From 45af982bffca72e4ad5cd81601b75bdb4c58a1f0 Mon Sep 17 00:00:00 2001
From: Brian Cooper <brian@brian-cooper.com>
Date: Mon, 23 Mar 2026 15:54:57 -0400
Subject: [PATCH] fix(cla): forward status to PR head commit

`pull_request_target` runs against the base branch SHA, so the
check run and any status the CLA action posts land on the wrong
commit. This causes org-level required-check rulesets (like "CLA
Required") to stay stuck on "expected" because GitHub never sees
the `cla / cla` context on the actual PR head.

Add a step that explicitly posts the CLA outcome (success or
failure) to `github.event.pull_request.head.sha` after the CLA
action runs. Also add `workflow_call` to the job/step conditions
so the workflow works correctly when invoked as a reusable workflow.
---
 .github/workflows/cla.yml | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml
index 904211a..9e11f81 100644
--- a/.github/workflows/cla.yml
+++ b/.github/workflows/cla.yml
@@ -21,11 +21,14 @@ jobs:
     runs-on: ubuntu-latest
     if: >
       github.event_name == 'pull_request_target'
+      || github.event_name == 'workflow_call'
       || (github.event_name == 'issue_comment' && github.event.issue.pull_request)
     steps:
       - name: CLA Assistant
+        id: cla-check
         if: >
           github.event_name == 'pull_request_target'
+          || github.event_name == 'workflow_call'
           || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA'
           || github.event.comment.body == 'recheck'
         uses: contributor-assistant/github-action@v2.6.1
@@ -52,3 +55,25 @@ jobs:
           custom-allsigned-prcomment: "All contributors have signed the CLA."
           lock-pullrequest-aftermerge: "true"
           suggest-recheck: "true"
+
+      # Forward CLA status to the PR head commit. `pull_request_target`
+      # runs against the base branch SHA, so the status the CLA action
+      # posts never lands on the PR head — causing required-check rules
+      # to stay stuck on "expected".
+      - name: Forward CLA status to PR head
+        if: always() && github.event.pull_request.head.sha
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          if [ "${{ steps.cla-check.outcome }}" = "success" ]; then
+            STATE="success"
+            DESC="All contributors have signed the CLA."
+          else
+            STATE="failure"
+            DESC="CLA signature required."
+          fi
+
+          gh api "repos/${{ github.repository }}/statuses/${{ github.event.pull_request.head.sha }}" \
+            -f state="$STATE" \
+            -f context="cla / cla" \
+            -f description="$DESC"