SciTools-incubator / scitools-cla-checker

A Heroku service that checks whether a PR is covered by a completed CLA
BSD 3-Clause "New" or "Revised" License

Replace Heroku web app with github action #22

Open jamesp opened 3 years ago

jamesp commented 3 years ago

It's rather opaque as to how the CLA checker for SciTools projects operates, and it is dependent on an additional third-party service (Heroku).

This market is now quite mature. Could we replace the CLA checker with a service offering, or a community-supported GitHub Action such as https://github.com/cla-assistant/github-action?

pelson commented 3 years ago

Definitely agree that a github-action based solution is desirable. :+1:

One cursed thing to watch out for - GDPR. Since the CLAs contain personal data, the data sovereignty rules require that it be held inside (and never transferred outside of) the EU (of which the UK is still a member for the purposes of GDPR, I believe).

There are some conditions that are put in https://docs.google.com/forms/d/e/1FAIpQLSfd0tdE-DcJOXh8ej_7T93IizwJFYBFyRWYQOi2A8QRaKwykA/viewform, and detailed more in https://docs.google.com/document/d/1GOQxT5t4vc6i28OfghczAVz0tHUWHRsHGPcT1R5zTKk/edit. To quote that CLA:

> Your GitHub username will be published on a public website in order to permit Developers of SciTools Projects to ascertain that your contribution is covered by a signed CLA. Your Personal Data will be stored on a Google Drive account belonging to the SciTools administrators and may therefore result in the data leaving the European Economic Area. For further information, please see Google’s Privacy Policy.

A similar statement could be made for a github-actions based CLA checker - you would need to seek (Met Office) legal advice to change that though, and I'm not certain that you can retroactively apply the new condition on existing signatures, so you might have to get everybody to re-sign the CLA.