The CLA assistant action pinned in `.github/workflows/cla.yaml` is still on `iainmcgin/cla-github-action@eeb7f3f` (v2.7.1). The fork has since picked up three behavior changes that we want here:
- Impersonation guard (`require-opener-as-author`, default `true`) — fails the check if the PR opener is not recorded as an author or `Co-authored-by` of any commit in the PR. Guards against an attacker opening a PR whose commits are attributed to a trusted identity. Runs before the allowlist filter.
- PR opener and `Co-authored-by:` trailers join the committer set — previously only `commit.author` was checked. The PR submitter and any co-author trailers must now also sign (or be allowlisted). Noreply-form trailer emails (`<id>+<login>@users.noreply.github.com`) are parsed directly to login/id.
- Actionable unlinked-email guidance — when a commit author's email is not linked to any GitHub user, the bot posts a `> [!WARNING]` block listing each unlinked email with concrete remediation (link at github.com/settings/emails, or rewrite commands).
Plus a dead-404-path bugfix in the signatures-file bootstrap.
Buffa adopted the new pin in anthropics/buffa#72 on 2026-04-28; this issue tracks the same upgrade for connect-rust.
Operational impact
- Author-rewrite for unlinked-email contributors — still works: contributor is the PR opener and appears via the `Co-authored-by:` trailer, so no opener mismatch. They are now correctly required to sign.
- Signed-squash for unsigned fork commits — the squash commit message must include `Co-authored-by: <login> <id+login@users.noreply.github.com>` for the PR opener, or the impersonation guard will fail the check.

Note: `pull_request_target` runs the workflow from the base branch, so the upgrade PR's own CLA check still uses the old pin. The new action is first exercised on the next PR opened/synced after merge.
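To make the two operational cases above concrete, here is an added example that models the three rules described in this issue (opener-as-author guard, committer set including the opener and `Co-authored-by:` trailers, noreply-address parsing). It is not the cla-github-action's own code; the function names (`evaluatePr`, `parseCoAuthors`, `parseNoreply`), the commit-object shape, the `emailIndex` lookup standing in for GitHub's email-to-user resolution, and the sample commits are all constructed for illustration. It lets a maintainer check whether a planned squash commit message will pass the guard before pushing it.

```javascript
// Added example: a local model of the CLA checks described in the issue.
// Not the action's code; object shapes and the emailIndex lookup are assumptions.

// Parse "Co-authored-by: Name <email>" trailers out of a commit message.
function parseCoAuthors(message) {
  const out = [];
  const re = /^Co-authored-by:\s*(.+?)\s*<([^>]+)>\s*$/gim;
  let m;
  while ((m = re.exec(message)) !== null) out.push({ name: m[1], email: m[2] });
  return out;
}

// Noreply addresses carry login and numeric id directly:
// <id>+<login>@users.noreply.github.com. Anything else returns null.
function parseNoreply(email) {
  const m = /^(\d+)\+([A-Za-z0-9-]+)@users\.noreply\.github\.com$/i.exec(email);
  return m ? { id: Number(m[1]), login: m[2].toLowerCase() } : null;
}

// Resolve a trailer email to a GitHub identity: noreply form directly,
// otherwise via emailIndex (a stand-in for the GitHub user lookup).
// Unlinked emails resolve to null.
function resolveIdentity(email, emailIndex) {
  const direct = parseNoreply(email);
  if (direct) return direct;
  const hit = emailIndex[email.toLowerCase()];
  return hit ? { id: hit.id, login: hit.login.toLowerCase() } : null;
}

// pr: { openerLogin, commits: [{ authorLogin|null, authorEmail, message }] }
//   authorLogin is null when GitHub could not link the author email to a user.
// emailIndex: { lowercaseEmail: { id, login } }; allowlist: Set of lowercase logins.
function evaluatePr(pr, emailIndex, allowlist = new Set()) {
  const opener = pr.openerLogin.toLowerCase();
  const committers = new Set([opener]); // the opener always joins the committer set
  const unlinkedEmails = [];
  let openerIsAuthor = false;

  for (const c of pr.commits) {
    const authorLogin = c.authorLogin ? c.authorLogin.toLowerCase() : null;
    if (authorLogin) committers.add(authorLogin);
    else unlinkedEmails.push(c.authorEmail); // feeds the [!WARNING] guidance
    if (authorLogin === opener) openerIsAuthor = true;

    for (const ca of parseCoAuthors(c.message)) {
      const who = resolveIdentity(ca.email, emailIndex);
      if (!who) { unlinkedEmails.push(ca.email); continue; }
      committers.add(who.login);
      if (who.login === opener) openerIsAuthor = true;
    }
  }

  // Impersonation guard runs before the allowlist filter: even an allowlisted
  // opener must be an author or co-author of some commit in the PR.
  if (!openerIsAuthor) {
    return { ok: false, reason: 'opener-not-author', unlinkedEmails };
  }
  const mustSign = [...committers].filter((l) => !allowlist.has(l)).sort();
  return { ok: true, mustSign, unlinkedEmails };
}

// Constructed sample: a maintainer squashes alice's fork commits and pushes
// them under the maintainer's own identity. Without the trailer the guard fails.
if (typeof require !== 'undefined' && require.main === module) {
  const allowlist = new Set(['maintainer']);
  const base = { authorLogin: 'maintainer', authorEmail: 'm@example.com' };
  const withTrailer = { openerLogin: 'alice', commits: [{
    ...base, message: 'Squash\n\nCo-authored-by: alice <12345+alice@users.noreply.github.com>\n' }] };
  const withoutTrailer = { openerLogin: 'alice', commits: [{ ...base, message: 'Squash' }] };
  console.log(evaluatePr(withTrailer, {}, allowlist));   // ok, alice must sign
  console.log(evaluatePr(withoutTrailer, {}, allowlist)); // opener-not-author
}
```

The lookup table stands in for the API call the real action makes; the point of the model is the ordering (guard first, allowlist filter second) and the fact that a noreply-form trailer is enough to satisfy the guard without any lookup.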