Skip to content
/ app Public

GitHub App that enforces the Developer Certificate of Origin (DCO) on Pull Requests

License

Notifications You must be signed in to change notification settings

dcoapp/app

Repository files navigation

Probot: DCO

a GitHub Integration built with probot that enforces the Developer Certificate of Origin (DCO) on Pull Requests. It requires all commit messages to contain the Signed-off-by line with an email address that matches the commit author.

Usage

Configure the integration for your organization or repositories. Enable required status checks if you want to enforce the DCO on all commits.

See docs/deploy.md if you would like to run your own instance of this plugin.

Modes of operations

Default

By default, Probot DCO enforces the presence of valid DCO signoffs on all commits (excluding bots and merges). If a PRs contains commits that lack a valid Signed-off-by line, they are blocked until a correctly signed-off revision of the commit is pushed. This closely mirrors the upstream Linux kernel process.

Individual remediation commit support

Optionally, a project can allow individual remediation commit support, where the failing commit's author can push an additional properly signed-off commit with additional text in the commit log that indicates they apply their signoff retroactively.

To enable this, place the following configuration file in .github/dco.yml on the default branch:

allowRemediationCommits:
  individual: true

Third-party remediation support

Additionally, a project can allow third-parties to sign off on an author's behalf by pushing an additional properly signed-off commit with additional text in the commit log that indicates they sign off on behalf of the author. Third-party remediation requires individual remediation to be enabled.

To enable this, place the following configuration file in .github/dco.yml on the default branch:

allowRemediationCommits:
  individual: true
  thirdParty: true

Skipping sign-off for organization members

It is possible to disable the check for commits authored and signed by members of the organization the repository belongs to. To do this, place the following configuration file in .github/dco.yml on the default branch:

require:
  members: false

When this setting is present on a repository that belongs to a GitHub user (instead of an organization), only the repository owner is allowed to push commits without sign-off.

How it works

The Developer Certificate of Origin (DCO) is a lightweight way for contributors to certify that they wrote or otherwise have the right to submit the code they are contributing to the project. Here is the full text of the DCO, reformatted for readability:

By making a contribution to this project, I certify that:

a. The contribution was created in whole or in part by me and I have the right to submit it under the open source license indicated in the file; or

b. The contribution is based upon previous work that, to the best of my knowledge, is covered under an appropriate open source license and I have the right under that license to submit that work with modifications, whether created in whole or in part by me, under the same open source license (unless I am permitted to submit under a different license), as indicated in the file; or

c. The contribution was provided directly to me by some other person who certified (a), (b) or (c) and I have not modified it.

d. I understand and agree that this project and the contribution are public and that a record of the contribution (including all personal information I submit with it, including my sign-off) is maintained indefinitely and may be redistributed consistent with this project or the open source license(s) involved.

Contributors sign-off that they adhere to these requirements by adding a Signed-off-by line to commit messages.

This is my commit message

Signed-off-by: Random J Developer <random@developer.example.org>

Git even has a -s command line option to append this automatically to your commit message:

$ git commit -s -m 'This is my commit message'

Once installed, this integration will create a check indicating whether or not commits in a Pull Request do not contain a valid Signed-off-by line.

DCO success DCO failure

Additionally, the DCO creates an override button accessible to only those with write access to the repository to create a successful check.

DCO button

Further Reading

If you want to learn more about the DCO and why it might be necessary, here are some good resources: