Skip to content
Latchkey

CLA Assistant workflow (OpenOSINT/OpenOSINT)

The CLA Assistant workflow from OpenOSINT/OpenOSINT, explained and optimized by Latchkey.

B

CI health: B - good

Point runs-on at Latchkey and get job timeouts, SHA-pinned actions, self-healing for flaky steps, and up to 58% lower cost, applied automatically.

Grade your own workflow free or run it on Latchkey →
Source: OpenOSINT/OpenOSINT.github/workflows/cla.ymlLicense MITView source

What it does

This is the CLA Assistant workflow from the OpenOSINT/OpenOSINT repository, a real project running GitHub Actions. It is shown here with attribution under its MIT license.

Below, Latchkey shows a faster, safer version produced by its optimization engine.

The workflow

workflow (.yml)
# ─────────────────────────────────────────────────────────────────────────────
# CLA Assistant - enforces signing of CLA.md before PRs can be merged.
#
# REQUIRED SECRET (add once in GitHub → Settings → Secrets and variables →
# Actions → New repository secret):
#
#   Name:  PERSONAL_ACCESS_TOKEN
#   Value: A GitHub Personal Access Token (classic)
#          Required scopes: repo  (tick the top-level "repo" checkbox)
#          This allows the action to push the updated signatures.json back to
#          the repository after each contributor signs.
#
# To create the PAT:
#   GitHub → Settings → Developer settings → Personal access tokens →
#   Tokens (classic) → Generate new token (classic)
#   Check "repo" scope → copy the token → paste as the secret value above.
#
# ─────────────────────────────────────────────────────────────────────────────
name: CLA Assistant

on:
  issue_comment:
    types: [created]
  pull_request_target:
    types: [opened, closed, synchronize]

permissions:
  actions: write
  contents: write
  pull-requests: write
  statuses: write

jobs:
  cla-assistant:
    runs-on: ubuntu-latest
    if: |
      (github.event.comment.body == 'recheck' ||
       github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') ||
      github.event_name == 'pull_request_target'
    steps:
      - name: CLA Assistant
        uses: cla-assistant/github-action@v2.6.1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PERSONAL_ACCESS_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
        with:
          path-to-signatures: '.github/cla/signatures.json'
          path-to-document: 'https://github.com/${{ github.repository }}/blob/main/CLA.md'
          branch: 'main'
          allowlist: 'bot*'

The same workflow, on Latchkey

Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.

# ─────────────────────────────────────────────────────────────────────────────
# CLA Assistant - enforces signing of CLA.md before PRs can be merged.
#
# REQUIRED SECRET (add once in GitHub → Settings → Secrets and variables →
# Actions → New repository secret):
#
#   Name:  PERSONAL_ACCESS_TOKEN
#   Value: A GitHub Personal Access Token (classic)
#          Required scopes: repo  (tick the top-level "repo" checkbox)
#          This allows the action to push the updated signatures.json back to
#          the repository after each contributor signs.
#
# To create the PAT:
#   GitHub → Settings → Developer settings → Personal access tokens →
#   Tokens (classic) → Generate new token (classic)
#   Check "repo" scope → copy the token → paste as the secret value above.
#
# ─────────────────────────────────────────────────────────────────────────────
name: CLA Assistant
 
on:
  issue_comment:
    types: [created]
  pull_request_target:
    types: [opened, closed, synchronize]
 
permissions:
  actions: write
  contents: write
  pull-requests: write
  statuses: write
 
jobs:
  cla-assistant:
    timeout-minutes: 30
    runs-on: latchkey-small
    if: |
      (github.event.comment.body == 'recheck' ||
       github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') ||
      github.event_name == 'pull_request_target'
    steps:
      - name: CLA Assistant
        uses: cla-assistant/github-action@v2.6.1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PERSONAL_ACCESS_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
        with:
          path-to-signatures: '.github/cla/signatures.json'
          path-to-document: 'https://github.com/${{ github.repository }}/blob/main/CLA.md'
          branch: 'main'
          allowlist: 'bot*'
 

What changed

1 third-party action is referenced by a movable tag. Pin it to the commit SHA (Latchkey resolves and applies this automatically) so a repointed tag cannot change what runs.

This workflow runs 1 job per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.