clockworklabs · clockwork-labs-bot · Jun 4, 2026 · Jun 4, 2026 · Jun 4, 2026 · Jun 4, 2026
@@ -0,0 +1,50 @@
+name: Retry CLA Assistant
+
+# CLA Assistant publishes `license/cla` as a commit status, not a check run.
+# If its webhook handler misses a PR update, GitHub branch protection can wait
+# forever even after every real CI check has passed. This workflow nudges CLA
+# Assistant only when that status is the sole remaining non-green signal.
+#
+# SECURITY: This workflow uses pull_request_target so it can inspect PR status
+# for forks. It checks out trusted default-branch code only; it must never check
+# out, build, or execute code from the PR head.
+
+on:
+  pull_request_target:
+    types: [opened, reopened, synchronize, ready_for_review]
+  workflow_run:
+    types: [completed]
+  schedule:
+    - cron: "7,22,37,52 * * * *"
+  workflow_dispatch:
+    inputs:
+      pr_number:
+        description: "Pull request number to check"
+        required: true
+        type: number
+
+permissions:
+  actions: read
+  checks: read
+  contents: read
+  pull-requests: read
+  statuses: read
+
+jobs:
+  retry-cla:
+    name: Retry CLA Assistant if it is the only blocker
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out trusted base code
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.repository.default_branch }}
+
+      - uses: dsherret/rust-toolchain-file@v1
+
+      - name: Recheck CLA Assistant
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          INPUT_PR_NUMBER: ${{ inputs.pr_number }}
+        run: cargo ci retry-cla-assistant
diff --git a/Cargo.lock b/Cargo.lock
@@ -9,7 +9,8 @@ anyhow.workspace = true
 chrono = { workspace = true, features=["clock"] }
 clap.workspace = true
 regex.workspace = true
-reqwest = { workspace = true, features = ["blocking"] }
+reqwest = { workspace = true, features = ["blocking", "json"] }
+serde.workspace = true
 serde_json.workspace = true
 duct.workspace = true
 tempfile.workspace = true

@@ -14,6 +14,7 @@ const README_PATH: &str = "tools/ci/README.md";
 
 mod ci_docs;
 mod keynote_bench;
+mod retry_cla_assistant;
 mod smoketest;
 mod util;
 
@@ -367,6 +368,8 @@ enum CiCmd {
     VersionUpgradeCheck,
     /// Builds the docs site.
     Docs,
+    /// Retries CLA Assistant if `license/cla` is the only remaining PR blocker.
+    RetryClaAssistant(retry_cla_assistant::RetryClaAssistantArgs),
 }
 
 fn run_all_clap_subcommands(skips: &[String]) -> Result<()> {
@@ -772,6 +775,10 @@ fn main() -> Result<()> {
             run_docs_build()?;
         }
 
+        Some(CiCmd::RetryClaAssistant(args)) => {
+            retry_cla_assistant::run(args)?;
+        }
+
         None => run_all_clap_subcommands(&cli.skip)?,
     }