Merge pull request #4730 from linuxfoundation/unicron-update-skiping-bots-cla-documentation

lukaszgryglicki · web-flow · commit e4a0d0840f2b · 2025-07-31T17:40:52.000+02:00
Clarify what login is used for vs username, account for GitHub bots (like Copilot) having no login but only email
diff --git a/WHITELISTING_BOTS.md b/WHITELISTING_BOTS.md
@@ -6,33 +6,35 @@ This can be done on the GitHub organization level by setting the `skip_cla` prop
 
 Replace `{stage}` with either `dev` or `prod`.
 
-This property is a Map attribute that contains mapping from repository pattern to bot username (GitHub login), email and name pattern.
+This property is a Map attribute that contains mapping from repository pattern to bot GitHub login, email and name pattern.
 
-Example `username/login` is `lukaszgryglicki` (like any `username/login` that can be accessed via `https://github.com/username`).
+Example `login` is `lukaszgryglicki` (like any `login` that can be accessed via `https://github.com/login`).
+
+This is sometimes called `username` but we use `login` to avoid confusion with the `name` attribute.
 
 Example name is `"Lukasz Gryglicki"`.
 
 Email pattern and name pattern are optional and `*` is assumed for them if not specified.
 
 Each pattern is a string and can be one of three possible types (and are checked tin this order):
-- `"name"` - exact match for repository name, GitHub login/username, email address, GitHub name.
-- `"re:regexp"` - regular expression match for repository name, GitHub username, or email address.
+- `"name"` - exact match for repository name, GitHub login, email address, GitHub name.
+- `"re:regexp"` - regular expression match for repository name, GitHub login, name, or email address.
 - `"*"` - matches all.
 
-So the format is like `"repository_pattern": "github_username_pattern;email_pattern;name_pattern"`. `;` is used as a separator.
+So the format is like `"repository_pattern": "login_pattern;email_pattern;name_pattern"`. `;` is used as a separator.
 
 You can also specify multiple patterns so different set is used for multiple users - in such case configuration must start with `[`, end with `]` and be `||` separated.
 
 For example: `"[copilot-swe-agent[bot];*;*||re:(?i)^l(ukasz)?gryglicki$;*;re:Gryglicki]"`.
 
-Full format is like `"repository_pattern": "[github_username_pattern;email_pattern;name_pattern||..]"`.
+Full format is like `"repository_pattern": "[login_pattern;email_pattern;name_pattern||..]"`.
 
 Other complex example: `"re:(?i)^repo\d*$": "[veerendra||re:(?i)^l(ukasz)?gryglicki$;lukaszgryglicki@o2.pl||*;*;Lukasz Gryglicki]"`.
 
 This matches one of:
-- GitHub username/login `veerendra` no matter the email and name.
-- GitHub username/login like lgryglicki, LukaszGryglicki and similar with email lukaszgryglicki@o2.pl, name doesn't matter.
-- GitHub name "Lukasz Gryglicki" email and username/login doesn't matter.
+- GitHub login `veerendra` no matter the email and name.
+- GitHub login like lgryglicki, LukaszGryglicki and similar with email lukaszgryglicki@o2.pl, name doesn't matter.
+- GitHub name "Lukasz Gryglicki" email and login doesn't matter.
 
 There can be multiple entries under one Github Organization DynamoDB entry.
 
@@ -46,7 +48,7 @@ Example:
     "skip_cla": {
       "M": {
         "*": {
-          "S": "copilot-swe-agent[bot];re:^\\d+\\+Copilot@users\\.noreply\\.github\\.com$;*"
+          "S": "*;re:^\\d+\\+Copilot@users\\.noreply\\.github\\.com$;*"
         },
         "re:(?i)^repo[0-9]+$": {
           "S": "re:vee?rendra;*;*"
@@ -57,21 +59,24 @@ Example:
 }
 ```
 
+For example for `copilot-swe-agent[bot]` GitHub bot the exact values returned by GitHub are: id, login, name are all nulls, email is like this `198982749+Copilot@users.noreply.github.com`.
+
 Algorithm to match pattern is as follows:
 - First we check repository name for exact match. Repository name is without the organization name, so for `https://github.com/linuxfoundation/easycla` it is just `easycla`. If we find an entry in `skip_cla` for `easycla` that entry is used and we stop searching.
 - If no exact match is found, we check for regular expression match. Only keys starting with `re:` are considered. If we find a match, we use that entry and stop searching.
 - If no match is found, we check for `*` entry. If it exists, we use that entry and stop searching.
 - If no match is found, we don't skip CLA check.
-- Now when we have the entry, it is in the following format: `github_username_pattern;email_pattern;name_pattern` or `"[github_username_pattern;email_pattern;name_pattern||...]" (array)`.
-- We check GitHub username/login, email address and name against the patterns. Algorithm is the same - username, email and name patterns can be either direct match or `re:regexp` or `*`.
-- If username, email and name match the patterns, we skip CLA check. If username or email or name is not set but the pattern is `*` it means hit.
-- So setting pattern to `username_pattern;*;*` or `username_pattern` (which is equivalent) means that we only check for username match and assume all emails and names are valid.
+- Now when we have the entry, it is in the following format: `login_pattern;email_pattern;name_pattern` or `"[login_pattern;email_pattern;name_pattern||...]" (array)`.
+- We check GitHub login, email address and name against the patterns. Algorithm is the same - login, email and name patterns can be either direct match or `re:regexp` or `*`.
+- If login, email and name match the patterns, we skip CLA check. If login, email or name is not set but the pattern is `*` it means hit.
+- So setting pattern to `login_pattern;*;*` or `login_pattern` (which is equivalent) means that we only check for login match and assume all emails and names are valid.
 - Any actor that matches any of the entries in the array will be skipped (logical OR).
-- If we set `repo_pattern` to `*` it means that this configuration applies to all repositories in the organization. If there are also specific repository patterns, they will be used instead of `*` (fallback for all).
+- If we set `repo_pattern` to `*` it means that this configuration applies to all repositories in the organization.
+- If there are also specific repository patterns, they will be used instead of `*` (fallback for all).
 
 
 There is a script that allows you to update the `skip_cla` property in the DynamoDB table. It is located in `utils/skip_cla_entry.sh`. You can run it like this:
-- `` MODE=mode ./utils/skip_cla_entry.sh 'org-name' 'repo-pattern' 'github-username-pattern;email-pattern;name_pattern' ``.
+- `` MODE=mode ./utils/skip_cla_entry.sh 'org-name' 'repo-pattern' 'login-pattern;email-pattern;name_pattern' ``.
 - `` MODE=add-key ./utils/skip_cla_entry.sh 'sun-test-org' '*' 'copilot-swe-agent[bot];*;*' ``.
 - Complex example: `` MODE=add-key ./utils/skip_cla_entry.sh 'sun-test-org' 're:(?i)^repo[0-9]+$' '[re:(?i)^l(ukasz)?gryglicki$;re:(?i)^l(ukasz)?gryglicki@;*||copilot-swe-agent[bot]]' ``.
 
@@ -91,7 +96,7 @@ aws --profile "lfproduct-prod" --region "us-east-1" dynamodb update-item \
   --table-name "cla-prod-github-orgs" \
   --key '{"organization_name": {"S": "linuxfoundation"}}' \
   --update-expression 'SET skip_cla = :val' \
-  --expression-attribute-values '{":val": {"M": {"re:^easycla":{"S":"copilot-swe-agent[bot];*;*"}}}}'
+  --expression-attribute-values '{":val": {"M": {"re:^easycla":{"S":"some-github-login;*;*"}}}}'
 ```
 
 To add a new key to an existing `skip_cla` entry (or replace the existing key):
@@ -102,7 +107,7 @@ aws --profile "lfproduct-prod" --region "us-east-1" dynamodb update-item \
   --key '{"organization_name": {"S": "linuxfoundation"}}' \
   --update-expression "SET skip_cla.#repo = :val" \
   --expression-attribute-names '{"#repo": "re:^easycla"}' \
-  --expression-attribute-values '{":val": {"S": "copilot-swe-agent[bot]"}}'
+  --expression-attribute-values '{":val": {"S": "some-github-login"}}'
 ```
 
 To delete a key from an existing `skip_cla` entry:
@@ -138,14 +143,14 @@ To check for log entries related to skipping CLA check, you can use the followin
 
 To add first `skip_cla` value for an organization:
 ```
-aws --profile lfproduct-prod --region us-east-1 dynamodb update-item --table-name "cla-prod-github-orgs" --key '{"organization_name": {"S": "open-telemetry"}}' --update-expression 'SET skip_cla = :val' --expression-attribute-values '{":val": {"M": {"otel-arrow":{"S":"copilot-swe-agent[bot];re:^\\d+\\+Copilot@users\\.noreply\\.github\\.com$;*"}}}}'
-aws --profile lfproduct-prod --region us-east-1 dynamodb update-item --table-name "cla-prod-github-orgs" --key '{"organization_name": {"S": "openfga"}}' --update-expression 'SET skip_cla = :val' --expression-attribute-values '{":val": {"M": {"vscode-ext":{"S":"copilot-swe-agent[bot];re:^\\d+\\+Copilot@users\\.noreply\\.github\\.com$;*"}}}}'
+aws --profile lfproduct-prod --region us-east-1 dynamodb update-item --table-name "cla-prod-github-orgs" --key '{"organization_name": {"S": "open-telemetry"}}' --update-expression 'SET skip_cla = :val' --expression-attribute-values '{":val": {"M": {"otel-arrow":{"S":"*;re:^\\d+\\+Copilot@users\\.noreply\\.github\\.com$;*"}}}}'
+aws --profile lfproduct-prod --region us-east-1 dynamodb update-item --table-name "cla-prod-github-orgs" --key '{"organization_name": {"S": "openfga"}}' --update-expression 'SET skip_cla = :val' --expression-attribute-values '{":val": {"M": {"vscode-ext":{"S":"*;re:^\\d+\\+Copilot@users\\.noreply\\.github\\.com$;*"}}}}'
 ```
 
 To add additional repositories entries without overwriting the existing `skip_cla` value:
 ```
-aws --profile lfproduct-prod --region us-east-1 dynamodb update-item --table-name "cla-prod-github-orgs" --key '{"organization_name": {"S": "open-telemetry"}}' --update-expression 'SET skip_cla.#repo = :val' --expression-attribute-names '{"#repo": "*"}' --expression-attribute-values '{":val": {"S": "copilot-swe-agent[bot];re:^\\d+\\+Copilot@users\\.noreply\\.github\\.com$;*"}}'
-aws --profile lfproduct-prod --region us-east-1 dynamodb update-item --table-name "cla-prod-github-orgs" --key '{"organization_name": {"S": "openfga"}}' --update-expression 'SET skip_cla.#repo = :val' --expression-attribute-names '{"#repo": "*"}' --expression-attribute-values '{":val": {"S": "copilot-swe-agent[bot];re:^\\d+\\+Copilot@users\\.noreply\\.github\\.com$;*"}}'
+aws --profile lfproduct-prod --region us-east-1 dynamodb update-item --table-name "cla-prod-github-orgs" --key '{"organization_name": {"S": "open-telemetry"}}' --update-expression 'SET skip_cla.#repo = :val' --expression-attribute-names '{"#repo": "*"}' --expression-attribute-values '{":val": {"S": "*;re:^\\d+\\+Copilot@users\\.noreply\\.github\\.com$"}}'
+aws --profile lfproduct-prod --region us-east-1 dynamodb update-item --table-name "cla-prod-github-orgs" --key '{"organization_name": {"S": "openfga"}}' --update-expression 'SET skip_cla.#repo = :val' --expression-attribute-names '{"#repo": "*"}' --expression-attribute-values '{":val": {"S": "*;re:^\\d+\\+Copilot@users\\.noreply\\.github\\.com$"}}'
 ```
 
 To delete a specific repo entry from `skip_cla`:
diff --git a/cla-backend-go/github/bots.go b/cla-backend-go/github/bots.go
@@ -134,19 +134,19 @@ func parseConfigPatterns(config string) []string {
 // : in cla-{stage}-github-orgs table there can be a skip_cla field which is a dict with the following structure:
 //
 //	{
-//	    "repo-name": "<username_pattern>;<email_pattern>;<name_pattern>",
-//	    "re:repo-regexp": "[<username_pattern>;<email_pattern>;<name_pattern>||...]",
+//	    "repo-name": "<login_pattern>;<email_pattern>;<name_pattern>",
+//	    "re:repo-regexp": "[<login_pattern>;<email_pattern>;<name_pattern>||...]",
 //	    "*": "<login_pattern>"
 //	}
 //
 // where:
 //   - repo-name is the exact repository name under given org (e.g., "my-repo" not "my-org/my-repo")
 //   - re:repo-regexp is a regex pattern to match repository names
 //   - * is a wildcard that applies to all repositories
-//   - <username_pattern> is a GitHub username pattern (exact match or regex prefixed by re: or match all '*')
+//   - <login_pattern> is a GitHub login pattern (exact match or regex prefixed by re: or match all '*')
 //   - <email_pattern> is a GitHub email pattern (exact match or regex prefixed by re: or match all '*') if not specified defaults to '*'
 //   - <name_pattern> is a GitHub name pattern (exact match or regex prefixed by re: or match all '*') if not specified defaults to '*'
-//     The username/login, email and name patterns are separated by a semicolon (;). Email and name parts are optional.
+//     The login, email and name patterns are separated by a semicolon (;). Email and name parts are optional.
 //     There can be an array of patterns for a single repository, separated by ||. It must start with a '[' and end with a ']': "[...||...||...]"
 //     If the skip_cla is not set, it will skip the whitelisted bots check.
 func SkipWhitelistedBots(ev events.Service, orgModel *models.GithubOrganization, orgRepo, projectID string, actorsMissingCLA []*UserCommitSummary) ([]*UserCommitSummary, []*UserCommitSummary) {
diff --git a/cla-backend-go/swagger/common/github-organization.yaml b/cla-backend-go/swagger/common/github-organization.yaml
@@ -81,16 +81,16 @@ properties:
       - Or an OR-array in the form '[<entry1>||<entry2>||...]', where each entry uses the same pattern format above.
 
       Patterns can be:
-      - An exact match (e.g. 'repo1', 'username', 'email@domain').
+      - An exact match (e.g. 'repo1', 'login', 'Name Surname', 'email@domain').
+      - A regular expression prefixed with 're:' (e.g. 're:(?i)^bot.*$').
       - A wildcard '*' to match all.
-      - A regular expression prefixed with 're:' (e.g. 're:(?i)^bot.*').
 
       Example formats:
       - "copilot-swe-agent[bot];*;*"
       - "re:vee?rendra;*;*"
       - "[re:(?i)^l(ukasz)?gryglicki$;re:(?i)^l(ukasz)?gryglicki@;*||copilot-swe-agent[bot]]"
-      - "username;*"
-      - "username;email@domain.com;Real Name"
+      - "login;*"
+      - "login;email@domain.com;Real Name"
     example:
       "*": "copilot-swe-agent[bot];*;*"
       "repo1": "re:vee?rendra;*;*"
diff --git a/cla-backend/cla/models/github_models.py b/cla-backend/cla/models/github_models.py
@@ -969,7 +969,7 @@ def is_actor_skipped(self, actor, config):
             login_pattern, email_pattern, name_pattern = parts[:3]
             login = getattr(actor, "author_login", None)
             email = getattr(actor, "author_email", None)
-            name = getattr(actor, "author_username", None)
+            name = getattr(actor, "author_name", None)
             return (
                 self.property_matches(login_pattern, login) and
                 self.property_matches(email_pattern, email) and
@@ -1001,6 +1001,12 @@ def parse_config_patterns(self, config):
         else:
             return [config]
 
+    def safe_getattr(obj, attr, default='(null)'):
+        """Returns obj.attr or default if attr is missing or None."""
+        val = getattr(obj, attr, default)
+        if val is None:
+            return default
+        return val
 
     def skip_whitelisted_bots(self, org_model, org_repo, actors_missing_cla) -> Tuple[List[UserCommitSummary], List[UserCommitSummary]]:
         """
@@ -1014,18 +1020,18 @@ def skip_whitelisted_bots(self, org_model, org_repo, actors_missing_cla) -> Tupl
         :return: Tuple of (actors_missing_cla, whitelisted_actors)
         : in cla-{stage}-github-orgs table there can be a skip_cla field which is a dict with the following structure:
         {
-            "repo-name": "<username_pattern>;<email_pattern>;<name_pattern>",
-            "re:repo-regexp": "[<username_pattern>;<email_pattern>;<name_pattern>||...]",
+            "repo-name": "<login_pattern>;<email_pattern>;<name_pattern>",
+            "re:repo-regexp": "[<login_pattern>;<email_pattern>;<name_pattern>||...]",
             "*": "<login_pattern>"
         }
         where:
         - repo-name is the exact repository name under given org (e.g., "my-repo" not "my-org/my-repo")
         - re:repo-regexp is a regex pattern to match repository names
         - * is a wildcard that applies to all repositories
-        - <username_pattern> is a GitHub username pattern (exact match or regex prefixed by re: or match all '*')
+        - <login_pattern> is a GitHub login pattern (exact match or regex prefixed by re: or match all '*')
         - <email_pattern> is a GitHub email pattern (exact match or regex prefixed by re: or match all '*') - defaults to '*' if not set
         - <name_pattern> is a GitHub name pattern (exact match or regex prefixed by re: or match all '*') - defaults to '*' if not set
-        :note: The username/login, email and name patterns are separated by a semicolon (;).
+        :note: The login (sometimes called username it's the same), email and name patterns are separated by a semicolon (;).
         :note: There can be an array of patterns - it must start with [ and with ] and be || separated.
         :note: If the skip_cla is not set, it will skip the whitelisted bots check.
         """
@@ -1071,10 +1077,10 @@ def skip_whitelisted_bots(self, org_model, org_repo, actors_missing_cla) -> Tupl
                 return actors_missing_cla, []
 
             actor_debug_data = [
-                f"id='{getattr(a, 'author_id', '(null)')}',"
-                f"login='{getattr(a, 'author_login', '(null)')}',"
-                f"username='{getattr(a, 'author_username', '(null)')}',"
-                f"email='{getattr(a, 'author_email', '(null)')}'"
+                f"id='{safe_getattr(a, 'author_id')}',"
+                f"login='{safe_getattr(a, 'author_login')}',"
+                f"name='{safe_getattr(a, 'author_name')}',"
+                f"email='{safe_getattr(a, 'author_email')}'"
                 for a in actors_missing_cla
             ]
             config = self.parse_config_patterns(config)
@@ -1085,11 +1091,11 @@ def skip_whitelisted_bots(self, org_model, org_repo, actors_missing_cla) -> Tupl
                 if actor is None:
                     continue
                 try:
-                    actor_data = "id='{}',login='{}',username='{}',email='{}'".format(
-                        getattr(actor, "author_id", "(null)"),
-                        getattr(actor, "author_login", "(null)"),
-                        getattr(actor, "author_username", "(null)"),
-                        getattr(actor, "author_email", "(null)"),
+                    actor_data = "id='{}',login='{}',name='{}',email='{}'".format(
+                        safe_getattr(actor, "author_id"),
+                        safe_getattr(actor, "author_login"),
+                        safe_getattr(actor, "author_name"),
+                        safe_getattr(actor, "author_email"),
                     )
                     cla.log.debug("Checking actor: %s for skip_cla config: %s", actor_data, config)
                     if self.is_actor_skipped(actor, config):
@@ -1111,8 +1117,13 @@ def skip_whitelisted_bots(self, org_model, org_repo, actors_missing_cla) -> Tupl
                         continue
                 except Exception as e:
                     cla.log.warning(
-                        "Error checking skip_cla for actor '%s' (login='%s', email='%s'): %s",
-                        actor, getattr(actor, "author_login", None), getattr(actor, "author_email", None), e,
+                        "Error checking skip_cla for actor '%s' (id='%s', login='%s', name='%s', email='%s'): %s",
+                        actor,
+                        safe_getattr(actor, "author_id"),
+                        safe_getattr(actor, "author_login"),
+                        safe_getattr(actor, "author_name"),
+                        safe_getattr(actor, "author_email"),
+                        e,
                     )
                 out_actors_missing_cla.append(actor)
 
