Merged
171 changes: 171 additions & 0 deletions .github/CLA_SETUP.md
@@ -0,0 +1,171 @@
# CLA Assistant Setup Guide

This document explains how to set up the CLA Assistant GitHub Action to automatically enforce Contributor License Agreement (CLA) signing for all pull requests.

## Overview

The CLA Assistant GitHub Action (`.github/workflows/cla.yml`) automatically:
- Comments on new pull requests asking contributors to sign the CLA
- Tracks who has signed the CLA in `.github/CLA_SIGNATORIES.json`
- Updates PR status checks based on CLA signature status
- Allows contributors to sign by commenting on their PR

## Prerequisites

To enable CLA enforcement, a repository administrator must create a Personal Access Token (PAT) with appropriate permissions.

## Setup Instructions

### 1. Create a Personal Access Token (PAT)

The CLA Assistant needs a PAT to commit signature data back to the repository.

**Steps:**

1. Go to GitHub Settings → Developer settings → Personal access tokens → Fine-grained tokens
- URL: https://github.com/settings/tokens?type=beta

2. Click **"Generate new token"**

3. Configure the token:
- **Token name**: `CLA Assistant - DeepWork`
- **Expiration**: Choose appropriate expiration (recommend 1 year, then renew)
- **Repository access**: Select "Only select repositories" and choose `Unsupervisedcom/deepwork`

4. Under **"Permissions"**, configure **Repository permissions**:
- **Contents**: Read and write (required to commit signatures)
- **Pull requests**: Read and write (required to comment and update status)
- **Metadata**: Read-only (automatically selected)

5. Click **"Generate token"** and **copy the token** (you won't be able to see it again)

### 2. Add the PAT to Repository Secrets

1. Go to the DeepWork repository settings:
- URL: https://github.com/Unsupervisedcom/deepwork/settings/secrets/actions

2. Click **"New repository secret"**

3. Add the secret:
- **Name**: `CLA_ASSISTANT_PAT`
- **Value**: Paste the PAT you generated in step 1

4. Click **"Add secret"**

### 3. Verify the Setup

To verify the CLA Assistant is working:

1. **Create a test pull request** from a different GitHub account (or ask a team member to create one)

2. **Check for the CLA comment**: The CLA Assistant bot should automatically comment on the PR with instructions to sign the CLA

3. **Sign the CLA**: Comment on the PR with:
```
I have read the CLA Document and I hereby sign the CLA
```

4. **Verify signature tracking**: After signing, a new commit should be added to the main branch updating `.github/CLA_SIGNATORIES.json`

5. **Check PR status**: The PR status check should update to show "All contributors have signed the CLA ✅"

## How It Works

### For Contributors

When a contributor opens a pull request:

1. The CLA Assistant bot comments with a link to the CLA and instructions
2. The contributor reads the CLA at `/CLA.md`
3. The contributor signs by commenting: `I have read the CLA Document and I hereby sign the CLA`
4. The bot records the signature in `.github/CLA_SIGNATORIES.json`
5. The bot updates the PR status to indicate CLA is signed
6. Future PRs from the same contributor don't require re-signing

### Signature Storage

Signatures are stored in `.github/CLA_SIGNATORIES.json` in the following format:

```json
{
"signedContributors": [
{
"name": "username",
"id": 12345678,
"comment_id": 987654321,
"created_at": "YYYY-MM-DDTHH:MM:SSZ",
"repoId": 123456789,
"pullRequestNo": 42
}
]
}
```

This file is automatically created and updated by the CLA Assistant.

## Troubleshooting

### CLA Assistant Not Commenting on PRs

**Possible causes:**
- The `CLA_ASSISTANT_PAT` secret is not set or has expired
- The PAT doesn't have the required permissions
- The workflow file has syntax errors

**Solutions:**
1. Check that the secret exists in repository settings
2. Verify PAT permissions (Contents: write, Pull requests: write)
3. Check the Actions tab for workflow errors

### Signatures Not Being Recorded

**Possible causes:**
- The PAT doesn't have write access to Contents
- Branch protection rules prevent the bot from committing

**Solutions:**
1. Verify the PAT has "Contents: Read and write" permission
2. Check branch protection rules and add the CLA Assistant as an exception if needed

### Contributor Signed But Status Still Shows Unsigned

**Possible causes:**
- The comment text was not exact
- The workflow didn't trigger

**Solutions:**
1. Ensure the comment is exactly: `I have read the CLA Document and I hereby sign the CLA`
2. Try commenting `recheck` to trigger the workflow again
3. Check the Actions tab to see if the workflow ran

## Allowlist

The following accounts are automatically exempt from CLA requirements:
- `dependabot[bot]`
- `github-actions[bot]`

To add more accounts to the allowlist, edit `.github/workflows/cla.yml` and update the `allowlist` field.

## Token Rotation

For security, rotate the PAT periodically:

1. Generate a new PAT following the steps above
2. Update the `CLA_ASSISTANT_PAT` secret with the new token
3. Delete the old PAT from GitHub settings

Recommended rotation period: Every 12 months

## Additional Resources

- [CLA Assistant GitHub Action Documentation](https://github.com/contributor-assistant/github-action)
- [GitHub Personal Access Tokens Guide](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)
- [DeepWork CLA](../CLA.md)
- [DeepWork License](../LICENSE.md)

## Support

For questions or issues with CLA setup, please:
- Open an issue in the repository
- Contact the repository administrators
- Email legal@unsupervised.com for legal questions about the CLA
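Review bot: The "Signatures Not Being Recorded" section tells admins to add the CLA Assistant as a branch-protection exception, and step 4 of "Verify the Setup" expects the bot to commit to the main branch, so the long-lived `CLA_ASSISTANT_PAT` (Contents: Read and write, suggested expiry of 1 year) ends up able to push to `main` unreviewed. Consider pointing the workflow's `branch` input at a dedicated signatures branch, or keeping signatures in a separate repository, so the token never needs a bypass on `main`, and recommend a shorter expiry than 12 months. It is also worth confirming against the action's documentation whether a PAT is needed at all when signatures are stored in the same repository. Two consistency points: the guide asks for a fine-grained token while the comment in `cla.yml` says "repo scope", and the guide never mentions the manual `.github/CLA_SIGNATORIES.md` route that `CLA.md` offers.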
27 changes: 27 additions & 0 deletions .github/CLA_SIGNATORIES.md
@@ -0,0 +1,27 @@
# CLA Signatories

This file tracks individual contributors who have signed the Contributor License Agreement (CLA) for the DeepWork project.

## Individual Contributors

| GitHub Username | Date Signed | Signature Method |
|-----------------|-------------|------------------|
| <!-- Add your GitHub username here --> | | |

---

## How to Sign

1. **Automated Method (Recommended)**: When you submit your first pull request, the CLA Assistant bot will guide you through signing the CLA electronically.

2. **Manual Method**: Add your GitHub username to the table above by creating a pull request. Your PR will be reviewed and merged once verified.

---

## Corporate Contributors

Organizations that have signed the Corporate CLA are tracked separately. If you are contributing on behalf of your employer, please ensure your organization has signed the Corporate CLA by contacting legal@unsupervised.com.

---

For questions about the CLA, see [CLA.md](../CLA.md) or contact legal@unsupervised.com.
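Review bot: The "Manual Method" under "How to Sign" has contributors add their own username to this table, but the workflow in this PR reads signatures from `.github/CLA_SIGNATORIES.json`, so a manually listed contributor would still fail the CLA status check, including on the PR that adds their name. The table is also self-asserted: nothing in "reviewed and merged once verified" says how a maintainer confirms that the PR author is the account being added. Either drop the manual method, or document the verification step and how a manual signer is then recorded where the bot looks (the JSON file or the `allowlist`).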
43 changes: 43 additions & 0 deletions .github/workflows/cla.yml
@@ -0,0 +1,43 @@
name: "CLA Assistant"

on:
issue_comment:
types: [created]
pull_request_target:
types: [opened, closed, synchronize]

# Explicitly set permissions for the workflow
permissions:
actions: write
contents: write
pull-requests: write
statuses: write

jobs:
cla-check:
runs-on: ubuntu-latest
steps:
- name: "CLA Assistant"
if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
uses: contributor-assistant/github-action@v2.6.1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# This should be a Personal Access Token with repo scope
PERSONAL_ACCESS_TOKEN: ${{ secrets.CLA_ASSISTANT_PAT }}
with:
path-to-signatures: '.github/CLA_SIGNATORIES.json'
path-to-document: 'https://github.com/${{ github.repository }}/blob/main/CLA.md'
# Branch where CLA signatures will be stored
branch: 'main'
allowlist: 'dependabot[bot],github-actions[bot]'

# Customizable messages
remote-organization-name: 'Unsupervised.com, Inc.'
remote-repository-name: 'deepwork'

# Custom text for the CLA comment
custom-pr-sign-comment: 'I have read the CLA Document and I hereby sign the CLA'
custom-allsigned-prcomment: 'All contributors have signed the CLA. ✅'

lock-pullrequest-aftermerge: false
use-dco-flag: true
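Review bot: `uses: contributor-assistant/github-action@v2.6.1` pins a third-party action by tag in a job that runs on `pull_request_target`, holds `contents: write` and receives `secrets.CLA_ASSISTANT_PAT`; tags can be moved, so pin to the full commit SHA of that release and keep the version in a trailing comment. The `if:` sits on the step rather than the job, so every issue comment in the repository still starts a runner; moving the condition to `cla-check` avoids that. `remote-organization-name` and `remote-repository-name` are labelled "Customizable messages", but in this action they select a remote repository for signature storage, and 'Unsupervised.com, Inc.' does not match the `Unsupervisedcom` owner used in `CLA_SETUP.md`; since `path-to-signatures` points into this repository, both inputs should probably be removed. Also reconcile the "repo scope" comment with the fine-grained token described in the setup guide, and confirm `use-dco-flag: true` is intended given that every message here refers to a CLA.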
124 changes: 124 additions & 0 deletions CLA.md
@@ -0,0 +1,124 @@
# Contributor License Agreement (CLA)

Thank you for your interest in contributing to DeepWork, a project by Unsupervised.com, Inc. ("We" or "Us").

This Contributor License Agreement ("Agreement") documents the rights granted by contributors to Us. To make this document effective, please follow the instructions at the end of this document.

## Definitions

**"You"** means the individual who Submits a Contribution to Us.

**"Contribution"** means any work of authorship that is Submitted by You to Us in which You own or assert ownership of the Copyright.

**"Copyright"** means all rights protecting works of authorship owned or controlled by You, including copyright, moral and neighboring rights, as appropriate, for the full term of their existence including any extensions by You.

**"Material"** means the work of authorship which is made available by Us to third parties. When this Agreement covers more than one software project, the Material means the work of authorship to which the Contribution was Submitted. After You Submit the Contribution, it may be included in the Material.

**"Submit"** means any form of electronic, verbal, or written communication sent to Us or our representatives, including but not limited to electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, Us for the purpose of discussing and improving the Material, but excluding communication that is conspicuously marked or otherwise designated in writing by You as "Not a Contribution."

**"Submission Date"** means the date on which You Submit a Contribution to Us.

**"Effective Date"** means the date You sign this Agreement or the date You first Submit a Contribution to Us, whichever is earlier.

## Grant of Rights

### 1. Copyright License

(a) You retain ownership of the Copyright in Your Contribution and have the same rights to use or license the Contribution which You would have had without entering into the Agreement.

(b) To the maximum extent permitted by the relevant law, You grant to Us a perpetual, worldwide, non-exclusive, transferable, royalty-free, irrevocable license under the Copyright covering the Contribution, with the right to sublicense such rights through multiple tiers of sublicensees, to reproduce, modify, display, perform and distribute the Contribution as part of the Material; provided that this license is conditioned upon compliance with Section 3.

### 2. Patent License

For patent claims including, without limitation, method, process, and apparatus claims which You own, control or have the right to grant, now or in the future, You grant to Us a perpetual, worldwide, non-exclusive, transferable, royalty-free, irrevocable patent license, with the right to sublicense these rights to multiple tiers of sublicensees, to make, have made, use, sell, offer for sale, import and otherwise transfer the Contribution and the Contribution in combination with the Material (and portions of such combination). This license is granted only to the extent that the exercise of the licensed rights infringes such patent claims; and provided that this license is conditioned upon compliance with Section 3.

### 3. Outbound License

As a condition on the grant of rights in Sections 1 and 2, We agree to license the Contribution only under the terms of the Business Source License 1.1 (including any Additional Use Grant, Change Date, and Change License specified therein) or any future version of the Business Source License released by MariaDB Corporation Ab, or the Apache License, Version 2.0 or any later version.

In addition, We may use the following licenses for Media in the Contribution: Creative Commons Attribution 4.0 International (CC BY 4.0) or any later version (including any right to adopt any future version of a license if permitted).

### 4. Moral Rights

If moral rights apply to the Contribution, to the maximum extent permitted by law, You waive and agree not to assert such moral rights against Us or our successors in interest, or any of our licensees, either direct or indirect.

### 5. Our Rights

You acknowledge that We are not obligated to use Your Contribution as part of the Material and may decide to include any Contribution We consider appropriate.

### 6. Reservation of Rights

Any rights not expressly licensed under this section are expressly reserved by You.

## Agreement

### 1. You Warrant That

(a) You have the legal authority to enter into this Agreement.

(b) You own the Copyright and patent claims covering the Contribution which are required to grant the rights under Section 2.

(c) The grant of rights under Section 2 does not violate any grant of rights which You have made to third parties, including Your employer. If You are an employee, You have had Your employer approve this Agreement or sign the Entity version of this document. If You are less than eighteen years old, please have Your parents or guardian sign the Agreement.

### 2. Developer Certificate of Origin

By making a Contribution to this project, You certify that:

(a) The Contribution was created in whole or in part by You and You have the right to submit it under the open source license indicated in the file; or

(b) The Contribution is based upon previous work that, to the best of Your knowledge, is covered under an appropriate open source license and You have the right under that license to submit that work with modifications, whether created in whole or in part by You, under the same open source license (unless You are permitted to submit under a different license), as indicated in the file; or

(c) The Contribution was provided directly to You by some other person who certified (a), (b) or (c) and You have not modified it.

(d) You understand and agree that this project and the Contribution are public and that a record of the Contribution (including all personal information You submit with it, including Your sign-off) is maintained indefinitely and may be redistributed consistent with this project or the open source license(s) involved.

### 3. License Compliance

You agree that Your Contributions will not be used in violation of the prohibited uses specified in the Business Source License 1.1 under which the Licensed Work is distributed. Specifically, You acknowledge that:

(a) The Licensed Work cannot be used to create products or services that compete with DeepWork or Unsupervised.com, Inc. in the fields of workflow automation or data analysis, as detailed in the LICENSE.md file.

(b) Your Contributions, once accepted, will be subject to these same restrictions until the Change Date specified in the license.

(c) After the Change Date, Your Contributions will be available under the Change License (Apache License, Version 2.0) as specified in the Business Source License 1.1.

## Disclaimer

EXCEPT FOR THE EXPRESS WARRANTIES IN SECTION 3, THE CONTRIBUTION IS PROVIDED "AS IS". MORE PARTICULARLY, ALL EXPRESS OR IMPLIED WARRANTIES INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT ARE EXPRESSLY DISCLAIMED BY YOU TO US. TO THE EXTENT THAT ANY SUCH WARRANTIES CANNOT BE DISCLAIMED, SUCH WARRANTY IS LIMITED IN DURATION TO THE MINIMUM PERIOD PERMITTED BY LAW.

## Consequential Damage Waiver

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT WILL YOU BE LIABLE FOR ANY LOSS OF PROFITS, LOSS OF ANTICIPATED SAVINGS, LOSS OF DATA, INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL AND EXEMPLARY DAMAGES ARISING OUT OF THIS AGREEMENT REGARDLESS OF THE LEGAL OR EQUITABLE THEORY (CONTRACT, TORT OR OTHERWISE) UPON WHICH THE CLAIM IS BASED.

## Miscellaneous

This Agreement will be governed by and construed in accordance with the laws of the State of Delaware, excluding its conflicts of law provisions. Under certain circumstances, the governing law in this section might be superseded by the United Nations Convention on Contracts for the International Sale of Goods ("UN Convention") and the parties intend to avoid the application of the UN Convention to this Agreement and, thus, exclude the application of the UN Convention in its entirety to this Agreement.

---

## How to Sign

By signing this Agreement, You accept and agree to the terms and conditions contained herein.

### For Individual Contributors

To sign this CLA, please add your GitHub username to the list of signatories by creating a pull request that adds your name to the `.github/CLA_SIGNATORIES.md` file, or alternatively, sign the CLA through our automated CLA Assistant when you submit your first pull request.

When you submit a pull request, the CLA Assistant bot will automatically check if you have signed the CLA and guide you through the process if you haven't.

### For Corporate Contributors

If you are contributing on behalf of your employer or another entity, that entity must sign the Corporate CLA. Please contact legal@unsupervised.com to obtain and execute the Corporate CLA.

---

## Questions?

If you have questions about this CLA, please contact us at legal@unsupervised.com or open an issue in the repository.

---

**DeepWork Project**
**Unsupervised.com, Inc.**
**Version 1.0**
**Effective Date: January 14, 2026**
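Review bot: Section references are ambiguous because numbering restarts under "Agreement": "Section 3" in the Copyright and Patent License clauses presumably means "Outbound License", but it could equally be read as "License Compliance", and the Disclaimer's "EXPRESS WARRANTIES IN SECTION 3" appears to mean "1. You Warrant That". Likewise warranties (b) and (c) cite "the rights under Section 2" although rights are granted in both Sections 1 and 2 of "Grant of Rights". Number the sections uniquely or cite them by title. "Licensed Work" in "License Compliance" is used without an entry under "Definitions", and "How to Sign" points individual contributors to `.github/CLA_SIGNATORIES.md`, which the automated check in this PR does not read.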