updates to license updater, improved cla handling

Author: bashandbone

.github/actionlint.yml

@@ -0,0 +1,12 @@
+# SPDX-FileCopyrightText: 2025 Knitli Inc. <knitli@knit.li>
+# SPDX-FileContributor: Adam Poulemanos <adam@knit.li>
+#
+# SPDX-License-Identifier: MIT OR Apache-2.0
+# ! Actionlint configuration file to ignore specific warnings
+paths:
+  .github/workflows/cla.yml:
+    ignore:
+      - 'property "is_member" is not defined in object type {}'
+      - >
+        "github.event.pull_request.title" is potentially untrusted. avoid using it directly in inline scripts. instead, pass it through an environment variable. see https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions for more details
+

.github/chatmodes/analyze.chatmode.md

@@ -1,11 +1,10 @@
-<!--
-SPDX-FileCopyrightText: 2025 Knitli Inc. <knitli@knit.li>
-SPDX-FileContributor: Adam Poulemanos <adam@knit.li>
-SPDX-License-Identifier: MIT OR Apache-2.0
--->
-
 ---
+# SPDX-FileCopyrightText: 2025 Knitli Inc. <knitli@knit.li>
+# SPDX-FileContributor: Adam Poulemanos <adam@knit.li>
+# SPDX-License-Identifier: MIT OR Apache-2.0
 description: 'Code Analysis'
 tools: ["codebase", "githubRepo", "context7", "sequential-thinking", ]
 ---
+# Expert Code Analyst
+
 You're an experienced code analyst who specializes in identifying and resolving issues in codebases. Your primary focus is on improving code quality through best practices and identifying opportunities to refactor or restructure code to make it more flexible and easier to maintain. The user will ask you to research specific code, modules, or packages within the codebase. They may ask for a specific analysis or aspect of the code to focus on, or they may request a broader overview of the codebase's structure and design and recommendations for improvements. If you identify an opportunity for improving the code quality, you should provide actionable suggestions and code examples to help the user implement the improvements. Unless the user requests a different result, you should produce a report summarizing your findings with specific recommendations and references to specific code snippets by line number and filename.

.github/workflows/ci.yml

@@ -2,12 +2,14 @@
 # SPDX-FileContributor: Adam Poulemanos <adam@knit.li>
 #
 # SPDX-License-Identifier: MIT OR Apache-2.0
+# ! GitHub Action to run the CI pipeline for Rust projects
+# ! This action is triggered on pushes and pull requests to the main and staging branches.
 name: CI
 on:
   push:
-    branches: [main, develop]
+    branches: [main, staging]
   pull_request:
-    branches: [main, develop]
+    branches: [main, staging]
 env:
   CARGO_TERM_COLOR: always
 jobs:
@@ -55,6 +57,7 @@ jobs:
       - name: Run hk ci workflow
         run: >
           "$HOME/.local/bin/mise" run ci
+
   security_audit:
     name: Security Audit
     runs-on: ubuntu-latest

.github/workflows/cla.yml

@@ -2,6 +2,8 @@
 # SPDX-FileContributor: Adam Poulemanos <adam@knit.li>
 #
 # SPDX-License-Identifier: MIT OR Apache-2.0
+# ! GitHub Action to check CLA signatures for Knitli repositories
+# ! This action is triggered on issue comments and pull request events.
 name: "CLA Assistant"
 on:
   issue_comment:
@@ -14,32 +16,165 @@ permissions:
   pull-requests: write
   statuses: write
 jobs:
-  CLAAssistant:
+  set-pr-title:
+    runs-on: ubuntu-latest
+    if: >
+      github.event_name == 'pull_request_target'
+
+    steps:
+      - name: "Set PR Title"
+        env:
+          EV_TITLE: ${{ github.event.pull_request.title }}
+          EV_BODY: ${{ github.event.pull_request.body }}
+        run: |
+          echo "${EV_TITLE}"
+  set-issue-title:
+    runs-on: ubuntu-latest
+    if: >
+      github.event_name == 'issue_comment'
+
+    steps:
+      - name: "Set Issue Title"
+        env:
+          EV_TITLE: ${{ toJson(github.event.issue.title) }}
+          EV_BODY: ${{ toJson(github.event.comment.body) }}
+        run: |
+          echo "${EV_TITLE}"
+  check-cla:
+    runs-on: ubuntu-latest
+    steps:
+      - name: "SetVariables"
+        run: |
+          # shellcheck disable=SC2296
+          # This script sets up environment variables based on the GitHub event context.
+          echo "Setting up variables..."
+          repo="${{ github.repository }}"
+          if [[ $repo != knitli* ]]; then
+            echo "This action is only for Knitli repositories, exiting..."
+            echo "looks like we're in a forked repository, exiting..."
+            exit 0
+          fi
+          actor="${{ github.actor }}"
+          echo "EV_ACTOR=$actor" >> "$GITHUB_ENV"
+          event="${{ github.event_name }}"
+          event="${event//_target/}"
+          event="${event//_comment/}"
+          if [[ $event == pull_request* ]]; then
+            author="${{ github.event.pull_request.user.login }}"
+            email="${{ github.event.pull_request.user.email }}"
+            {
+            echo "IS_PR=true";
+            echo "IS_ISSUE=false";
+            echo "EV_NUMBER=\"${{ github.event.pull_request.number }}\"";
+            echo "EV_AUTHOR=\"$author\"";
+            echo "EV_URL=\"${{ github.event.pull_request.html_url }}\"";
+            echo "EV_EMAIL=\"$email\"";
+            echo "IS_RECHECK=false";
+            } >> "$GITHUB_ENV"
+          else
+            author="${{ github.event.issue.user.login }}"
+            email="${{ github.event.issue.user.email }}"
+            {
+            echo "IS_PR=false";
+            echo "IS_ISSUE=true";
+            echo "EV_NUMBER=\"${{ github.event.issue.number }}\"";
+            echo "EV_AUTHOR=\"$author\"";
+            echo "EV_URL=\"${{ github.event.issue.html_url }}\"";
+            echo "EV_EMAIL=\"$email\"";
+            } >> "$GITHUB_ENV"
+            if [[ "$EV_BODY" == 'recheck' || "$EV_BODY" == *'I read the contributors license agreement and I agree to it.'* ]]; then
+              echo "IS_RECHECK=true" >> "$GITHUB_ENV"
+            else
+              echo "IS_RECHECK=false" >> "$GITHUB_ENV"
+            fi
+          fi
+          # if it's a rerun of the action, then the author is the actor
+          if [[ -z $author ]] || [[ $author != "$actor" ]]; then
+            author="$actor"
+            if [[ -z $email ]]; then
+              email="${author}@users.noreply.github.com"
+            fi
+            echo "EV_AUTHOR=$author" >> "$GITHUB_ENV"
+            echo "EV_EMAIL=$email" >> "$GITHUB_ENV"
+          fi
+          response=$(curl -s -o /dev/null -w "%{http_code}" \
+            -H "Authorization: Bearer \"${{ secrets.GITHUB_TOKEN }}\"" \
+            "https://api.github.com/orgs/knitli/members/$author")
+          if [ "$response" == "204" ]; then
+            echo "is_member=true" >> "$GITHUB_OUTPUT"
+            echo "User $author is a member of Knitli."
+            echo "MEMBER=true" >> "$GITHUB_ENV"
+          else
+            if [[ $email == *@knit.li || $email == *@knitli.com || $author == bashandbone ]]; then
+              echo "MEMBER=true" >> "$GITHUB_ENV"
+              echo "User $author has a Knitli email or is its founder. Provided email: $email"
+              echo "is_member=true" >> "$GITHUB_OUTPUT"
+            else
+              echo "MEMBER=false" >> "$GITHUB_ENV"
+              echo "is_member=false" >> "$GITHUB_OUTPUT"
+            fi
+          fi
+  cla-assistant:
+    needs: check-cla
+    if: >
+      (needs.check-cla.outputs.is_member && needs.check-cla.outputs.is_member == 'false' && needs.check-cla.outputs.is_member != 'true') || needs.check-cla.outputs.is_member == ''
+
     runs-on: ubuntu-latest
     steps:
+      - name: Debug
+        run: |
+          if [[ $DEBUG_ACTIONS == 'true' ]]; then
+            printenv
+          fi
       - name: "CLA Assistant"
         if: >
-          (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the contributors license agreement and I agree to it.') || github.event_name == 'pull_request_target'
+          (env.IS_RECHECK && env.IS_PR) && (env.IS_RECHECK == 'true' || env.IS_PR == 'true')
 
         uses: contributor-assistant/github-action@v2.6.1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          # the below token should have repo scope and must be manually added by you in the repository's secret
-          # This token is required only if you have configured to store the signatures in a remote repository/organization
-          # PERSONAL_ACCESS_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
         with:
           path-to-signatures: 'cla.json'
-          path-to-document: 'https://github.com/knitli/thread/blob/main/CONTRIBUTORS_LICENSE_AGREEMENT.md' # e.g. a CLA or a DCO document
-          # branch should not be protected
-          branch: 'main'
-          allowlist: bashandbone,codegen-sh[bot],dependabot[bot],github-actions[bot],actions-user,changeset-bot
-          # the followings are the optional inputs - If the optional inputs are not given, then default values will be taken
-          #remote-organization-name: enter the remote organization name where the signatures should be stored (Default is storing the signatures in the same repository)
-          #remote-repository-name: enter the  remote repository name where the signatures should be stored (Default is storing the signatures in the same repository)
+          path-to-document: 'https://github.com/knitli/thread/blob/main/CONTRIBUTORS_LICENSE_AGREEMENT.md'
+          branch: 'staging'
+          allowlist: >
+            bashandbone,codegen-sh[bot],dependabot[bot],github-actions[bot],actions-user,changeset-bot
+
           create-file-commit-message: 'Adding file for tracking CLA signatures'
-          signed-commit-message: '$contributorName signed 🖊️ the Thread 🧵 CLA in $owner/$repo#$pullRequestNo'
-          custom-notsigned-prcomment: '✋ Hey $contributorName, 🛑 thanks for your contribution! Before we can accept it, **we need you to sign our contributors license agreement (CLA)**. 🖊️'
-          custom-pr-sign-comment: 'I have read the [Thread contributors license agreement](https://github.com/knitli/thread/blob/main/CONTRIBUTORS_LICENSE_AGREEMENT.md) and I agree to it.'
-          custom-allsigned-prcomment: '🚀 GOOD TO GO. Everyone has agreed to the CLA. 👍'
+          signed-commit-message: >
+            $env.EV_AUTHOR signed 🖊️ the Thread 🧵 CLA in [$env.GITHUB_REPOSITORY # $env.EV_NUMBER]($env.EV_URL)
+
+          custom-notsigned-prcomment: |
+            ✋🛑 Hey $env.EV_AUTHOR,
+
+            ## Thanks for your contribution to Thread!
+
+            ### You need to agree to the CLA first... 🖊️
+
+            Before we can accept your (awesome) contribution, **we need you to agree to our contributors license agreement (CLA)**. 🖊️
+
+            ### To agree to the CLA, please comment:
+            > I read the contributors license agreement and I agree to it.
+            Those words are important[^1], so please don't change them. 😉
+
+            [^1]: Our bot needs those *exact* words to recognize that you agree to the CLA. If you want to add something else, please do so after those words. 😉
+          custom-pr-sign-comment: |
+            $env.EV_AUTHOR, agrees to the Thread CLA.
+
+            $env.EV_AUTHOR acknowledges they read and agree to the [Thread contributors license agreement](https://github.com/knitli/thread/blob/main/CONTRIBUTORS_LICENSE_AGREEMENT.md).
+          custom-allsigned-prcomment: |
+            ## 🚀 GOOD TO GO. Everyone has agreed to the CLA. 👍
+
+            ### Thanks for your contribution to Thread! 🧵
+            Your contribution is now ready to be merged[^1]. 🎉
+
+            ### Maintainers: Ship this PR! 📦🚀
+
+            [^1]: If it passes the other CI checks, of course. 😉 I'm just here for the legal stuff.
+          # UNUSED OPTIONS
           #lock-pullrequest-aftermerge: false - if you don't want this bot to automatically lock the pull request after merging (default - true)
           #use-dco-flag: true - If you are using DCO instead of CLA
+          #TODO: move the signatures to a remote repository
+          #remote-organization-name: enter the remote organization name where the signatures should be stored (Default is storing the signatures in the same repository)
+          #remote-repository-name: enter the  remote repository name where the signatures should be stored (Default is storing the signatures in the same repository)
+          # PERSONAL_ACCESS_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}

hk.pkl

@@ -36,7 +36,7 @@ local linters = new Mapping<String, Step> {
         glob = List("*README", "*.{login,astro,bash,bash_logout,bashrc,browserlistrc,conf,config,csh,css,cts,fish,gitattributes,gitmodules,html,htmx,ini,j2,jinja,jinja2,json,json5,jsonc,jsonl,ksh,md,mdown,mdtext,mdtxt,mdwn,mdx,mk,mkd,mts,nix,nu,pkl,profile,py,quokka,rs,sass,scss,sh,sh,shellcheckrc,sql,sqlite,stylelintrc,svelte,tcsh,toml,ts,tsx,txt,yaml,yml,zlogin,zlogout,zprofile,zsh,zshenv,zshrc}", "*Dockerfile*", "*Makefile*", "*makefile*", "CHANGELOG*", "CODE_OF_CONDUCT*", "CONTRIBUTING*", "HACKING*", "README*", "SECURITY*", "SHARING")
         batch = true
         check = "reuse lint-file {{ files }}"
-        fix = "./scripts/update-licenses.py --files {{ files }}"
+        fix = "./scripts/update-licenses.py add {{ files }}"
     }