CLA Assistant workflow (OpenOSINT/OpenOSINT)
The CLA Assistant workflow from OpenOSINT/OpenOSINT, explained and optimized by Latchkey.
CI health: B - good
Point runs-on at Latchkey and get job timeouts, SHA-pinned actions, self-healing for flaky steps, and up to 58% lower cost, applied automatically.
What it does
This is the CLA Assistant workflow from the OpenOSINT/OpenOSINT repository, a real project running GitHub Actions. It is shown here with attribution under its MIT license.
Below, Latchkey shows a faster, safer version produced by its optimization engine.
The workflow
# ─────────────────────────────────────────────────────────────────────────────
# CLA Assistant - enforces signing of CLA.md before PRs can be merged.
#
# REQUIRED SECRET (add once in GitHub → Settings → Secrets and variables →
# Actions → New repository secret):
#
# Name: PERSONAL_ACCESS_TOKEN
# Value: A GitHub Personal Access Token (classic)
# Required scopes: repo (tick the top-level "repo" checkbox)
# This allows the action to push the updated signatures.json back to
# the repository after each contributor signs.
#
# To create the PAT:
# GitHub → Settings → Developer settings → Personal access tokens →
# Tokens (classic) → Generate new token (classic)
# Check "repo" scope → copy the token → paste as the secret value above.
#
# ─────────────────────────────────────────────────────────────────────────────
name: CLA Assistant
on:
issue_comment:
types: [created]
pull_request_target:
types: [opened, closed, synchronize]
permissions:
actions: write
contents: write
pull-requests: write
statuses: write
jobs:
cla-assistant:
runs-on: ubuntu-latest
if: |
(github.event.comment.body == 'recheck' ||
github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') ||
github.event_name == 'pull_request_target'
steps:
- name: CLA Assistant
uses: cla-assistant/github-action@v2.6.1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
PERSONAL_ACCESS_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
with:
path-to-signatures: '.github/cla/signatures.json'
path-to-document: 'https://github.com/${{ github.repository }}/blob/main/CLA.md'
branch: 'main'
allowlist: 'bot*'
The same workflow, on Latchkey
Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.
# ───────────────────────────────────────────────────────────────────────────── # CLA Assistant - enforces signing of CLA.md before PRs can be merged. # # REQUIRED SECRET (add once in GitHub → Settings → Secrets and variables → # Actions → New repository secret): # # Name: PERSONAL_ACCESS_TOKEN # Value: A GitHub Personal Access Token (classic) # Required scopes: repo (tick the top-level "repo" checkbox) # This allows the action to push the updated signatures.json back to # the repository after each contributor signs. # # To create the PAT: # GitHub → Settings → Developer settings → Personal access tokens → # Tokens (classic) → Generate new token (classic) # Check "repo" scope → copy the token → paste as the secret value above. # # ───────────────────────────────────────────────────────────────────────────── name: CLA Assistant on: issue_comment: types: [created] pull_request_target: types: [opened, closed, synchronize] permissions: actions: write contents: write pull-requests: write statuses: write jobs: cla-assistant: timeout-minutes: 30 runs-on: latchkey-small if: | (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target' steps: - name: CLA Assistant uses: cla-assistant/github-action@v2.6.1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} PERSONAL_ACCESS_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }} with: path-to-signatures: '.github/cla/signatures.json' path-to-document: 'https://github.com/${{ github.repository }}/blob/main/CLA.md' branch: 'main' allowlist: 'bot*'
What changed
- Run on Latchkey managed runners with one line (
runs-on), which apply the fixes below automatically and self-heal transient failures. This example useslatchkey-small; pick the runner size that fits the job. - Add a job timeout so a hung step cannot burn hours of runner time.
1 third-party action is referenced by a movable tag. Pin it to the commit SHA (Latchkey resolves and applies this automatically) so a repointed tag cannot change what runs.
This workflow runs 1 job per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.