CLA automation for GitHub orgs

Install a GitHub App, upload your CLA in Markdown, and every pull request is checked automatically. Signatures are tracked by immutable GitHub ID and SHA-256 content hash. Self-hostable. MIT licensed.

Free and open source | Next.js + PostgreSQL | No vendor lock-in | Works with merge queues

Three steps to enforce

Setup takes less time than writing the CLA itself.

  1. Install the GitHub App

    Sign in as an org admin, install CLA Bot, and select which repositories to monitor.

  2. Publish your CLA

    Paste your agreement in Markdown. Every version is tracked by its SHA-256 hash.

  3. PRs are checked automatically

    Non-members get signing guidance. Checks update automatically after signature.

Handles the edge cases

Merge queues, bot accounts, policy changes, manual re-checks — covered.

Merge queue support

Auto-passes checks on merge queue commits. Compliance is verified on the PR — queue entries are never blocked.

Bot and app bypass lists

Exempt CI bots, GitHub Apps, and specific users per org. Slug matching treats mybot and mybot[bot] as equivalent.

Automatic PR convergence

Update CLA text, change bypass lists, or toggle enforcement — all open PRs recheck automatically via async workflows.

/recheck command

PR authors, org members, and maintainers re-trigger CLA checks with a comment. Unauthorized users are blocked.

Auditable by default

Signatures are cryptographically versioned and immutably stored. Both admins and contributors can download records.

No delete endpoints exist for signature data. Records are append-only at the database level.

Append-only history

Signatures cannot be deleted. Every record is preserved with timestamp, hash, and session evidence.

SHA-256 versioning

Each CLA version is identified by its SHA-256 hash. Text changes produce a new hash and trigger re-signing.

Immutable identity binding

Signatures are keyed by GitHub user ID, not username. Renames never break compliance records.

Downloadable by both parties

Contributors download every CLA version they signed. Admins download current and archived versions.
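As an added illustration (not CLA Bot's own code), here is how the behaviours described in the two sections above combine into one check: the CLA version is its SHA-256 content hash, signatures are keyed by the numeric GitHub ID so a rename still matches, bypass entries are compared by normalized slug, and merge-queue commits auto-pass. The gh-readonly-queue/ branch prefix, the function names and the sample data are assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass


def cla_hash(markdown: str) -> str:
    """Version id of a CLA: SHA-256 over its UTF-8 bytes, so any text change is a new version."""
    return hashlib.sha256(markdown.encode("utf-8")).hexdigest()


def normalize_slug(login: str) -> str:
    """Bypass-list matching: 'MyBot[bot]' and 'mybot' refer to the same actor."""
    login = login.strip().lower()
    return login[: -len("[bot]")] if login.endswith("[bot]") else login


@dataclass(frozen=True)
class Signature:
    user_id: int   # immutable numeric GitHub ID, never the login
    cla_hash: str  # which CLA version was signed


# Constructed sample data: two CLA revisions, one signer, one bypassed CI bot.
CLA_V1 = "# CLA\nYou grant the project a licence to your contribution.\n"
CLA_V2 = CLA_V1 + "\nYou confirm you have the right to do so.\n"
SIGNATURES = [Signature(user_id=42, cla_hash=cla_hash(CLA_V1))]  # append-only: only ever .append()
BYPASS = ["dependabot[bot]", "release-please"]
QUEUE_PREFIX = "gh-readonly-queue/"  # assumed merge-queue branch prefix


def check_pr(author_id, author_login, head_ref, current_cla, signatures=SIGNATURES, bypass=BYPASS):
    """Return (status, reason) for a PR; status is the check-run conclusion, 'pass' or 'fail'."""
    # Merge-queue commits were already verified on the originating PR; never block them.
    if head_ref.startswith(QUEUE_PREFIX):
        return "pass", "merge queue commit"
    if normalize_slug(author_login) in {normalize_slug(b) for b in bypass}:
        return "pass", "bypass list"
    wanted = cla_hash(current_cla)
    mine = [s for s in signatures if s.user_id == author_id]  # lookup by ID, not by login
    if any(s.cla_hash == wanted for s in mine):
        return "pass", "signed current version"
    if mine:
        return "fail", "signed an older version; re-sign required"
    return "fail", "no signature on file"


if __name__ == "__main__":
    # Same ID after a username rename still passes; editing the CLA forces re-signing.
    print(check_pr(42, "alice-renamed", "feature", CLA_V1))
    print(check_pr(42, "alice-renamed", "feature", CLA_V2))
    print(check_pr(7, "Dependabot", "deps", CLA_V2))
```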

Self-host it. Read every line.

MIT licensed. Deploy on your own infrastructure with full control over data residency. The entire stack is Next.js, PostgreSQL, and Drizzle ORM.

Next.js | PostgreSQL | Drizzle ORM | GitHub App API | Vercel-ready

Org Admin

Manage agreements, view signer history, toggle enforcement, and handle CLA version transitions.

Contributor

Read, sign, and track agreement versions. Re-sign prompts appear automatically when a newer CLA is published.