diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml
index 904211a..9e11f81 100644
--- a/.github/workflows/cla.yml
+++ b/.github/workflows/cla.yml
@@ -21,11 +21,14 @@ jobs:
     runs-on: ubuntu-latest
     if: >
       github.event_name == 'pull_request_target'
+      || github.event_name == 'workflow_call'
       || (github.event_name == 'issue_comment' && github.event.issue.pull_request)
     steps:
       - name: CLA Assistant
+        id: cla-check
         if: >
           github.event_name == 'pull_request_target'
+          || github.event_name == 'workflow_call'
           || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA'
           || github.event.comment.body == 'recheck'
         uses: contributor-assistant/github-action@v2.6.1
@@ -52,3 +55,25 @@ jobs:
           custom-allsigned-prcomment: "All contributors have signed the CLA."
           lock-pullrequest-aftermerge: "true"
           suggest-recheck: "true"
+
+      # Forward CLA status to the PR head commit. `pull_request_target`
+      # runs against the base branch SHA, so the status the CLA action
+      # posts never lands on the PR head — causing required-check rules
+      # to stay stuck on "expected".
+      - name: Forward CLA status to PR head
+        if: always() && github.event.pull_request.head.sha
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          if [ "${{ steps.cla-check.outcome }}" = "success" ]; then
+            STATE="success"
+            DESC="All contributors have signed the CLA."
+          else
+            STATE="failure"
+            DESC="CLA signature required."
+          fi
+
+          gh api "repos/${{ github.repository }}/statuses/${{ github.event.pull_request.head.sha }}" \
+            -f state="$STATE" \
+            -f context="cla / cla" \
+            -f description="$DESC"