Add CLA workflow

[walkowif]

Required for: https://github.com/insightsengineering/idr-tasks/issues/355

[gowerc]

@walkowif - Apologies I'm not that versed in this, would you mind just explaining (in simple terms) what this is about and what this change does ?

[cicdguy]

Hi @gowerc, this is sort of like our DCO (Developer Certificate of Origin), but in the form of a CLA (Contributor License Agreement). See https://opensource.com/article/18/3/cla-vs-dco-whats-difference to know what these are.

This is to make sure that contributors acknowledge that they did not take code or data from somewhere else (closed source/restricted locations) before getting their PR merged or issues created.

[gowerc]

@cicdguy - Thanks for the link, and what does the updated action do exactly then ?

[cicdguy]

@cicdguy - Thanks for the link, and what does the updated action do exactly then ?

The workflow will trigger when a PR is updated (a comment is added or changes are made). The CLA bot will post a comment asking contributors to sign (see here for an example). Contributors then need to "sign" the CLA (see example here) and the signature is recorded for that contributor for that repository.

[gowerc]

Sorry do you have any alternative links. Apologies if I'm being dim but theres nothing that stands out to me on that ticket as an example of what you mean.

[gowerc]

@cicdguy, why was this merged? I was purposefully not merging this PR as I still had concerns about what the implication to getting open source contributors and the fact this might put off other companies from contributing / using the package. I also hadn't yet consulted with our Biostats stakeholders about if they were ok with this.

[cicdguy]

@epijim - should we allow repositories to opt out of this? See @gowerc's comments above.