CLA not working anymore as it was working earlier" to "[BUG] pull_request_target workflow is failing. How to use this action with protected branch" on Apr 12, 2024
@sumanth-lingappa
Author

@ibakshay or anyone. Can I please get some help here?

@sumanth-lingappa sumanth-lingappa changed the title from "[BUG] pull_request_target workflow is failing. How to use this action with protected branch" to "[BUG] How to use this action on a protected branch?" on Apr 16, 2024
@ibakshay
Member

Hi @sumanth-lingappa,

I apologize for the delayed response.
The secrets.GITHUB_ACTION currently lacks sufficient permissions to commit to a protected branch. As a workaround, if you are an admin of the repository, you could store your GitHub Personal Access Token (with repository write permissions) in the repository's secrets. Then, reference it as secrets.PERSONAL_ACCESS_TOKEN in the cla.yaml workflow file.
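
An alternative layout that leaves `main` protected, as an added example (not part of the original comments and not the action's own documentation): the signature file is kept in a separate repository through the `remote-organization-name` and `remote-repository-name` inputs listed in the workflow above, so the personal access token is the only credential that writes anywhere. `example-org`, `cla-signatures` and the document URL are placeholders; reducing `contents` to `read` and the meaning of `branch` for a remote repository are assumptions to check against the action's README.

```yaml
# Added example, not the thread author's workflow.
# Placeholders: example-org, cla-signatures, the CLA document URL.
name: CLA Assistant
on:
  issue_comment:
    types: [created]   # sign and "recheck" comments on a PR arrive as issue_comment events
  pull_request_target:
    types: [opened, closed, synchronize]

permissions:
  actions: write
  contents: read        # assumption: nothing is committed to this repository any more
  pull-requests: write
  statuses: write

jobs:
  CLAAssistant:
    runs-on: ubuntu-latest
    steps:
      # No checkout step: pull_request_target jobs run with the base repository's
      # secrets, so code from the pull request must never execute in this job.
      - name: CLA Assistant
        if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
        uses: contributor-assistant/github-action@v2.3.0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Used for the commit to the signature repository; limit it to that
          # repository if the token type allows, and rotate it on a schedule.
          PERSONAL_ACCESS_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
        with:
          path-to-signatures: "signatures/version1/cla.json"
          path-to-document: "https://example.com/cla.txt"   # placeholder
          remote-organization-name: "example-org"           # placeholder
          remote-repository-name: "cla-signatures"          # placeholder
          # assumption: with a remote repository configured, this names a branch
          # of cla-signatures, which is left unprotected
          branch: "main"
          allowlist: bot*
```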

@sumanth-lingappa
Author

Thank you for your response @ibakshay.
The documentation says we need to use secrets.PERSONAL_ACCESS_TOKEN to save signatures in the remote repositories.
With your above comment, I can infer that this secret can also be used to store the signature in the protected branch.

I have one question, which I have asked in #151: why do we need to store the signatures in the repo? We get these details anyway in our cla-assistant.io account?

I am new to the CLA world, and I would like to follow the best practices for our CLA.

@ibakshay
Member

> Thank you for your response @ibakshay. The documentation says we need to use secrets.PERSONAL_ACCESS_TOKEN to save signatures in the remote repositories. With your above comment, I can infer that this secret can also be used to store the signature in the protected branch.
>
> I have one question, which I have asked in #151: why do we need to store the signatures in the repo? We get these details anyway in our cla-assistant.io account?
>
> I am new to the CLA world, and I would like to follow the best practices for our CLA.

That is a good point. I will update the documentation or feel free to create a PR updating the documentation :).

https://cla-assistant.io/ is a totally different tool, and they store the signatures in a central database which is managed by the project maintainers. This tool is an alternative to https://cla-assistant.io/ where the signatures are stored directly in the same repository or even in a central private repository, and you as a Repo Admin get to manage all the contributors' signatures.

@sumanth-lingappa
Author

Oh, I had thought this action is for cla-assistant.io itself.

Please confirm this:
If I am using the cla-assistant.io tool, then I don't need to use this action at all?

@ibakshay
Member

> Oh, I had thought this action is for cla-assistant.io itself.
>
> Please confirm this: If I am using the cla-assistant.io tool, then I don't need to use this action at all?

Yes, that is correct. You do not need this action for the cla-assistant.io tool.

@sumanth-lingappa
Author

Thank you @ibakshay for the clarification.
I will close this issue.

sumanth-lingappa added a commit to netscaler/ansible-collection-netscaleradc that referenced this issue Apr 29, 2024
as discussed in the contributor-assistant/github-action#150 (comment), cla github action is not required when using cla-assistant tool