Skip to content

Add initial code for autoclosing PRs with no CLA#34

Draft
GCHQDeveloper581 wants to merge 2 commits into
masterfrom
feature/autoclose-prs-without-cla
Draft

Add initial code for autoclosing PRs with no CLA#34
GCHQDeveloper581 wants to merge 2 commits into
masterfrom
feature/autoclose-prs-without-cla

Conversation

@GCHQDeveloper581

@GCHQDeveloper581 GCHQDeveloper581 commented Jul 1, 2026

Copy link
Copy Markdown
Owner

Description
Adds the functionality to autoclose PRs without a signed CLA after a given period.

Features:

  • automatically set/clear "awaiting CLA" label on PRs as they are updated by CLA assistant
  • Add a comment after 14 days (configurable) warning that the PR will be closed if CLA isn't signed
  • Close the PR after a further 14 days (configurable) if the CLA still isn't signed

Existing Issue
Not yet created, but I'll add one before raising the PR formally against the definitive repo.

AI disclosure
Written by Claude Opus 4.8. See prompt below.

Test Coverage
Manual testing required.

Claude Prompt

Write a github action for automatically closing PRs where the CLA has not been signed after a configurable period.

The project handles CLAs using CLA Assistant. You should work with the markers/comments that this applies to PRs.

Features:

  • set the label "awaiting cla" on any PR where the CLA has not yet been signed
  • remove the label "awaiting cla" on any PR where the CLA has now been signed
  • after interval 1 (default 14) days add a comment "this PR will be automatically closed if the CLA is not signed within interval 2 days". Only add this comment once per PR.
  • after a further interval 2 (default 14 days) close the PR with the message "This PR has been automatically closed as the CLA has not been signed. We are happy to have it reopened if the CLA is signed subsequently"

Claude commentary

This is a complete solution that works with CLA Assistant's comment markers. It's split into two parts:

  1. A workflow that reacts to CLA Assistant comment activity (to add/remove the label promptly).
  2. A scheduled workflow that periodically sweeps open PRs to post the warning comment and eventually close stale ones.

How it detects CLA status
CLA Assistant posts a comment on the PR and updates it in place. The key signals:

  • Not signed: the CLA Assistant comment contains a phrase like "Please sign our Contributor License Agreement" / "has not signed" / "we need" (varies by config), and typically the checkbox line [ ].
  • Signed: the comment updates to something like "All committers have signed the CLA" / "CLA Assistant lite bot: All contributors have signed" (varies), typically the checkbox line [x].

⚠️ Important: The exact wording depends on whether you use the hosted CLA Assistant or CLA Assistant Lite, and on your custom message configuration. The regex patterns used are configurable via env — verify them against an actual comment in your repo before relying on this in production.

Design Notes and Rationale

Requirement How it's met
Add awaiting cla when unsigned cla-label.yml adds the label when the latest CLA comment matches the "not signed" pattern. Also enforced defensively in the scheduled sweep.
Remove awaiting cla when signed Triggered by CLA Assistant editing its comment (issue_comment: edited), so removal is near-instant.
Warning after interval 1 Scheduled job checks PR age vs WARN_AFTER_DAYS.
Comment posted only once Enforced via the hidden HTML marker WARN_MARKER; the job skips if that marker already exists.
Close after interval 2 Job measures time since the warning comment's created_at against CLOSE_AFTER_DAYS, then closes with the required message.
Configurable All intervals, labels, bot logins and regexes are env variables at the top of the workflow.

Points to verify before deploying

  1. Regex patterns — Confirm NOT_SIGNED_REGEX / SIGNED_REGEX and CLA_BOT_LOGINS against a real CLA Assistant comment in your repo. This is the single most likely thing to need adjusting. The [ ] vs [x] checkbox is often the most reliable signal if your setup uses it.
  2. pull_request_target security — This trigger runs with repo write permissions in the context of the base repo. The label workflow above does not check out or execute PR code, which is the safe pattern. Do not add actions/checkout of the PR head or run build scripts in this workflow.
  3. Timing basis — The warning threshold is measured from created_at. If you'd rather measure from last activity, switch to pr.updated_at (note: any push resets it).
  4. Schedule frequency — Daily cron means timing is accurate to within ~24h. Increase frequency if tighter timing is needed. Also note GitHub may delay scheduled runs during high load.
  5. Reopening — When a user signs after closure, CLA Assistant updates its comment, but the PR stays closed by design (your message invites them to reopen). If you want auto-reopen, that's a further enhancement.
  6. Rate limits — For repos with very large numbers of open PRs, the per-PR comment pagination could be API-heavy. Consider filtering by label via the Issues search API if needed.

Testing suggestion
Use the workflow_dispatch dry run input on the closer workflow first — it logs every decision without posting comments or closing anything, so you can validate the detection and timing logic against your live PRs safely.

@GCHQDeveloper581 GCHQDeveloper581 marked this pull request as draft July 1, 2026 12:00
@GCHQDeveloper581

Copy link
Copy Markdown
Owner Author

May be better to use the actions/stale github action with only-labels: 'awaiting cla' in preference to the cla-close-stale here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant