Deek Roumy
The Hidden CLA Trap: Why Your Open Source PR Gets Silently Closed (And How to Check Before You Waste Hours)

You spend three hours reading through a codebase. You find the bug, understand the pattern, write the fix, test it, craft a clean commit message. You open the PR. You wait.

Then a bot closes it. No explanation. Just closed.

That's the CLA trap. And it happens to developers at every level, constantly, silently.

What Is a CLA?

A Contributor License Agreement (CLA) is a legal document that a contributor must sign before their code can be accepted into a project. By signing, you grant the project (or company behind it) the right to use, modify, and redistribute your contribution.

Companies require CLAs for legitimate reasons:

  • Legal protection — They need to know they have rights to merge your code without IP complications later
  • License compatibility — Ensures they can relicense the project if needed (common in dual-license models)
  • Enterprise safety — Large companies (Microsoft, Google) need clean provenance on every line of code

CLAs are especially common in corporate-backed open source projects: the code is public, but a company owns it and maintains commercial products on top.

How PRs Get Silently Closed

Here's the painful part: most CLA-protected repos use automated bots (cla-assistant, a CLA GitHub Action, or custom automation; DCO checkers behave the same way when a sign-off is missing). The flow looks like this:

  1. You open a PR
  2. A bot comments, or sets a failing status check: "Please sign the CLA before we can review this"
  3. If you don't sign within a few days, or never see the bot comment, the PR auto-closes or sits unreviewed behind a red check
  4. Sometimes there's no comment at all. Just closed.

The "silently closed" scenario is more common than you'd think. If you're watching many repos, you miss the bot comment. Or the project's CLA link is broken. Or the bot closes it with a generic message that doesn't explain why.

The result: hours of work, nothing to show for it, and no idea what went wrong.

The 5-Second Check BEFORE You Write Code

This is the check that saves you. Do it before cloning, before reading the issue, before writing a single line.

1. Check the CONTRIBUTING.md:

# The default branch may be main or master; -f keeps a 404 page out of the grep.
# Some projects keep the file under .github/ or docs/ instead of the root.
for b in main master; do curl -sf "https://raw.githubusercontent.com/OWNER/REPO/$b/CONTRIBUTING.md" && break; done | grep -iE "CLA|contributor license|sign-?off|DCO"

2. Check for a CLA file in the repo root:

# Look for CLA.md, CLA.txt, CONTRIBUTOR_LICENSE_AGREEMENT, .clabot, etc.
# Grep the file names, not the raw JSON, or you will match unrelated fields.
curl -s https://api.github.com/repos/OWNER/REPO/contents | jq -r '.[].name' | grep -iE '^(cla(\.|$)|\.clabot|contributor[_-]?license)'

3. Check for CLA bot config:
Bots such as cla-assistant usually run from a workflow under .github/workflows/ (look for a file named cla.yml or similar); older bots keep a config file in the repo root (for example .clabot). Either one means the check runs on every PR.

4. Search issues and pull requests:
On GitHub, search the repo's PRs for "CLA" or "contributor license". If a CLA is enforced, bot comments show up in the first results.

5. Skim recent closed PRs:
Filter PRs by "closed" and read why they were closed. Bot messages about a CLA on the first page of results mean it is required.

Total time: a few seconds for the first two steps, a minute for all five. Skip it and you might lose hours.
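The five steps above, as one script. This is an added example written for this page, not code from the post or from any of the projects mentioned: it pulls CONTRIBUTING.md, the root file listing, the workflow file names and the most recent issue and PR comments from the public GitHub REST API, then looks for the same CLA and DCO signals the manual checks look for. The keyword lists, the file-name patterns and the verdict rule (any CLA signal wins over a DCO signal) are my assumptions, so treat the output as a pointer to what to read, not as a legal determination.

```python
"""Pre-flight CLA/DCO probe for a GitHub repository (added example, not from the post).

classify() works on text the caller already has, so it can be tested offline;
check_repo() feeds it live data from the public GitHub REST API (unauthenticated
calls are rate-limited to 60/hour; set GITHUB_TOKEN for more).
"""
import json
import os
import re
import sys
import urllib.error
import urllib.request

API = "https://api.github.com"

# Phrases that indicate a separate legal agreement is enforced (assumed list).
CLA_RE = re.compile(
    r"\b(?:CLA|ICLA|CCLA|ECA|contributor license agreement|"
    r"eclipse contributor agreement|cla-assistant)\b", re.I)
# Phrases that indicate only a commit sign-off (DCO) is expected (assumed list).
DCO_RE = re.compile(
    r"(?:\bDCO\b|developer certificate of origin|signed-off-by|commit -s\b|--signoff\b)", re.I)
# Root file names that usually carry a CLA: CLA.md, CLA.txt, CONTRIBUTOR_LICENSE_AGREEMENT, .clabot
CLA_FILE_RE = re.compile(r"^(?:\.clabot|cla\b|contributor[_-]?license)", re.I)


def classify(contributing_text="", root_files=(), workflow_files=(), comments=()):
    """Return (verdict, evidence): verdict is 'cla', 'dco' or 'unknown'."""
    cla, dco = [], []
    for name in root_files:
        if CLA_FILE_RE.match(name):
            cla.append(f"file in repo root: {name}")
    for name in workflow_files:
        low = name.lower()
        if re.search(r"(?<![a-z])cla(?![a-z])", low):   # cla.yml, cla-check.yml, not clang.yml
            cla.append(f"workflow: {name}")
        if "dco" in low:
            dco.append(f"workflow: {name}")
    if (m := CLA_RE.search(contributing_text)):
        cla.append(f"CONTRIBUTING mentions {m.group(0)!r}")
    if (m := DCO_RE.search(contributing_text)):
        dco.append(f"CONTRIBUTING mentions {m.group(0)!r}")
    # Bot comments asking for a CLA are the strongest sign that it is enforced.
    hits = [c for c in comments if CLA_RE.search(c.get("body") or "")]
    if hits:
        who = (hits[0].get("user") or {}).get("login", "?")
        cla.append(f"{len(hits)} recent comment(s) mention a CLA (e.g. by {who})")
    if cla:
        return "cla", cla + dco
    if dco:
        return "dco", dco
    return "unknown", []


def _get(path, raw=False):
    """GET one API path; raw=True asks for file content instead of JSON. 404 -> empty."""
    headers = {"Accept": "application/vnd.github.raw" if raw else "application/vnd.github+json",
               "User-Agent": "cla-preflight"}
    if (tok := os.environ.get("GITHUB_TOKEN")):
        headers["Authorization"] = f"Bearer {tok}"
    req = urllib.request.Request(API + path, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=20) as resp:
            data = resp.read().decode()
    except urllib.error.HTTPError as e:
        if e.code == 404:
            return "" if raw else []
        raise
    return data if raw else json.loads(data)


def check_repo(owner, repo):
    base = f"/repos/{owner}/{repo}"
    text = ""
    for p in ("CONTRIBUTING.md", ".github/CONTRIBUTING.md", "docs/CONTRIBUTING.md"):
        text = _get(f"{base}/contents/{p}", raw=True)
        if text:
            break
    root = [e["name"] for e in _get(f"{base}/contents")]
    workflows = [e["name"] for e in _get(f"{base}/contents/.github/workflows")]
    comments = _get(f"{base}/issues/comments?sort=created&direction=desc&per_page=100")
    return classify(text, root, workflows, comments)


if __name__ == "__main__":
    owner, repo = sys.argv[1].split("/", 1)          # usage: python cla_preflight.py OWNER/REPO
    verdict, evidence = check_repo(owner, repo)
    print(f"{owner}/{repo}: {verdict.upper()}")
    for line in evidence:
        print("  -", line)
```

Run it as `python cla_preflight.py OWNER/REPO` before cloning. A `CLA` verdict with a bot login in the evidence is the case the post warns about; an `UNKNOWN` verdict only means none of these signals were present, so still read CONTRIBUTING.md once before picking up an issue.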

Major Repos That Require CLA

These are repos where CLA is mandatory before any contribution is accepted:

Microsoft projects:

  • VS Code
  • TypeScript
  • .NET Runtime
  • Azure SDKs

Google projects:

  • Angular
  • TensorFlow
  • Go (Golang)
  • Flutter

Other major ones:

  • asyncapi/spec — Uses CLA Assistant. Sign at cla-assistant.io
  • forgecode and other emerging AI coding tools
  • Apache projects — ICLA required of committers and requested from regular contributors; one-off patches are usually accepted under the Apache License's own contribution clause (section 5)
  • Eclipse Foundation projects — ECA (Eclipse Contributor Agreement)
  • Facebook/Meta — Custom CLA for React, Relay, etc.

The common thread: If a major company or foundation is behind the project, assume CLA until proven otherwise.

Repos That DON'T Require a CLA (Contribute Freely)

These projects use the DCO (Developer Certificate of Origin) instead: a Signed-off-by line in each commit message (git commit -s) certifying that you have the right to submit the code, not a separate legal agreement you sign once. There is still a bot, though. A DCO checker fails the PR if any commit in it lacks the sign-off, or if the sign-off does not match the commit author, so add -s from the very first commit.

  • Linux Kernel — DCO only (git commit -s); patches go to the mailing lists, not GitHub PRs
  • GitLab — DCO
  • Most indie/community projects — No CLA, often no DCO either
  • Projects on Codeberg or self-hosted Forgejo — Usually CLA-free, but still read CONTRIBUTING.md

Good hunting grounds for CLA-free contributions:

  • Look for repos with DCO in CONTRIBUTING.md
  • Pure community projects without corporate backing
  • Projects using AGPL or GPL license (less common to have CLAs)
  • Repos where maintainers are individuals, not companies
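A DCO project does not need a signed agreement, but its checker rejects a PR over a missing or mismatched sign-off just as silently as a CLA bot closes one. The following pre-push check is an added example written for this page, not code from the post or from any DCO bot: it reads the commits you are about to push and reports every one a DCO check would fail, using the rule that the Signed-off-by e-mail must match the commit author. The matching rule and the NUL-separated git log format are my assumptions; the check relies on git being on PATH when run against a real checkout.

```python
"""DCO pre-push check (added example, not from the post or any project).

check_signoffs() works on plain commit records so it can run offline;
from_git() builds those records for a revision range with 'git log'.
"""
import re
import subprocess

TRAILER_RE = re.compile(r"^Signed-off-by:\s*(.+?)\s*<([^>]+)>\s*$", re.M)


def check_signoffs(commits):
    """commits: iterable of dicts with 'sha', 'author_name', 'author_email', 'message'.
    Returns a list of (sha, reason) for every commit a DCO bot would reject."""
    problems = []
    for c in commits:
        trailers = TRAILER_RE.findall(c["message"])
        if not trailers:
            problems.append((c["sha"], "no Signed-off-by trailer (use git commit -s)"))
            continue
        # Assumed rule: at least one sign-off e-mail must equal the author e-mail (case-insensitive).
        if not any(email.lower() == c["author_email"].lower() for _, email in trailers):
            problems.append((c["sha"], f"sign-off does not match author <{c['author_email']}>"))
    return problems


def add_signoff(message, name, email):
    """Append the trailer that git commit -s would add, unless it is already present."""
    line = f"Signed-off-by: {name} <{email}>"
    if line in message:
        return message
    return message.rstrip("\n") + "\n\n" + line + "\n"


def from_git(rev_range="@{upstream}..HEAD"):
    """Read the commits in rev_range from the local checkout. NUL separates fields and
    0x1e separates commits, so multi-line messages survive the parse."""
    fmt = "%H%x00%an%x00%ae%x00%B%x1e"
    out = subprocess.run(["git", "log", f"--format={fmt}", rev_range],
                         check=True, capture_output=True, text=True).stdout
    commits = []
    for rec in out.split("\x1e"):
        if not rec.strip():
            continue
        sha, name, email, msg = rec.lstrip("\n").split("\x00", 3)
        commits.append({"sha": sha, "author_name": name, "author_email": email, "message": msg})
    return commits


if __name__ == "__main__":
    import sys
    problems = check_signoffs(from_git(*sys.argv[1:2]))   # optional arg: revision range
    for sha, reason in problems:
        print(f"{sha[:12]}  {reason}")
    sys.exit(1 if problems else 0)
```

Run it as `python dco_check.py` from the branch you are about to push (or pass a range such as `origin/main..HEAD`); a non-zero exit means `git rebase -i` with `--signoff` before opening the PR. Wire it into a pre-push hook and the sign-off stops being something you remember.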

Bounty platforms like Opire and Algora list repos — check the CONTRIBUTING.md before picking up any issue.

Full Pre-Flight Checklist Before Any Open Source Contribution

Save this. Run through it before touching any new repo:

Legal check (30 seconds):

  • [ ] Does CONTRIBUTING.md mention CLA?
  • [ ] Is there a CLA file in the root?
  • [ ] Search issues for "CLA" — any bot comments on closed PRs?
  • [ ] Is this a corporate-backed project? If yes, assume CLA until proven otherwise.

Process check (2 minutes):

  • [ ] Is the issue still open?
  • [ ] Is there an existing PR already addressing this?
  • [ ] Does the project require issue assignment before PR? (Expensify does — learned this the hard way)
  • [ ] Is the maintainer active? (Check: merged PR in the last 30 days)

Scope check (5 minutes):

  • [ ] Read CONTRIBUTING.md fully — any style requirements? Test requirements?
  • [ ] Is the fix in scope, or is this a "won't fix" type of change?
  • [ ] Any open discussions about this exact issue in comments?

If CLA is required:

  • [ ] Sign it FIRST, before writing any code
  • [ ] Confirm the signature went through (most use cla-assistant.io — check your account)
  • [ ] Some CLAs require corporate approval if you're employed — check your employer's OSS policy

The Real Lesson

The CLA trap is frustrating because it's invisible until it hits you. The bot closes your PR with no empathy, no acknowledgment of the work you did. It's just process, cold and automated.

But once you know the pattern, it's easy to route around. The 5-second check becomes muscle memory. You'll stop picking up bounties on repos with CLAs you haven't signed. You'll stop contributing to projects where the process overhead isn't worth the effort.

Open source contribution is still worth it — for the learning, the visibility, and yes, the occasional bounty payout. Just don't let a legal formality waste your afternoon without warning.

Check first. Always.


I'm building an AI agent that hunts GitHub bounties autonomously. Follow along as I document everything — the wins, the failed PRs, and the lessons learned the hard way.
