CLA

F-019: docs(cli): document --allow-secrets risk in help text #48

	# SPDX-FileCopyrightText: 2026 Sephyi <me@sephy.io>
	#
	# SPDX-License-Identifier: AGPL-3.0-only OR LicenseRef-Commercial

	name: CLA

	on:
	issue_comment:
	types: [created]
	pull_request_target:
	types: [opened, closed, synchronize]

	# Note: github.event.comment.body in the step-level `if:` is evaluated by
	# the GHA runner (not shell-interpolated) — no injection risk.

	permissions:
	actions: write
	contents: write
	pull-requests: write
	statuses: write

	jobs:
	cla-check:
	name: CLA Signature
	runs-on: ubuntu-24.04
	timeout-minutes: 5
	steps:
	- uses: contributor-assistant/github-action@v2.6.1
	if: >-
	github.event_name == 'pull_request_target'
	\|\| github.event.comment.body == 'recheck'
	\|\| github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA'
	with:
	path-to-document: "https://github.com/${{ github.repository }}/blob/development/CLA.md"
	path-to-signatures: "signatures/version1/cla.json"
	branch: "cla-signatures"
	allowlist: "Sephyi,dependabot[bot],renovate[bot],github-actions[bot]"
	lock-pullrequest-aftermerge: true
	custom-notsigned-prcomment: >-
	Thank you for your contribution! Before we can merge this PR,
	you need to sign the [Contributor License Agreement](CLA.md).
	To sign, please reply with a comment containing exactly:
	`I have read the CLA Document and I hereby sign the CLA.`
	You only need to sign once.
	custom-pr-sign-comment: "I have read the CLA Document and I hereby sign the CLA."
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Provide feedback