From fac59540ee19b6ff07e367a5cb946193d913099d Mon Sep 17 00:00:00 2001 From: Iain McGinniss <309153+iainmcgin@users.noreply.github.com> Date: Thu, 30 Apr 2026 18:23:48 +0000 Subject: [PATCH] ci: bump cla-github-action to 1ecf0d2f (impersonation guard, co-author trailers) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bumps the CLA assistant action from `eeb7f3f` (v2.7.1) to `1ecf0d2f`. What's new in the action: - Impersonation guard (require-opener-as-author input, default true): fails the check if the PR opener is not recorded as an author or Co-authored-by of any commit in the PR. Runs before the allowlist filter. - PR opener and Co-authored-by trailers join the committer set — previously only commit.author was checked. Noreply-form trailer emails are parsed directly to login/id. - Actionable unlinked-email guidance: when a commit author's email is not linked to any GitHub user, the bot posts a warning block listing each unlinked email with concrete remediation. - Dead-404-path bugfix (signatures-file bootstrap now works first-time). Buffa adopted the new pin in anthropics/buffa#72 on 2026-04-28. Note: pull_request_target runs the workflow from the base branch, so this PR's own CLA check still uses the old eeb7f3f pin. The new action is first exercised on the next PR opened/synced after merge. Fixes #72 --- .github/workflows/cla.yaml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/workflows/cla.yaml b/.github/workflows/cla.yaml index 51577a8..285f726 100644 --- a/.github/workflows/cla.yaml +++ b/.github/workflows/cla.yaml 
@@ -19,10 +19,11 @@ jobs: - name: "CLA Assistant" if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target' # Upstream contributor-assistant/github-action was archived 2026-03-23 - # still on Node 20 (deprecated 2026-06-02). This fork bumps the - # runtime to Node 24 and fixes a false-failure where the check - # would go red after logging "All contributors have signed". - uses: iainmcgin/cla-github-action@eeb7f3ffa305b600c6e873578b9ea78ca11a5f3e # v2.7.1 + # still on Node 20 (deprecated 2026-06-02). This fork bumps to Node 24 + # and adds: an impersonation guard (PR opener must be an author or + # co-author of at least one commit), Co-authored-by trailer support, + # and actionable unlinked-email guidance. + uses: iainmcgin/cla-github-action@1ecf0d2f19b665777f5b0cda149104238cc6c493 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with:
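Review bot: The new `uses:` line pins `1ecf0d2f19b665777f5b0cda149104238cc6c493` with no trailing comment, where the line it replaces carried `# v2.7.1`. Add a comment stating which tag or branch commit this SHA corresponds to (or that it is untagged), so the pin can be mapped back to a release from this file alone on the next bump. Separately, the rewritten comment block advertises the impersonation guard, but per the commit message it is active only through the default value of `require-opener-as-author`, and this patch adds nothing under `with:`. Consider setting `require-opener-as-author: true` explicitly so the guard stays on if the action's default changes in a later pin.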