communitybridge / easycla

The Contributor License Agreement (CLA) service of the Linux Foundation lets project contributors read, sign, and submit contributor license agreements easily.
https://easycla.lfx.linuxfoundation.org
MIT License

Project Level Approval List Bot #664

Open dealako opened 4 years ago

dealako commented 4 years ago

Summary

Project managers would like to add a bot to the approval list for their project.

Background

TODO - add more details

Additional Notes: Ha, interesting topic. Different approaches were discussed: If they want dependabot to be whitelisted, we can create a solution in EasyCLA without too much difficulty. This could easily be a Project Management console configuration item (for the repos).

David Deal 2:34 PM on 01/07/2019

On the EasyCLA project side, we can implement whatever the legal team decides. An elegant solution would look like (assuming they want to leverage the whitelist solution) - pending legal team review and approval:

  1. Project Management Console: add an option to allow Project Managers to whitelist the dependabot…or greenkeeper bot or whatever - just need the GH ID details for the bot - bot list is a fixed list defined by the EasyCLA team approved by the legal team (not dynamically added by PMs).
  2. Project Management Console: add edit/management control to enable/disable after the project is created - default is off for existing projects
  3. The bot details will be stored with the project/CLA Group configuration (along with the CLA template).
  4. We will modify the CLA check logic to check the flag to determine if the bot was whitelisted: repo -> project lookup -> bot whitelisted flag -> yes/no -> if no, continue with ICLA + CCLA checks.

User Story

As a project manager, I want to whitelist a bot for my entire CLA Group.

Acceptance Criteria

The "done" criteria when this feature or problem is resolved. Such as:

  1. Unit Tests added and running in CI
  2. Functional Tests updated to cover feature, if applicable
  3. Demonstrate the set of capabilities to the product team while the code is running in the STAGING environment.

References

(Optional) Provide any code or specification references that would be helpful for the developer implementing this feature.
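The flow sketched in step 4 above (repo -> project lookup -> bot whitelisted flag -> yes/no -> otherwise the ICLA + CCLA checks), written out as an added example; this is not EasyCLA's own code. The bot logins, the data shapes and the in-memory tables are assumptions standing in for the real project/CLA Group configuration, and the "default off" behaviour from step 2 and the fixed, EasyCLA-curated bot list from step 1 are both enforced:

```python
"""Added example (not EasyCLA project code): project-level bot approval check.

Names, data shapes and bot logins are assumptions for illustration only.
"""
from dataclasses import dataclass, field
from typing import Dict, Set

# Fixed list curated by the EasyCLA team (assumed logins). Project managers can
# only pick from this list; they cannot add arbitrary accounts to it.
APPROVED_BOTS: Set[str] = {"dependabot[bot]", "greenkeeper[bot]"}


@dataclass
class ProjectConfig:
    """Per-project / CLA Group settings stored alongside the CLA template."""
    project_id: str
    allow_bots: bool = False                       # default off for existing projects
    allowed_bots: Set[str] = field(default_factory=set)


def enable_bot(project: ProjectConfig, bot_login: str) -> None:
    """PM console action: enable one bot; rejects anything not on the curated list."""
    if bot_login not in APPROVED_BOTS:
        raise ValueError(f"{bot_login!r} is not on the EasyCLA-approved bot list")
    project.allow_bots = True
    project.allowed_bots.add(bot_login)


def disable_bots(project: ProjectConfig) -> None:
    """PM console action: switch the feature off again for the whole CLA Group."""
    project.allow_bots = False
    project.allowed_bots.clear()


def lookup_project(repo: str, repo_to_project: Dict[str, str],
                   projects: Dict[str, ProjectConfig]) -> ProjectConfig:
    """repo -> project lookup; an unmapped repo is a configuration error, not a pass."""
    project_id = repo_to_project.get(repo)
    if project_id is None or project_id not in projects:
        raise KeyError(f"repository {repo!r} is not mapped to a CLA Group")
    return projects[project_id]


def cla_check(repo: str, author: str, repo_to_project: Dict[str, str],
              projects: Dict[str, ProjectConfig],
              icla_signed: Set[str], ccla_covered: Set[str]) -> str:
    """Decide how a pull request author is covered.

    Returns one of: "approved-bot", "icla", "ccla", "not-covered".
    The bot shortcut only applies when the flag is on, the login was enabled
    for this project, and the login is still on the curated list.
    """
    project = lookup_project(repo, repo_to_project, projects)
    if (project.allow_bots
            and author in project.allowed_bots
            and author in APPROVED_BOTS):
        return "approved-bot"
    # Not a whitelisted bot: fall through to the normal ICLA + CCLA checks.
    if author in icla_signed:
        return "icla"
    if author in ccla_covered:
        return "ccla"
    return "not-covered"


# --- constructed sample data (assumed repos, projects and accounts) ---------
REPO_TO_PROJECT = {"org/repo-a": "proj-1", "org/repo-b": "proj-2"}
PROJECTS = {"proj-1": ProjectConfig("proj-1"), "proj-2": ProjectConfig("proj-2")}
ICLA_SIGNED = {"alice"}
CCLA_COVERED = {"bob"}


def demo() -> Dict[str, str]:
    """Run the check before and after a PM enables Dependabot on proj-1."""
    before = cla_check("org/repo-a", "dependabot[bot]", REPO_TO_PROJECT, PROJECTS,
                       ICLA_SIGNED, CCLA_COVERED)
    enable_bot(PROJECTS["proj-1"], "dependabot[bot]")
    after = cla_check("org/repo-a", "dependabot[bot]", REPO_TO_PROJECT, PROJECTS,
                      ICLA_SIGNED, CCLA_COVERED)
    other = cla_check("org/repo-b", "dependabot[bot]", REPO_TO_PROJECT, PROJECTS,
                      ICLA_SIGNED, CCLA_COVERED)
    return {"before": before, "after": after, "other_project": other}


if __name__ == "__main__":
    print(demo())
```

Because the whitelist is keyed on the project rather than the repository, enabling the bot on `proj-1` covers every repo mapped to it and nothing mapped to `proj-2`, which is the "entire CLA Group" scope the user story asks for.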

eemeli commented 4 years ago

I encountered this issue in messageformat/gettext-to-messageformat#3, with the GitHub Dependabot. To be clear, that repo is still using jsf-clabot, but it'll be switching to easycla once that's available for OpenJS projects.

Possibly relevant here is this section of the Dependabot terms:

Intellectual Property

As part of providing the Service, Dependabot generates software code contributions to the customer's repositories. For the avoidance of doubt, Dependabot grants to each customer a non-exclusive, worldwide right or license to perform, display, and use the contributions and any content contained in, accessed by or transmitted through Dependabot to customer's repositories.

Given the above, I would like for the whitelisting of Dependabot to happen automatically, without me needing to configure anything.

dealako commented 4 years ago

Moved to post V2 LFX integration.