From 46ed9a8b3c78f1083f51364c3b04b60162a26db3 Mon Sep 17 00:00:00 2001 From: Otto-AGPT Date: Fri, 6 Feb 2026 19:34:36 +0000 Subject: [PATCH] fix: address CodeRabbit review feedback - Add checks:read permission for Checks API fallback - Validate timing env vars (fail fast on NaN, warn on bad order) - Remove unused prNumber param from getClaStatus() --- .github/workflows/cla-label-sync.yml | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/.github/workflows/cla-label-sync.yml b/.github/workflows/cla-label-sync.yml index b8603eccd0..d262b5ad4b 100644 --- a/.github/workflows/cla-label-sync.yml +++ b/.github/workflows/cla-label-sync.yml @@ -24,6 +24,7 @@ permissions: pull-requests: write contents: read statuses: read + checks: read env: CLA_CHECK_NAME: 'license/cla' @@ -80,10 +81,19 @@ jobs: const CLOSE_WARNING_DAYS = parseInt(process.env.CLOSE_WARNING_DAYS); const CLOSE_DAYS = parseInt(process.env.CLOSE_DAYS); + // Validate timing configuration + if ([REMINDER_DAYS, CLOSE_WARNING_DAYS, CLOSE_DAYS].some(Number.isNaN)) { + core.setFailed('Invalid timing configuration — REMINDER_DAYS, CLOSE_WARNING_DAYS, and CLOSE_DAYS must be numeric.'); + return; + } + if (!(REMINDER_DAYS < CLOSE_WARNING_DAYS && CLOSE_WARNING_DAYS < CLOSE_DAYS)) { + core.warning(`Timing order looks odd: REMINDER(${REMINDER_DAYS}) < WARNING(${CLOSE_WARNING_DAYS}) < CLOSE(${CLOSE_DAYS}) expected.`); + } + const CLA_SIGN_URL = `https://cla-assistant.io/${context.repo.owner}/${context.repo.repo}`; - // Helper: Get CLA status for a PR - async function getClaStatus(prNumber, headSha) { + // Helper: Get CLA status for a commit + async function getClaStatus(headSha) { // CLA-assistant uses the commit status API (not checks API) const { data: statuses } = await github.rest.repos.getCombinedStatusForRef({ owner: context.repo.owner, 
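Review bot: The new `checks: read` scope in the workflow-level `permissions:` block has no visible consumer in this patch. The comment kept in `getClaStatus` still says CLA-assistant uses the commit status API (not checks API), and the only call shown is `getCombinedStatusForRef`. If the Checks API fallback exists further down that function, which is outside the hunks, document the scope inline, for example `checks: read  # Checks API fallback in getClaStatus`. If it does not, drop the scope so the token that also carries `pull-requests: write` stays at least privilege.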
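Review bot: The NaN guard added after the `parseInt` calls still accepts zero, negative and partially numeric values (`parseInt('7d')` is 7), and a wrong ordering only raises `core.warning` before the run continues. These values presumably gate the reminder and close actions later in the script, which lies outside this hunk, so a misconfigured `CLOSE_DAYS` could make the job act on PRs much earlier than intended. Consider rejecting non-positive values in the same guard, `.some((d) => !Number.isInteger(d) || d <= 0)`, and turning the ordering branch into `core.setFailed(...)` followed by `return;`. Passing a radix, `parseInt(process.env.CLOSE_DAYS, 10)`, would also keep a value such as `0x10` from being read as 16.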
@@ -202,7 +212,7 @@ jobs:
 continue;
 }
- const claStatus = await getClaStatus(prNumber, pr.head.sha);
+ const claStatus = await getClaStatus(pr.head.sha);
 const currentLabels = pr.labels.map(l => l.name);
 const hasPending = currentLabels.includes(LABEL_PENDING);
 const hasSigned = currentLabels.includes(LABEL_SIGNED);