This is a set of tools for dealing with Contributor License Agreements for Open Source Salesforce projects. This repository is affectionately referred to as "Dr. Claw" after the Inspector Gadget villain.
The tools provided are:
- Pull Request CLA Verifier
- GitHub Org Audit
This application is built with:
- Play Framework 2.5
- Scala
- Postgres
- Heroku Connect
- Reactive I/O (Non-Blocking)
When someone sends a Pull Request to a project on GitHub, a Webhook sends details to this app. The authors of the commits in the PR are checked to see if they are collaborators on the repo. If not, the app checks if they have signed CLAs. If there are missing CLAs then the status of the PR is set to failed. Otherwise it is set to success. Also if there are missing CLAs then a comment is posted on the PR asking the contributors to sign the CLA. Once a contributor signs a CLA, all of the open PRs are revalidated.
ORG_NAME = Your organization's name
ORG_URL = A homepage to redirect to when someone visits /
ORG_EMAIL = An email users can reach out to you at
ORG_LOGO = URL to a logo you want to display
ORG_CLA = URL to the CLA text
ORG_DOMAIN = Domain name that internal users will have in their git commit emails
ORG_INTERNAL_INSTRUCTIONS_URL = URL with instructions for internal users who are not on the org
-
Install Java 8
-
Install Postgres
-
Install ngrok
-
Start ngrok:
ngrok http 9000
-
Create local Postgres databases:
$ psql # CREATE ROLE salesforcecla LOGIN password 'password'; # CREATE DATABASE salesforcecla ENCODING 'UTF8' OWNER salesforcecla; # CREATE DATABASE "salesforcecla-test" ENCODING 'UTF8' OWNER salesforcecla;
-
Setup a new OAuth App for CLA signing:
- This will be at:
https://github.com/organizations/{your-organization}/settings/applications/new
- Application name =
Something descriptive
- Authorization callback URL =
https://YOUR_NGROK_ID.ngrok.io/_github_oauth_callback
- Homepage URL =
https://YOUR_NGROK_ID.ngrok.io/
- Once finished, set the
GITHUB_CLIENT_ID
andGITHUB_CLIENT_SECRET
env vars accordingly
- This will be at:
-
Setup a new GitHub App with the following settings:
- Webhook URL =
https://YOUR_NGROK_ID.ngrok.io/webhook-integration
- User authorization callback URL =
https://YOUR_NGROK_ID.ngrok.io/_github_app_oauth_callback
- Repository administration =
Read-only
- Commit statuses =
Read & Write
- Issues =
Read & Write
- Pull requests =
Read & Write
- Repository contents =
Read-only
- Organization members =
Read-only
- Under Subscribe to events select Pull request
It is not required, but if you set the GitHub Integration Secret Token, then set the
GITHUB_INTEGRATION_SECRET_TOKEN
env var accordingly. - Webhook URL =
-
Set the
GITHUB_INTEGRATION_CLIENT_ID
andGITHUB_INTEGRATION_CLIENT_SECRET
env vars with the OAuth app associated with the GitHub App. -
Generate and save a new Private key for the new Integration, then set the
GITHUB_INTEGRATION_PRIVATE_KEY
env var accordingly, like:export GITHUB_INTEGRATION_PRIVATE_KEY=$(cat ~/somewhere/your-integration.2017-02-07.private-key.pem)
-
Your new GitHub App will have a numeric id, set the
GITHUB_INTEGRATION_ID
env var accordingly. -
Your new GitHub App will have a slug / URL friendly name, set the
GITHUB_INTEGRATION_SLUG
env var accordingly. -
Set the
GITHUB_BOT_NAME
env var to the value of what you'd like your public facing bot to appear as
export GITHUB_BOT_NAME=salesforce-cla
-
Start the web app:
$ ./sbt ~run
-
Authenticate to GitHub with your test user
-
Open the audit page:
https://SOMETHING.ngrok.com/audit
-
You should see a list of organizations which have the GitHub App installed and which you are an admin of
-
In GitHub edit the
README
file the testing repo and submit a pull request -
This will make a webhook request to your local application and validate the CLA status of the submitter
-
You can see event deliveries in the Developer Settings for your GitHub App
-
If you make a PR with a testing user that is not part of the org, you should see the PR validation failure and be able to sign the CLA
-
You will need two GitHub testing users. For each, create a personal access token with the following permissions:
admin:org, admin:org_hook, admin:public_key, admin:repo_hook, delete_repo, repo, user
-
For user one, create a new testing organization (because this can't be done via the API). Add the second user as a member of this org.
-
For user one, install the GitHub App into the user's account and into the testing org.
-
Set the
GITHUB_TEST_TOKEN1
,GITHUB_TEST_ORG
, andGITHUB_TEST_TOKEN2
env vars. -
Run all of the tests continuously:
$ ./sbt ~test
1 Run just the GitHubSpec
tests continuously:
$ ./sbt ~testOnly utils.GitHubSpec
This repo is licensed under the BSD-3-Clause.