chore: narrow BSL Additional Use Grant and add CLA#408
Rewrite the BSL 1.1 Additional Use Grant to permit free production use for non-competing organizations with fewer than 500 employees. Add a Contributor License Agreement (CLA) with automated PR enforcement via contributor-assistant/github-action to enable dual-licensing. Add a docs/licensing.md page explaining the rationale, what's permitted, and inviting feedback. Add a License & Usage section to the landing page. Update the release workflow to auto-roll the BSL Change Date to 3 years ahead inside each Release Please PR. Closes #406
- Update actions/checkout from v4 to v6 in cla.yml and release.yml (consistency with rest of repo)
- Pin locale (LC_TIME=C) in release.yml date computation
- Add docs/licensing.md and CLA workflow to CLAUDE.md documentation
- Clarify Change Date wording in docs/licensing.md
Summary of Changes
Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request introduces significant updates to the project's licensing strategy, aiming to balance open access with sustainable development. It refines the Business Source License (BSL) 1.1's 'Additional Use Grant' to be more permissive for smaller, non-competing organizations, while simultaneously implementing a Contributor License Agreement (CLA) to enable dual-licensing. These changes are supported by extensive new documentation and automated processes for managing license terms and contributor agreements.
Code Review
This pull request introduces significant updates to the project's licensing model, moving to a more permissive BSL grant and adding a CLA. The changes are well-documented and consistently applied across the repository, including updates to the README, contribution guidelines, and the project website. My review found only minor opportunities to improve the consistency of the license summary in public-facing documents to more accurately reflect the formal license terms.
README.md
Outdated
| ## License | ||
|
|
||
| [Business Source License 1.1](LICENSE) — converts to Apache 2.0 on 2030-02-27. | ||
| [Business Source License 1.1](LICENSE) — free production use for non-competing organizations with fewer than 500 employees. Converts to Apache 2.0 on 2030-02-27. See [licensing details](https://synthorg.io/docs/licensing/) for the full rationale and what's permitted. |
For clarity and consistency with the LICENSE file, it would be better to mention contractors as well when defining the employee threshold. The official definition in the license includes "employees and individual contractors".
| [Business Source License 1.1](LICENSE) — free production use for non-competing organizations with fewer than 500 employees. Converts to Apache 2.0 on 2030-02-27. See [licensing details](https://synthorg.io/docs/licensing/) for the full rationale and what's permitted. | |
| [Business Source License 1.1](LICENSE) — free production use for non-competing organizations with fewer than 500 employees and contractors. Converts to Apache 2.0 on 2030-02-27. See [licensing details](https://synthorg.io/docs/licensing/) for the full rationale and what's permitted. |
site/src/pages/index.astro
Outdated
| <div class="w-12 h-12 rounded-lg bg-teal-600/20 flex items-center justify-center text-teal-400 mb-4 text-xl">✓</div> | ||
| <h3 class="text-xl font-semibold mb-3 text-teal-400">Free in Production</h3> | ||
| <ul class="text-gray-400 space-y-2 text-sm"> | ||
| <li>Organizations with <500 employees</li> |
To maintain consistency with the official license terms, I suggest including "and contractors" here. The LICENSE file specifies the threshold as "fewer than 500 employees and individual contractors". This makes the summary on the landing page more accurate.
<li>Organizations with <500 employees and contractors</li>
|
📝 Walkthrough (Summary by CodeRabbit)
Narrowed the BSL 1.1 Additional Use Grant to permit free production use for non‑competing organizations with <500 employees/contractors; added a Contributor License Agreement (CLA) and enforcement workflow, docs/site updates, changelog entry, and a release step to auto-update the BSL Change Date.
Sequence Diagram(s)

```mermaid
sequenceDiagram
    actor Contributor
    participant GitHub as GitHub (PR)
    participant Workflow as CLA Workflow
    participant Assistant as CLA Assistant
    participant Repo as Repository
    Contributor->>GitHub: Open pull request
    GitHub->>Workflow: Trigger pull_request_target
    Workflow->>Assistant: Run with CLA.md & .github/cla-signatures.json
    Assistant->>Repo: Check `.github/cla-signatures.json` for signature
    alt Signature not found
        Assistant->>GitHub: Post signing instructions comment
        Contributor->>GitHub: Reply with exact CLA sign text
        GitHub->>Workflow: Trigger issue_comment
        Workflow->>Assistant: Run on comment match
        Assistant->>Repo: Record signature in `.github/cla-signatures.json`
        Assistant->>GitHub: Post success message
    else Signature found
        Assistant->>GitHub: Post success message
    end
    Workflow->>GitHub: Set CLA check status for PR
```

```mermaid
sequenceDiagram
    participant DevOps as Release Process
    participant Actions as GitHub Actions
    participant ReleaseBot as release-please
    participant Git as Git Repository
    participant License as LICENSE file
    DevOps->>Actions: Trigger release workflow
    Actions->>ReleaseBot: run release-please (id: release)
    ReleaseBot->>Git: Create/update release PR
    alt Release PR exists
        Actions->>Git: Checkout release PR branch
        Actions->>Actions: Compute new BSL Change Date (now + 3 years)
        Actions->>License: Update Change Date line in LICENSE
        Actions->>Git: Commit & push changes to release PR branch
    end
```
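The Change Date roll that the release workflow performs (compute a date three years ahead under a pinned locale, rewrite the `Change Date:` line of LICENSE, then guard with grep so a non-matching sed fails loudly), written out as an added shell example; this is not the project's release.yml, the LICENSE fragment is constructed, and GNU date/sed are assumed.

```shell
#!/usr/bin/env bash
# Added example, not the project's release.yml: roll the "Change Date:" line of a
# BSL 1.1 LICENSE file to N years after a base date, and fail loudly when the
# line is missing so a silent sed no-op cannot ship a stale date.
# Assumes GNU date (-d) and GNU sed (-i), as on ubuntu-latest runners.
set -eu

# Format "<base> + <years>" the way the LICENSE states it, e.g. "March 14, 2029".
# LC_TIME=C pins English month names whatever the runner's locale is.
compute_change_date() {
  local base="$1" years="${2:-3}"
  LC_TIME=C date -u -d "${base} +${years} years" '+%B %-d, %Y'
}

# Rewrite the "Change Date:" line in $1 to the date in $2.
# Returns 1 if the line is absent before the edit or the new value is absent
# after it (the grep guard that keeps a non-matching sed from passing silently).
roll_change_date() {
  local file="$1" new_date="$2"
  if ! grep -q '^Change Date: ' "$file"; then
    echo "no 'Change Date:' line found in $file" >&2
    return 1
  fi
  sed -i "s/^Change Date: .*/Change Date: ${new_date}/" "$file"
  if ! grep -q "^Change Date: ${new_date}\$" "$file"; then
    echo "Change Date update did not apply in $file" >&2
    return 1
  fi
}

# Print the current Change Date value of a LICENSE file (first match only).
read_change_date() {
  sed -n 's/^Change Date: *//p' "$1" | sed -n '1p'
}

# Write a constructed three-line LICENSE fragment to $1; the date mirrors the
# one quoted in the review discussion (February 27, 2030).
make_sample_license() {
  printf '%s\n' 'Business Source License 1.1' \
    'Change Date: February 27, 2030' \
    'Change License: Apache License, Version 2.0' > "$1"
}
```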
- Add persist-credentials: false to CLA workflow checkout
- Suppress dangerous-triggers for CLA (pull_request_target required, mitigated by ref: main checkout)
- Suppress artipacked for release.yml (credentials needed to push Change Date commit to release PR branch)
Pull request overview
This PR updates SynthOrg’s licensing posture and contributor process by narrowing the BSL 1.1 Additional Use Grant, adding a CLA with automated enforcement, and expanding documentation/site copy to explain what’s permitted.
Changes:
- Narrow BSL 1.1 Additional Use Grant to allow free production use for non-competing orgs under 500 employees, with clearer terms in `LICENSE`.
- Add licensing documentation (`docs/licensing.md`) and wire it into MkDocs navigation and site/README links.
- Introduce a CLA (`CLA.md`) plus a GitHub Actions workflow to enforce/record CLA signatures; update release automation to bump BSL Change Date.
Reviewed changes
Copilot reviewed 13 out of 13 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| site/src/pages/index.astro | Updates landing page licensing messaging, adds a License & Usage section, and adjusts legal link destinations. |
| README.md | Updates license badge text and expands the license section summary with a docs link. |
| mkdocs.yml | Adds the new Licensing page to the MkDocs nav. |
| LICENSE | Replaces Additional Use Grant text with the new production-use criteria and thresholds. |
| docs/licensing.md | Adds a detailed licensing rationale/FAQ and usage guidance page. |
| docs/index.md | Updates license link text and adds a link to the new Licensing & Usage page. |
| CLAUDE.md | Updates repo overview to reflect the licensing/CLA additions and release workflow behavior. |
| CLA.md | Adds the Contributor License Agreement text and signing instructions. |
| .github/workflows/release.yml | Adds a step to auto-update the BSL Change Date on release PR creation/update. |
| .github/workflows/cla.yml | Adds automated CLA signature checking/recording via contributor-assistant. |
| .github/CONTRIBUTING.md | Updates contributing docs to mention the CLA requirement and process. |
| .github/cla-signatures.json | Adds the initial signatures store for CLA automation. |
| .github/CHANGELOG.md | Documents licensing/CLA/release-automation changes in the changelog. |
| <p class="text-sm tracking-widest text-violet-400 mb-6 font-mono"> | ||
| Python 3.14+ · BSL 1.1 · Open Source | ||
| Python 3.14+ · BSL 1.1 · Source Available |
site/src/pages/index.astro
Outdated
| <a href="/docs/architecture/" class="text-teal-400 hover:underline">architecture docs</a>, and | ||
| <a href="/docs/roadmap/" class="text-teal-400 hover:underline">roadmap</a>. | ||
| Licensed under BSL 1.1, converting to Apache 2.0 on 2030-02-27. | ||
| Licensed under BSL 1.1, converting to Apache 2.0 automatically. |
site/src/pages/index.astro
Outdated
| <li>Organizations with <500 employees</li> | ||
| <li>Internal tools and automation</li> | ||
| <li>Products where SynthOrg is not the core value</li> | ||
| <li>No separate license needed</li> |
docs/licensing.md
Outdated
| | Production use by large org (500+ employees) | Contact us | Commercial license | | ||
| | Offering SynthOrg as a hosted/managed service | Contact us | Commercial license | | ||
| | Reselling or embedding SynthOrg as your core product | Contact us | Commercial license | | ||
| | Contributing to SynthOrg | Yes | Sign the [CLA](https://github.com/Aureliolo/synthorg/blob/main/CLA.md) | | ||
|
|
.github/workflows/cla.yml
Outdated
| runs-on: ubuntu-latest | ||
| if: | | ||
| (github.event_name == 'pull_request_target' && github.event.pull_request.user.login != 'dependabot[bot]') || | ||
| (github.event_name == 'issue_comment' && github.event.issue.pull_request && contains(github.event.comment.body, 'I have read the CLA')) |
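Review bot: the `issue_comment` condition uses `contains(github.event.comment.body, 'I have read the CLA')`, a substring match, so any PR comment that merely quotes or discusses the phrase (a reply such as "I have read the CLA but have a question") will trigger a run; compare the body against the full signing sentence with `==` instead. On the `pull_request_target` side only `dependabot[bot]` is excluded, so every other automated author (release-please, github-actions) will be asked to sign; extend the exclusion to `[bot]` logins or use the action's allowlist input so the skip list lives in one place.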
Greptile Summary
This PR narrows the BSL 1.1 Additional Use Grant to a targeted free-use grant (non-competing organizations with <500 employees), adds an Apache ICLA-based CLA with automated bot enforcement, introduces a Key findings:
Confidence Score: 3/5
Prompt To Fix All With AI
This is a comment left during a code review.
Path: .github/workflows/cla.yml
Line: 16
Comment:
**Missing bot/owner allowlist — CLA bot will fire on Release Please PRs**
The only excluded actor is `dependabot[bot]`, but Release Please also opens PRs to `main` — under `RELEASE_PLEASE_TOKEN`. If that token is a PAT, the CLA action will run against the PAT owner's GitHub account, prompting them (via bot comment) to sign the CLA on every release PR. If it is a GitHub App token, the action will attempt to check the app identity, which cannot sign.
`contributor-assistant/github-action` exposes an `allowlist` parameter for exactly this purpose. It accepts a comma-separated list of GitHub usernames (and supports wildcard `*bot*` patterns). Without it, every Release Please PR, plus any PR opened by the repo owner, generates an unnecessary CLA-unsigned comment.
```suggestion
if: |
(github.event_name == 'pull_request_target' &&
github.event.pull_request.user.login != 'dependabot[bot]' &&
!endsWith(github.event.pull_request.user.login, '[bot]')) ||
(github.event_name == 'issue_comment' && github.event.issue.pull_request && github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA')
```
Or, preferably, pass an `allowlist` to the action itself so the logic lives in one place:
```yaml
with:
# …existing params…
allowlist: Aureliolo,github-actions[bot],release-please[bot]
```
How can I resolve this? If you propose a fix, please make it concise.
---
This is a comment left during a code review.
Path: LICENSE
Line: 354
Comment:
**Change Date inconsistent with new "3 years per release" policy**
The current `Change Date: February 27, 2030` was set under the old policy and is roughly 4 years from the project's initial release date. The new policy (documented in `docs/licensing.md`, `README.md`, and `CLAUDE.md`) states the Change Date is "3 years after each release."
For `v0.1.4` (released 2026-03-14), a 3-year Change Date would be approximately **March 14, 2029**, not February 27, 2030. The `release.yml` automation will roll this date forward on the *next* Release Please PR, so the current release will ship with a license date that does not match the stated policy.
Consider triggering the date update as part of this PR itself (or noting explicitly in `docs/licensing.md` that the 3-year policy takes effect from the *next* release), so users reading the LICENSE today are not confused by the discrepancy between what the file says and what all the documentation promises.
How can I resolve this? If you propose a fix, please make it concise.
Last reviewed commit: 8f53b02
- Add "and contractors" to employee threshold in README, CHANGELOG, landing page, and licensing docs (matches LICENSE wording)
- Replace "Open Source" with "Source Available" in landing page hero and section heading (BSL is not OSI open-source)
- Tighten "Free in Production" bullets to match LICENSE qualifiers (affiliates, non-competing clause, link to full terms)
- Use "Conditional" instead of "Contact us" in licensing.md table
- Exact-match CLA sign comment in cla.yml (was substring match)
- Add grep guard after sed in release.yml to fail loudly if Change Date pattern doesn't match
- Add inline comment on hardcoded RP branch name in release.yml
The Source Available section repeated license info already covered by License & Usage. Move GitHub star/fork buttons and docs link into the License & Usage section and remove the duplicate.
Actionable comments posted: 4
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/cla-signatures.json:
- Around line 1-3: Remove the pre-created file .github/cla-signatures.json so
the contributor-assistant/github-action can manage CLA signatures itself; delete
the file from the repo (undo the added empty "signedContributors" array) and
rely on the action to create and update it automatically during CI.
In @.github/workflows/cla.yml:
- Around line 3-7: The checkout step using actions/checkout (the step that
checks out main under the pull_request_target workflow and runs with
permissions: contents: write) should explicitly set persist-credentials: false
to avoid persisting GITHUB_TOKEN credentials; update the checkout step (the
uses: actions/checkout@... step) to include persist-credentials: false so
credentials are not stored for subsequent steps when using contents: write.
In @.github/workflows/release.yml:
- Around line 28-33: The checkout step using actions/checkout (uses:
actions/checkout@de0fac2e450...) is persisting the PAT in the job git config;
update the step to avoid leaving credentials by adding persist-credentials:
false and then switch push operations to SSH (preferred) or configure an SSH key
via actions/checkout + ssh-agent so pushes use the SSH remote; alternatively, if
you must use the token for fetch, keep token: ${{ secrets.RELEASE_PLEASE_TOKEN
}} but set persist-credentials: false and ensure subsequent git push uses SSH
auth (configure ssh-agent/setup-ssh) rather than the persisted PAT.
In `@docs/licensing.md`:
- Line 29: Update the sentence that currently reads "**Every version
automatically converts to Apache 2.0** — on the Change Date or 4 years after
release, whichever comes first" to remove confusion by either (A) simplifying to
state only the 3-year Change Date (e.g., "on the Change Date, which for SynthOrg
is 3 years after release") or (B) explicitly stating that SynthOrg sets the
Change Date to 3 years so the BSL 1.1 four-year backstop will not apply; apply
the same clarification to the similar block referenced (lines 96-108).
🪛 GitHub Actions: Workflow Security
.github/workflows/cla.yml
[error] 3-7: dangerous triggers: pull_request_target is almost always used insecurely.
[warning] 23-23: Actions checkout: persist-credentials not set to false.
.github/workflows/release.yml
[warning] 28-28: Checkout Release PR branch: persist-credentials not set to false.
🔇 Additional comments (14)
README.md (1)
12-12: License messaging update is clear and consistent with the PR intent. The badge update plus the explicit licensing summary and link improves discoverability for users evaluating usage terms.
Also applies to: 158-158
.github/CHANGELOG.md (1)
6-12: Good release-note coverage for licensing process changes. This section cleanly captures grant narrowing, CLA rollout, docs addition, and release automation updates.
CLAUDE.md (1)
7-7: Operational documentation updates look correct. The licensing reference, CLA workflow note, and release workflow note are well aligned with the implemented process.
Also applies to: 75-75, 265-266
mkdocs.yml (1)
125-125: Navigation update is correct. Adding `Licensing` to the docs nav improves discoverability of the new policy page.
docs/index.md (1)
133-134: Docs landing-page links are well placed. The license summary and dedicated “Licensing & Usage” pointer make policy navigation much clearer for contributors and users.
LICENSE (1)
8-32: Additional Use Grant rewrite is clear and well-scoped. The updated terms precisely define qualifying production use, commercial-license cases, and non-production allowance while preserving the BSL framework.
site/src/pages/index.astro (3)
16-16: Terminology update is accurate. Changing from "Open Source" to "Source Available" correctly reflects BSL 1.1's status as a source-available license rather than an OSI-approved open-source license.
306-366: License & Usage section is well-structured and accurate. The three-tier breakdown (Always Free / Free in Production / Commercial License) clearly communicates the licensing terms. The content aligns with the Additional Use Grant specified in the PR objectives.
Minor note: The HTML entity `&lt;` on line 335 is correctly used for the less-than symbol in "Organizations with <500 employees".
378-378: License references consistently updated. The license description and footer link now point to the dedicated licensing documentation page, which provides a better user experience than linking directly to the raw LICENSE file.
Also applies to: 484-484
.github/CONTRIBUTING.md (1)
143-153: CLA documentation is clear and actionable. The updated section clearly explains the CLA requirement and signing process. The instructions align with the automated workflow and correctly reference the signature storage mechanism.
CLA.md (1)
1-119: CLA document is well-structured and enables the required dual-licensing. The agreement follows the Apache ICLA template pattern and includes the necessary grants:
- Section 2 & 3 provide copyright and patent licenses
- Section 4 explicitly enables dual-licensing (BSL + commercial)
- Section 6 preserves contributor ownership
The signing process (lines 98-105) and Corporate CLA guidance (lines 109-119) are clear and practical.
.github/workflows/cla.yml (2)
15-17: Dependabot skip condition looks correct. The condition properly excludes Dependabot PRs from CLA checks and ensures issue comments only trigger when they contain the CLA acknowledgment phrase.
26-44: CLA action configuration is well-documented and user-friendly. The custom messages provide clear signing instructions. The `use-dco-flag: false` explicitly disables DCO in favor of CLA, which aligns with the PR objectives.
docs/licensing.md (1)
1-171: Comprehensive licensing documentation. This page thoroughly addresses the licensing model with clear explanations, practical examples, and a helpful FAQ. The Quick Summary table at the top is particularly useful for users who need a quick answer. The rationale sections (Why BSL 1.1, Why Not AGPL, 500-Employee Threshold) proactively address common concerns.
| - name: Checkout Release PR branch | ||
| if: steps.release.outputs.pr != '' | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | ||
| with: | ||
| ref: release-please--branches--main | ||
| token: ${{ secrets.RELEASE_PLEASE_TOKEN }} |
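Review bot: `persist-credentials` is not set on this checkout, so `RELEASE_PLEASE_TOKEN` stays in the workspace git config for the rest of the job and is readable by every later step; if the persisted PAT is what the later push relies on, keep the token fine-grained (contents write on this repository only) and avoid running third-party actions between this step and the push, otherwise set `persist-credentials: false` and hand the token only to the push step. `ref: release-please--branches--main` is also hard-coded: a default-branch rename would make this step check out a branch that no longer exists, so at minimum a comment should say it must track the default branch.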
🧩 Analysis chain
🏁 Script executed:
```bash
#!/bin/bash
set -euo pipefail
rg -n "actions/checkout@|persist-credentials|RELEASE_PLEASE_TOKEN|git push" .github/workflows/release.yml
```
Repository: Aureliolo/synthorg
Length of output: 275
🏁 Script executed:
```bash
cat -n .github/workflows/release.yml | head -60
```
Repository: Aureliolo/synthorg
Length of output: 2090
🌐 Web query: GitHub Actions persist-credentials false checkout token inline authentication best practice
💡 Result:
Best practice (vs “inline token in git URL”)
- Prefer `actions/checkout`'s `token:` input (and/or `ssh-key`) instead of embedding a token in a remote URL. `actions/checkout` manages auth for you and removes it in post-job cleanup; you can opt out of persisting credentials with `persist-credentials: false`. [1]
- Set `persist-credentials: false` unless later steps truly need to run authenticated `git` commands (push, fetch private submodules, etc.). Otherwise you're intentionally making that credential available to subsequent steps in the job. [1]
- Use least-privilege permissions for the job's token (`permissions:`) to reduce blast radius if anything in the job is compromised. [2][3]
- If you must access a different private repo, use a dedicated secret (PAT) via `token:` (or better, a GitHub App token), because `github.token` is scoped to the current repo. [1]
Example (safe default: no persisted git creds)
```yaml
permissions:
  contents: read
steps:
  - uses: actions/checkout@v6
    with:
      persist-credentials: false
      fetch-depth: 0
```
Example (need to checkout another private repo)
```yaml
permissions:
  contents: read
steps:
  - uses: actions/checkout@v6
    with:
      repository: my-org/my-private-tools
      token: ${{ secrets.GH_PAT }}
      persist-credentials: false
```
Why avoid “inline auth” (e.g., `https://x-access-token:...@github.com/...`): it's easy to leak via logs, process listings, or persisted git config/remotes; using `token:` avoids having to place the credential in the URL at all. [1][2]
Avoid persisting PAT credentials during checkout.
The code checks out with a PAT without `persist-credentials: false`, leaving the token in git config for the job duration. However, the suggested approach of embedding the token directly in the git push URL is explicitly discouraged by GitHub Actions — credentials in URLs are easier to leak through logs or process listings.
Consider instead:
- Use SSH keys for the checkout and git operations (preferred)
- Or use `token:` with `persist-credentials: false` and pair it with SSH authentication for the push
…meline
- Remove .github/cla-signatures.json — contributor-assistant/github-action auto-creates it on first signing
- Clarify 3-year vs 4-year conversion in docs/licensing.md — our Change Date (3 years) always applies before the BSL 4-year backstop
Skipped findings:
- cla.yml persist-credentials: already set to false
- release.yml persist-credentials: must remain true for git push to release PR branch (documented via zizmor suppression)
Inline zizmor comments only work on the line immediately before the finding. Move dangerous-triggers (cla.yml) and artipacked (release.yml) suppressions to the .zizmor.yml config file where they are reliably applied.
Pull request overview
This PR updates SynthOrg’s licensing posture and contributor workflow by clarifying BSL 1.1 “source-available” messaging across the site/docs, introducing a Contributor License Agreement (CLA) with automated enforcement, and adding release automation to keep the BSL Change Date current.
Changes:
- Update website + docs + README to describe BSL 1.1 as “source available” and document permitted usage.
- Add `docs/licensing.md` (rationale/FAQ) and `CLA.md`, plus a new `cla.yml` workflow to enforce CLA signatures.
- Extend the release workflow to automatically update the BSL Change Date as part of release PRs (and adjust zizmor ignores accordingly).
Reviewed changes
Copilot reviewed 13 out of 13 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| site/src/pages/index.astro | Updates homepage copy and adds a “License & Usage” section linking to the new licensing docs. |
| README.md | Adjusts license messaging (badge + license section) and links to licensing docs. |
| mkdocs.yml | Adds the new licensing page to the docs navigation. |
| LICENSE | Updates the BSL Additional Use Grant terms to allow certain production usage under conditions. |
| docs/licensing.md | New licensing rationale/FAQ page describing allowed usage and CLA rationale. |
| docs/index.md | Adds links/summary for licensing and usage documentation. |
| CLAUDE.md | Updates repo meta/docs index and notes CLA/release behaviors. |
| CLA.md | New Contributor License Agreement document. |
| .zizmor.yml | Suppresses specific zizmor findings for CLA and release workflows with rationale comments. |
| .github/workflows/release.yml | Adds automation to update the BSL Change Date when release PRs are created/updated. |
| .github/workflows/cla.yml | New CLA enforcement workflow using contributor-assistant/github-action. |
| .github/CONTRIBUTING.md | Updates contributing guidelines to reflect license + CLA requirement. |
| .github/CHANGELOG.md | Adds changelog notes describing licensing/CLA/release automation changes. |
| if: steps.release.outputs.pr != '' | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | ||
| with: | ||
| ref: release-please--branches--main # must match the repo default branch name | ||
| token: ${{ secrets.RELEASE_PLEASE_TOKEN }} | ||
|
|
||
| - name: Update BSL Change Date (release + 3 years) | ||
| if: steps.release.outputs.pr != '' |
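Review bot: The comment on `ref:` says the value "must match the repo default branch name", but `release-please--branches--main` is the Release Please PR head branch; only its trailing `main` is the default branch name, and a reader renaming the default branch needs both facts. Rather than hardcoding the branch, derive it from the step output: release-please-action's `pr` output is a JSON object, and if it carries the head branch name (it does in the versions I know as `headBranchName`), `ref: ${{ fromJSON(steps.release.outputs.pr).headBranchName }}` cannot drift from what the action actually created. Separately, this checkout authenticates with `RELEASE_PLEASE_TOKEN` and, per the zizmor notes above, keeps `persist-credentials: true` so the later step can push; that leaves the token in `.git/config` for every subsequent step of the job, so keep the steps after it to the Change Date update and push only, and scope the token to `contents: write` on this repository.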
README.md
Outdated
| ## License | ||
|
|
||
| [Business Source License 1.1](LICENSE) — converts to Apache 2.0 on 2030-02-27. | ||
| [Business Source License 1.1](LICENSE) — free production use for non-competing organizations with fewer than 500 employees and contractors. Converts to Apache 2.0 on 2030-02-27. See [licensing details](https://synthorg.io/docs/licensing/) for the full rationale and what's permitted. |
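Review bot: The replacement line still hardcodes "Converts to Apache 2.0 on 2030-02-27" while this same PR makes the release workflow roll the Change Date forward at every release, so the README is stale from the next release onward. Say "three years after each release" and point at the LICENSE file for the exact date of the current version; the docs/index.md and CLAUDE.md hunks below repeat the same fixed date and need the same change.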
docs/index.md
Outdated
|
|
||
| - [GitHub Repository](https://github.com/Aureliolo/synthorg) | ||
| - [License](https://github.com/Aureliolo/synthorg/blob/main/LICENSE) (BSL 1.1 → Apache 2.0 on 2030-02-27) | ||
| - [License](https://github.com/Aureliolo/synthorg/blob/main/LICENSE) (BSL 1.1, source available — free production use for non-competing small orgs → Apache 2.0 on 2030-02-27) |
CLAUDE.md
Outdated
| - **What**: Framework for building synthetic organizations — autonomous AI agents orchestrated as a virtual company | ||
| - **Python**: 3.14+ (PEP 649 native lazy annotations) | ||
| - **License**: BUSL-1.1 (converts to Apache 2.0 on 2030-02-27) | ||
| - **License**: BUSL-1.1 with narrowed Additional Use Grant (free production use for non-competing small orgs; converts to Apache 2.0 on 2030-02-27) |
| - **Source code is public** — you can read, fork, modify, and redistribute it | ||
| - **Non-production use is unrestricted** — learning, research, testing, evaluation, contributing | ||
| - **Production use is governed by the Additional Use Grant** — our grant is deliberately permissive (see below) | ||
| - **Every version automatically converts to Apache 2.0** — SynthOrg sets the Change Date to 3 years after each release (the BSL 1.1 terms also include a 4-year backstop, but our shorter Change Date always applies first) |
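Review bot: The last bullet's claim that the 3-year Change Date "always applies first" holds only while the release step that rewrites LICENSE actually runs and its push to the release PR branch succeeds; if that step is skipped or fails, the version ships under whatever date LICENSE last carried, and only the four-year backstop in the BSL 1.1 text catches it. Add a release-time check that fails the job when the `Change Date:` line in LICENSE is not exactly the release date plus three years, and state on this page that the date is per released version (each release's LICENSE carries its own), which is what makes "every version" accurate.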
The Change Date auto-updates with each release, so hardcoding "2030-02-27" in README, CLAUDE.md, and docs/index.md would go stale. Use "three years after release" instead. Also: add GNU date comment in release.yml, clarify hackathon FAQ in docs/licensing.md.
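The date arithmetic behind that release step, written out as an added example rather than the project's own `release.yml` code. It assumes GNU `date` (as on `ubuntu-latest`) and a LICENSE file with a `Change Date:` line; `LC_ALL=C` pins locale-dependent parsing and output, and `TZ=UTC` with `-u` keeps the day from shifting with the runner's zone. The function names `next_change_date`, `roll_change_date` and `change_date_of` are this example's own.

```sh
#!/bin/sh
# Added example (not SynthOrg's release.yml): roll a BSL 1.1 "Change Date:"
# line forward to three years after a release date. Assumes GNU date.
set -eu

# next_change_date RELEASE_DATE -> RELEASE_DATE + 3 years, as YYYY-MM-DD.
# LC_ALL=C pins locale-dependent parsing/formatting; TZ=UTC makes the input
# parse in UTC and -u prints in UTC, so the day cannot shift with the
# runner's zone. GNU date normalises a leap day: 2028-02-29 + 3 years is
# 2031-03-01, which a release cut on 29 February would otherwise miss.
next_change_date() {
  LC_ALL=C TZ=UTC date -u -d "$1 + 3 years" +%Y-%m-%d
}

# roll_change_date LICENSE_FILE RELEASE_DATE -> rewrite the "Change Date:"
# line in place. Returns non-zero if the file has no such line, so a release
# job that runs this stops instead of shipping a LICENSE with a stale date.
roll_change_date() {
  file=$1
  new=$(next_change_date "$2")
  grep -q '^Change Date:' "$file" || { echo "$file: no Change Date line" >&2; return 1; }
  # Write to a sibling file and rename: portable (no GNU-only sed -i) and
  # never leaves a half-written LICENSE if the job is killed mid-step.
  sed "s/^Change Date:.*/Change Date:          $new/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# change_date_of LICENSE_FILE -> prints the current Change Date value, so a
# later step can assert it equals next_change_date of the release date.
change_date_of() {
  sed -n 's/^Change Date:[[:space:]]*//p' "$1"
}
```

In a workflow the last function is the check worth keeping: after the roll, compare `change_date_of LICENSE` with `next_change_date "$RELEASE_DATE"` and fail the job on mismatch, so a release never ships with a date the step did not actually write.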
| name: CLA Signature Check | ||
| runs-on: ubuntu-latest | ||
| if: | | ||
| (github.event_name == 'pull_request_target' && github.event.pull_request.user.login != 'dependabot[bot]') || |
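Review bot: This job runs on `pull_request_target`, so it executes in the base repository's context with a token that can write to the repository even for fork PRs; the dangerous-triggers suppression moved into .zizmor.yml is justified only as long as the job never checks out or executes content from the PR head, and a `permissions:` block limited to what the CLA action needs belongs next to this `if:`. The `issue_comment` arm of the same condition compares the signing phrase to `github.event.comment.body` with exact `==`, so a comment with trailing whitespace or different capitalisation never triggers the check; that is acceptable, but document the exact phrase in CONTRIBUTING.md so contributors are not left wondering why their signature was ignored.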
**Missing bot/owner allowlist — CLA bot will fire on Release Please PRs**

The only excluded actor is `dependabot[bot]`, but Release Please also opens PRs to `main` — under `RELEASE_PLEASE_TOKEN`. If that token is a PAT, the CLA action will run against the PAT owner's GitHub account, prompting them (via bot comment) to sign the CLA on every release PR. If it is a GitHub App token, the action will attempt to check the app identity, which cannot sign.

`contributor-assistant/github-action` exposes an `allowlist` parameter for exactly this purpose. It accepts a comma-separated list of GitHub usernames (and supports wildcard `*bot*` patterns). Without it, every Release Please PR, plus any PR opened by the repo owner, generates an unnecessary CLA-unsigned comment.

```suggestion
if: |
  (github.event_name == 'pull_request_target' &&
  github.event.pull_request.user.login != 'dependabot[bot]' &&
  !endsWith(github.event.pull_request.user.login, '[bot]')) ||
  (github.event_name == 'issue_comment' && github.event.issue.pull_request && github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA')
```

Or, preferably, pass an `allowlist` to the action itself so the logic lives in one place:

```yaml
with:
  # …existing params…
  allowlist: Aureliolo,github-actions[bot],release-please[bot]
```
## Summary

Follow-up to #408. Fixes CLA enforcement failure (branch protection blocked signature commits) and moves 3 files out of the repo root.

- **Fix CLA signature storage**: `branch: main` → `branch: cla-signatures` (unprotected orphan branch, auto-created in this PR)
- **Move `CLA.md`** → `.github/CLA.md` (GitHub community files convention)
- **Move `DESIGN_SPEC.md`** → `docs/DESIGN_SPEC.md` (it's a docs pointer file)
- **Move `.zizmor.yml`** → `.github/.zizmor.yml` (CI config belongs in .github)
- Update all references across workflows, CLAUDE.md, README, CONTRIBUTING, licensing docs, getting_started, and 4 skill files

## Test plan

- [x] All pre-commit hooks pass
- [x] `cla-signatures` orphan branch created and pushed to remote
- [x] Docs-consistency agent: zero stale references found
- [x] Infra-reviewer agent: zizmor config path works, CLA branch confirmed needed
- [x] CONTRIBUTING.md → CLA.md relative link verified (both in .github/)
- [x] Verified no remaining root-level references to moved files

## Review coverage

Pre-reviewed by 2 agents (docs-consistency, infra-reviewer). 1 finding addressed (create orphan branch before merge).
🤖 I have created a release *beep* *boop*

---

## [0.2.0](v0.1.4...v0.2.0) (2026-03-15)

## First probably usable release? Most likely not no and everything will break

### Features

* add /get/ installation page for CLI installer ([#413](#413)) ([6a47e4a](6a47e4a))
* add cross-platform Go CLI for container lifecycle management ([#401](#401)) ([0353d9e](0353d9e)), closes [#392](#392)
* add explicit ScanOutcome signal to OutputScanResult ([#394](#394)) ([be33414](be33414)), closes [#284](#284)
* add meeting scheduler, event-triggered meetings, and Go CLI lint fixes ([#407](#407)) ([5550fa1](5550fa1))
* wire MultiAgentCoordinator into runtime ([#396](#396)) ([7a9e516](7a9e516))

### Bug Fixes

* CLA signatures branch + declutter repo root ([#409](#409)) ([cabe953](cabe953))
* correct Release Please branch name in release workflow ([#410](#410)) ([515d816](515d816))
* replace slsa-github-generator with attest-build-provenance, fix DAST ([#424](#424)) ([eeaadff](eeaadff))
* resolve CodeQL path-injection alerts in Go CLI ([#412](#412)) ([f41bf16](f41bf16))

### Refactoring

* rename package from ai_company to synthorg ([#422](#422)) ([df27c6e](df27c6e)), closes [#398](#398)

### Tests

* add fuzz and property-based testing across all layers ([#421](#421)) ([115a742](115a742))

### CI/CD

* add SLSA L3 provenance for CLI binaries and container images ([#423](#423)) ([d3dc75d](d3dc75d))
* bump the major group with 4 updates ([#405](#405)) ([20c7a04](20c7a04))

### Maintenance

* bump github.com/spf13/cobra from 1.9.1 to 1.10.2 in /cli in the minor-and-patch group ([#402](#402)) ([e31edbb](e31edbb))
* narrow BSL Additional Use Grant and add CLA ([#408](#408)) ([5ab15bd](5ab15bd)), closes [#406](#406)

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

--------

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
## Summary

- `contributor-assistant/github-action` with signatures stored in-repo
- `docs/licensing.md` — full rationale page: why BSL over AGPL/MIT, what's permitted, 500-employee threshold reasoning, automatic Apache 2.0 conversion, CLA explanation, FAQ, and invitation for feedback

## What this does NOT change

- `BUSL-1.1`
- `BUSL-1.1`

## Test plan

- `grep` across entire repo)
- `actions/checkout` SHA matches v6 (consistent with all other workflows)
- `contributor-assistant/github-action` added to GitHub Actions allowlist

## Review coverage

Pre-reviewed by 3 agents (docs-consistency, infra-reviewer, issue-resolution-verifier). 5 findings addressed:

- `docs/licensing.md` entry
- `actions/checkout` v4 → v6 in cla.yml and release.yml
- `LC_TIME=C`) in release.yml date computation

Closes #406