From c06a3f060bd0ce7673d439e9e2e9feadd2f0ef7e Mon Sep 17 00:00:00 2001 From: Alexis Rolland Date: Mon, 22 Jun 2026 16:05:41 +0800 Subject: [PATCH 1/4] ci: add CLA Assistant workflow --- .github/workflows/cla.yml | 62 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 62 insertions(+) create mode 100644 .github/workflows/cla.yml diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml new file mode 100644 index 000000000..330c1e189 --- /dev/null +++ b/.github/workflows/cla.yml @@ -0,0 +1,62 @@ +name: CLA Assistant + +on: + issue_comment: + types: [created] + pull_request_target: + types: [opened, synchronize, closed] + +permissions: + actions: write + contents: read # 'read' is enough because signatures live in a REMOTE repo + pull-requests: write + statuses: write + +jobs: + cla-assistant: + runs-on: ubuntu-latest + steps: + - name: CLA Assistant + # Run on PR events, on "recheck" comment, or when someone posts the exact signing phrase. + # IMPORTANT: this phrase must match `custom-pr-sign-comment` below. + if: > + github.event_name == 'pull_request_target' || + github.event.comment.body == 'recheck' || + github.event.comment.body == 'I have read and agree to the Contributor License Agreement' + uses: contributor-assistant/github-action@v2.6.1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # PAT required to write to the centralized signatures repo. + PERSONAL_ACCESS_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }} + with: + # Where the CLA document lives (shown to contributors) + path-to-document: https://github.com/Comfy-Org/comfy-cla/blob/main/comfyui_icla.md + + # Centralized signature storage + remote-organization-name: comfy-org + remote-repository-name: comfy-cla + path-to-signatures: signatures/cla.json + branch: main + + # Allowlist bots so they don't need to sign (optional, comma-separated). + # *[bot] is a catch-all for any GitHub App bot account. + allowlist: ampagent,claude,coderabbitai[bot],comfy-pr-bot,dependabot[bot],github-actions[bot],copilot-swe-agent[bot],devin-ai-integration[bot],*[bot] + + # Custom PR comment messages + custom-notsigned-prcomment: | + 🎉 Thank you for your contribution, we really appreciate it! 🎉 + + Like many open source projects, we require contributors to sign our [Contributor License Agreement (CLA)](https://github.com/Comfy-Org/comfy-cla/blob/main/comfyui_icla.md). A CLA makes the ownership of contributions explicit, so contributors and the project share a clear understanding of how the code can be used. By signing, you: + + - Confirm that you own your contribution. + - Keep the right to reuse your own code. + - Grant us a copyright license to include and share it within our projects. + + CLAs are standard practice across major open source projects including those under the Apache Software Foundation and the Linux Foundation. Ours is based on the Apache Software Foundation's CLA. Most importantly, it would enable us to relicense the project under a more permissive license in the future, giving the project and its community greater flexibility. + + ✍ **To sign, please post a new comment on this PR with exactly the following text:** ✍ + + custom-pr-sign-comment: I have read and agree to the Contributor License Agreement + + custom-allsigned-prcomment: | + ✅ All contributors have signed the CLA. Thank you! This PR is ready to be merged. From 7c18d53e2cbd22e15fa95f6f0acd159af6a5ebff Mon Sep 17 00:00:00 2001 From: Alexis Rolland Date: Mon, 29 Jun 2026 15:24:17 +0800 Subject: [PATCH 2/4] Refactor CLA workflow configuration Updated CLA workflow to modify permissions and action version. --- .github/workflows/cla.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml index 330c1e189..6d38de4ed 100644 --- a/.github/workflows/cla.yml +++ b/.github/workflows/cla.yml @@ -5,10 +5,11 @@ on: types: [created] pull_request_target: types: [opened, synchronize, closed] + merge_group: permissions: actions: write - contents: read # 'read' is enough because signatures live in a REMOTE repo + contents: read # 'read' is enough because signatures live in a REMOTE repo pull-requests: write statuses: write @@ -23,7 +24,7 @@ jobs: github.event_name == 'pull_request_target' || github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read and agree to the Contributor License Agreement' - uses: contributor-assistant/github-action@v2.6.1 + uses: contributor-assistant/github-action@ca4a40a7d1004f18d9960b404b97e5f30a505a08 # v2.6.1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # PAT required to write to the centralized signatures repo. @@ -40,7 +41,7 @@ jobs: # Allowlist bots so they don't need to sign (optional, comma-separated). # *[bot] is a catch-all for any GitHub App bot account. - allowlist: ampagent,claude,coderabbitai[bot],comfy-pr-bot,dependabot[bot],github-actions[bot],copilot-swe-agent[bot],devin-ai-integration[bot],*[bot] + allowlist: action@github.com,actions-user,ampagent,claude,comfy-pr-bot,GitHub Action,github-actions,Glary Bot,Glary-Bot,*[bot] # Custom PR comment messages custom-notsigned-prcomment: | From 33d295bfad578729efe87c16493a4535fb9661b8 Mon Sep 17 00:00:00 2001 From: Alexis Rolland Date: Thu, 2 Jul 2026 12:58:51 +0800 Subject: [PATCH 3/4] Update CLA workflow to build author-only allowlist --- .github/workflows/cla.yml | 29 +++++++++++++++++++++++++++-- 1 file changed, 27 insertions(+), 2 deletions(-) diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml index 6d38de4ed..5fcbe15ec 100644 --- a/.github/workflows/cla.yml +++ b/.github/workflows/cla.yml @@ -17,6 +17,30 @@ jobs: cla-assistant: runs-on: ubuntu-latest steps: + # The CLA action normally requires every commit author in a PR to sign. + # We only want the PR author to sign, so we allowlist all other committers + # by computing them from the PR's commits and excluding the PR author. + - name: Build author-only allowlist + id: allowlist + if: > + github.event_name == 'pull_request_target' || + github.event.comment.body == 'recheck' || + github.event.comment.body == 'I have read and agree to the Contributor License Agreement' + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }} + PR_AUTHOR: ${{ github.event.pull_request.user.login || github.event.issue.user.login }} + BASE_ALLOWLIST: action@github.com,actions-user,ampagent,claude,comfy-pr-bot,GitHub Action,github-actions,github-actions[bot],Glary Bot,Glary-Bot,*[bot] + run: | + others=$(gh api "repos/${{ github.repository }}/pulls/${PR_NUMBER}/commits" --paginate \ + --jq '.[] | (.author.login // empty), (.committer.login // empty)' \ + | sort -u | grep -vix "${PR_AUTHOR}" | paste -sd, -) + if [ -n "$others" ]; then + echo "allowlist=${BASE_ALLOWLIST},${others}" >> "$GITHUB_OUTPUT" + else + echo "allowlist=${BASE_ALLOWLIST}" >> "$GITHUB_OUTPUT" + fi + - name: CLA Assistant # Run on PR events, on "recheck" comment, or when someone posts the exact signing phrase. # IMPORTANT: this phrase must match `custom-pr-sign-comment` below. @@ -39,9 +63,10 @@ jobs: path-to-signatures: signatures/cla.json branch: main - # Allowlist bots so they don't need to sign (optional, comma-separated). + # Only the PR author must sign: bots plus every non-author committer + # are allowlisted via the "Build author-only allowlist" step above. # *[bot] is a catch-all for any GitHub App bot account. - allowlist: action@github.com,actions-user,ampagent,claude,comfy-pr-bot,GitHub Action,github-actions,Glary Bot,Glary-Bot,*[bot] + allowlist: ${{ steps.allowlist.outputs.allowlist }} # Custom PR comment messages custom-notsigned-prcomment: | From 03dce76c0ecdad0a984921533b84530e326942f7 Mon Sep 17 00:00:00 2001 From: Alexis Rolland Date: Thu, 2 Jul 2026 13:18:18 +0800 Subject: [PATCH 4/4] Refactor CLA workflow to include issue comments --- .github/workflows/cla.yml | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml index 5fcbe15ec..b75397e50 100644 --- a/.github/workflows/cla.yml +++ b/.github/workflows/cla.yml @@ -5,7 +5,6 @@ on: types: [created] pull_request_target: types: [opened, synchronize, closed] - merge_group: permissions: actions: write @@ -24,8 +23,10 @@ jobs: id: allowlist if: > github.event_name == 'pull_request_target' || - github.event.comment.body == 'recheck' || - github.event.comment.body == 'I have read and agree to the Contributor License Agreement' + (github.event_name == 'issue_comment' && github.event.issue.pull_request && ( + github.event.comment.body == 'recheck' || + github.event.comment.body == 'I have read and agree to the Contributor License Agreement' + )) env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }} @@ -46,8 +47,10 @@ jobs: # IMPORTANT: this phrase must match `custom-pr-sign-comment` below. if: > github.event_name == 'pull_request_target' || - github.event.comment.body == 'recheck' || - github.event.comment.body == 'I have read and agree to the Contributor License Agreement' + (github.event_name == 'issue_comment' && github.event.issue.pull_request && ( + github.event.comment.body == 'recheck' || + github.event.comment.body == 'I have read and agree to the Contributor License Agreement' + )) uses: contributor-assistant/github-action@ca4a40a7d1004f18d9960b404b97e5f30a505a08 # v2.6.1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}