From f9e9081af3b486f00f12fb01de1da7a3a1b00ee1 Mon Sep 17 00:00:00 2001
From: Alyx Holms
Date: Tue, 10 Mar 2026 14:52:22 -0700
Subject: [PATCH 1/2] chore: re-enable CLA signing for external contributors
---
 .github/workflows/cla.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml
index 8b9d8e3..ad235b2 100644
--- a/.github/workflows/cla.yml
+++ b/.github/workflows/cla.yml
@@ -2,8 +2,8 @@ name: "CLA Assistant"
 on:
 issue_comment:
 types: [created, edited]
- pull_request:
- types: [opened,closed,synchronize]
+ pull_request_target:
+ types: [opened, closed, synchronize]
 jobs:
 CLAssistant:
@@ -31,7 +31,7 @@ jobs:
 echo "::add-mask::$ALL_MEMBERS"
 echo "org_members=$ALL_MEMBERS" >> $GITHUB_OUTPUT
-
+
 - name: "CLA Assistant"
 if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request'
 uses: contributor-assistant/github-action@v2.2.1
From 1592a2b28f0ac287d2f15beb529d4c49345cadeb Mon Sep 17 00:00:00 2001
From: Alyx Holms
Date: Tue, 10 Mar 2026 15:05:00 -0700
Subject: [PATCH 2/2] chore: re-enable CLA signing for external contributors
---
 .github/workflows/cla.yml | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml
index ad235b2..2c49216 100644
--- a/.github/workflows/cla.yml
+++ b/.github/workflows/cla.yml
@@ -5,6 +5,13 @@ on:
 pull_request_target:
 types: [opened, closed, synchronize]
+# Recommended permissions scoping for CLA Assistant
+permissions:
+ contents: read
+ actions: write
+ pull-requests: write
+ statuses: write
+
 jobs:
 CLAssistant:
 runs-on: ubuntu-latest
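Review bot: The switch to `pull_request_target` in the first hunk of PATCH 1/2 should carry a comment stating the trust boundary, because from this change on the job runs for fork pull requests with the base repository's secrets in scope. Nothing visible in the patch checks out or executes pull-request head code, but the steps before the "CLA Assistant" step lie outside the hunks, so that should be confirmed against the full file. I would add above the trigger: `# pull_request_target runs with base-repo secrets for fork PRs; never check out or run PR head code in this workflow`.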
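Review bot: The comment on the new `permissions:` block in PATCH 2/2 should say that the block limits only `GITHUB_TOKEN`. The `REPO_SCOPE` personal access token handed to the action in the following hunk is not narrowed by it, and it is the broader credential in this `pull_request_target` job. I would extend the comment to `# Scopes GITHUB_TOKEN only; the REPO_SCOPE PAT passed to the action is not limited by this block`. `contents: read` is presumably sufficient only if signatures are stored outside this repository via the PAT; if they are committed here the action would likely need `contents: write`, so the comment should state which storage mode applies.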
@@ -33,8 +40,8 @@ jobs:
 echo "org_members=$ALL_MEMBERS" >> $GITHUB_OUTPUT
 - name: "CLA Assistant"
- if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request'
- uses: contributor-assistant/github-action@v2.2.1
+ if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
+ uses: contributor-assistant/github-action@v2.6.1
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 PERSONAL_ACCESS_TOKEN: ${{ secrets.REPO_SCOPE }}
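Review bot: `uses: contributor-assistant/github-action@v2.6.1` references a mutable tag in a step that receives both `GITHUB_TOKEN` and the `REPO_SCOPE` PAT and now runs on `pull_request_target`, so a retagged or compromised upstream release would execute with those credentials. Pin the action to the release's commit instead, e.g. `uses: contributor-assistant/github-action@<full-commit-sha> # v2.6.1` (placeholder; take the SHA from the upstream v2.6.1 release). The step's remaining keys continue outside the hunk.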