[Question] How to handle deleted / edited comments?

Open vHanda opened this issue 4 years ago • 11 comments

Hi. From what I understand this bot will make a commit adding a json file with the following info -

{
  "name": "ibakshay",
  "id": 2423423,
  "comment_id": 534534,
  "repoId": 5433,
  "pullRequestNo": 656,
  "createdAt": "2021-01-22T11:13:02Z"
}

How does this handle the case if the comment is later deleted by the user or edited and the older version is deleted?

vHanda avatar Jan 22 '21 11:01 vHanda

Hi @vHanda, thank you for reaching out to us. Are you asking about the signature comment from the contributor?

ibakshay avatar Jan 24 '21 17:01 ibakshay

Hi @ibakshay. Yes. I'm not sure how this works if the signature comment is deleted or edited.

vHanda avatar Jan 24 '21 18:01 vHanda

It is a very good question. Unfortunately, this bot doesn't handle this use case yet. So, the CLA GitHub Action workflow won't be triggered if the signature comment from the contributor is deleted or edited. One thing a project admin can do is to directly check on the GitHub UI or with the GitHub API if the signature comment is edited. However, that is not possible if the contributor deletes the signature comment. That is not a good sign.

If you have any ideas/thoughts on handling this edge case then feel free to pitch in :)

ibakshay avatar Jan 24 '21 18:01 ibakshay
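
Added example, not part of the thread or the project's code: one way an admin could run the GitHub API check mentioned in the comment above against a stored signature record. The function names, the signing phrase and the sample comments are constructed; the endpoint is GitHub's REST issue-comment endpoint, and treating `updated_at != created_at` as "edited" is an assumption.

```python
import json
import urllib.error
import urllib.request

def fetch_comment(owner, repo, comment_id, token=None):
    """Fetch an issue comment via the GitHub REST API.
    Returns None on 404 (deleted, or not visible to this token)."""
    url = f"https://api.github.com/repos/{owner}/{repo}/issues/comments/{comment_id}"
    req = urllib.request.Request(url, headers={"Accept": "application/vnd.github+json"})
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise

def audit_signature(record, comment, phrase):
    """Return a list of findings for one stored signature record."""
    if comment is None:
        return ["deleted"]
    findings = []
    if comment["user"]["id"] != record["id"]:
        findings.append("author-mismatch")
    # Assumption: an edit moves updated_at away from created_at.
    if comment["updated_at"] != comment["created_at"]:
        findings.append("edited")
    if phrase.lower() not in comment["body"].lower():
        findings.append("phrase-missing")
    return findings

# Record as shown in the issue; the comments and phrase below are constructed.
RECORD = {"name": "ibakshay", "id": 2423423, "comment_id": 534534,
          "repoId": 5433, "pullRequestNo": 656, "createdAt": "2021-01-22T11:13:02Z"}
PHRASE = "I hereby sign the CLA"  # constructed signing phrase
INTACT = {"id": 534534, "user": {"login": "ibakshay", "id": 2423423},
          "body": "I hereby sign the CLA",
          "created_at": "2021-01-22T11:13:02Z", "updated_at": "2021-01-22T11:13:02Z"}
EDITED = dict(INTACT, body="nevermind", updated_at="2021-02-01T09:00:00Z")

if __name__ == "__main__":
    for label, comment in [("intact", INTACT), ("edited", EDITED), ("deleted", None)]:
        print(label, audit_signature(RECORD, comment, PHRASE))
```

A "deleted" finding only shows that the comment is no longer retrievable; the original text of the comment cannot be recovered this way.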

Do you know how the normal cla-assistant handles this case?

--

One way to solve it could be to require the user to also post the digital signature (using pgp) in the comment. And requiring the user to have their public key on a pgp key-exchange server. Or maybe use something like keybase.

What worries me about all these solutions is that I don't know what is or isn't legally acceptable. Especially in different countries.

vHanda avatar Jan 24 '21 18:01 vHanda

> Do you know how the normal cla-assistant handles this case?

In the normal CLA instance, the contributors will be navigated to a separate web page and contributors will sign with the click of a button.

> One way to solve it could be to require the user to also post the digital signature (using pgp) in the comment. And requiring the user to have their public key on a pgp key-exchange server. Or maybe use something like keybase.

Sounds interesting to me. I will dig deeper into this topic to get further insights. The main idea of CLA assistant lite is to reduce the complexity and to keep things as simple as possible. So, we need to make sure it doesn't get complex.

Also, I forgot to mention before. This CLA assistant lite bot will also automatically, by default, lock the pull request conversation soon after a pull request is merged.

So, the contributor won't be able to edit/delete the signature comments.

I think this feature answers your question to some extent.

ibakshay avatar Jan 26 '21 16:01 ibakshay