Skip to content

governance: enforce DCO and document continuity checks#208

Open
TFT444 wants to merge 2 commits into
devfrom
governance/205-dco-continuity
Open

governance: enforce DCO and document continuity checks#208
TFT444 wants to merge 2 commits into
devfrom
governance/205-dco-continuity

Conversation

@TFT444

@TFT444 TFT444 commented Jul 16, 2026

Copy link
Copy Markdown
Collaborator

Summary

Implements the repository-controlled parts of #205.

  • adopts DCO 1.1 as the contribution authorization mechanism
  • adds a dependency-free PR check requiring a valid Signed-off-by trailer on every introduced commit
  • documents contributor sign-off and repair instructions
  • adds the DCO requirement to the pull request checklist
  • adds an owner-verifiable continuity capability matrix and six-month review process
  • adds regression tests for valid, missing, malformed, and mixed commit sign-offs

Validation

  • 3 DCO helper tests pass
  • this PR commit passes the new DCO checker
  • Ruff and formatting pass
  • workflow YAML parses successfully
  • git diff --check passes

Owner confirmation still required

Issue #205 must remain open until an organization owner privately verifies that at least two people can administer issues, merge approved work, publish/recover releases, and recover critical organization/deployment access. Documentation cannot prove that underlying access state.

Advances #205

Signed-off-by: Tanvir Farhad <tamimtarafder12@gmail.com>
@github-actions

Copy link
Copy Markdown

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

PackageVersionScoreDetails
actions/actions/checkout 34e114876b0b11c390a56381ad16ebd13914f8d5 🟢 7
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Maintained🟢 1020 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Binary-Artifacts🟢 10no binaries found in the repo
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Pinned-Dependencies🟢 3dependency not pinned by hash detected -- score normalized to 3
Packaging⚠️ -1packaging workflow not detected
Signed-Releases⚠️ -1no releases found
Security-Policy🟢 9security policy file detected
SAST🟢 10SAST tool is run on all commits
Branch-Protection🟢 6branch protection is not maximal on development and all release branches

Scanned Files

  • .github/workflows/dco.yml

@TFT444
TFT444 requested review from m-khan-97 and removed request for parthrohit22 and ritiksah141 July 16, 2026 15:45
@TFT444 TFT444 self-assigned this Jul 16, 2026

@m-khan-97 m-khan-97 left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The DCO tooling itself is clean — check_dco.py uses subprocess with list args (no shell injection), reads messages via git show --format=%B, and the regex requires a real name + bracketed email. Tests cover the happy path and malformed trailers. Good, small, well-scoped.

One blocking issue: the check will fail on merge commits.

commits_between() runs git rev-list --reverse BASE..HEAD with no --no-merges, so every commit in the PR range is checked — including merge commits. A git merge origin/dev merge commit has the default message ("Merge remote-tracking branch 'origin/dev'…") with no Signed-off-by, so it fails the check.

This isn't hypothetical: TFT444 merged dev into #161 twice during that PR's review cycle. With this workflow active, those merge commits would have hard-failed the DCO gate, blocking a legitimate PR through no fault of the author's own commits. The standard GitHub DCO app skips merge commits for exactly this reason.

Fix is one line — add --no-merges to the rev-list (and ideally a test asserting a merge commit is skipped). Alternatively, if the team wants to standardize on rebase-only (no merge commits in PRs), that's fine too, but then it should be documented in docs/dco.md so contributors know not to git merge dev.

Non-blocking: heads-up that this makes DCO a required check for everyone going forward — the team (and I, on #188) haven't been using git commit -s, so everyone will need to adopt it. Worth a Discord note when this lands. The docs/dco.md amend/rebase instructions are good for that.

Happy to approve once merge commits are handled.

commits_between() checked every commit in the PR range including merge
commits, which carry Git's own default message and no Signed-off-by
trailer since they aren't the author's own work. This would have
hard-failed the DCO gate on legitimate `git merge origin/dev` commits
(e.g. the two that landed in #161's review cycle) through no fault of
the contributor's own commits — GitHub's own DCO app skips merge
commits for the same reason.

Add --no-merges to the rev-list call and document the exemption in
docs/dco.md so contributors know only their own commits need signing.

Signed-off-by: Tanvir Farhad <tamimtarafder12@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants