The CLA checker doesn't handle multiline From:

[levitte]

It was discovered that the CLA checker "succeeded" falsely with openssl/openssl#23632

The CLA checker finds the author id by fetching the patch url (in this case, https://github.com/openssl/openssl/pull/23632.patch) and matching group one from From:.*<(.*)>.

This had me take a close look at the patch url, and found this:

$ curl -k -L -i https://github.com/openssl/openssl/pull/23632.patch
...
From: =?UTF-8?q?Viliam=20Lej=C4=8D=C3=ADk?=
 <34658965+lejcik@users.noreply.github.com>
...

That's a two-line From:, which our cla checker is not at all prepared for. And unfortunately, the logic in the CLA checker is that if a (one-line) From: line hasn't been found, the CLA checker will happily say that a CLA has been found.

This isn't enormously problematic, because a later run of addrev will discover that there is no CLA, and thereby fail to perform. However, this is a bit confusing.

[quarckster]

Do you think it makes sense to parse the webhook payload and get commit data from it?

[levitte]

Do you think it makes sense to parse the webhook payload and get commit data from it?

It does parse the webhook payload to find the patch URL. However, the CLA checker must look at the contents of the patch URL for the following reasons:

• The patch URL may contain more than one patch (one for each commit in the PR)
• Each patch may have a different author, and they must all be checked against the CLA DB
• The patches have the git author ID (as a From: field), which is what we match against the CLA DB. The webhook payload doesn't have this information.