Dependabot is automatically generating a PR to update vulnerable dependencies, but of course the CNCF CLA is required, and Dependabot (being a bot) has no ability to sign.
Any thoughts about the right approach here? (For this specific one I'm going to clone the PR myself, but in general it's an interesting issue.)