DCO2 is a GitHub App that enforces the Developer Certificate of Origin (DCO) on Pull Requests.
It aims to be a drop-in replacement for dcoapp/app.
Warning
This application is still in beta state. We expect it to be working mostly fine, but it has not been battle tested yet, so it is likely that there are some bugs to be found. If you notice anything that does not work as expected, please report it by creating a new issue in this repository.
To start using the DCO2 application, you need to configure the application for your organization or repositories. To enforce the DCO check, you can enable required status checks in your branch protection settings.
The Developer Certificate of Origin (DCO) is a lightweight way for contributors to certify that they wrote or otherwise have the right to submit the code they are contributing to the project.
Contributors sign-off that they adhere to these requirements by adding a Signed-off-by line to commit messages.
Commit message
Signed-off-by: User1 <user1@email.test>
Git includes a -s command line option to append this line automatically to your commit message (provided you have configured your user.name and user.email in your git configuration):
git commit -s -m 'Commit message'
Once installed, this application will create a check indicating whether or not all commits in a Pull Request contain a valid Signed-off-by line.
More information about the check result is available on the check details page. This information includes a full list of the commits checked (including the reason why each of them passed or failed the check), some additional details about each error found and some instructions on how to fix them.
(check passed details)
(check failed details)
Remediation commits allow applying a sign-off retroactively to one or more commits that failed the DCO check.
The primary benefit of using remediation commits to fix missing or invalid sign-offs, is that the repository's history does not change, and there is no risk of breaking someone else's work.
Remediation commits can be individual or third-party, and they must be properly signed off.
By default, both are disabled, but they can be enabled in the configuration file (.github/dco.yml):
allowRemediationCommits:
individual: true
thirdParty: trueNote
The DCO2 configuration file is backwards compatible with the dcoapp/app configuration file. Note that third-party remediation requires individual remediation to be enabled in the configuration as well.
Individual remediation commits must be authored by the same person who authored the failing commit.
An individual remediation commit to add a sign-off to two commits created by User1 would look like this:
DCO remediation commit for User1 <user1@email.test>
I, User1 <user1@email.test>, hereby add my Signed-off-by to this commit: <COMMIT1_SHA>
I, User1 <user1@email.test>, hereby add my Signed-off-by to this commit: <COMMIT2_SHA>
Signed-off-by: User1 <user1@email.test>
Third-party remediation commits must be authored by an authorized individual on behalf of the failing commit's author.
Important
If you are about to add a third-party DCO remediation commit under DCO section (b) or (c), be sure you are authorized by your employer to take this action. Generally speaking, maintainers and other project contributors cannot sign off on behalf of project contributors, unless there is some relationship which permits this action. It is your responsibility to verify this.
A third-party remediation commit to add a sign-off to two commits created by User1 would look like this:
Third-party DCO remediation commit for User1 <user1@email.test>
On behalf of User1 <user1@email.test>, I, user2 <user2@email.test>, hereby add my Signed-off-by to this commit: <COMMIT1_SHA>
On behalf of User1 <user1@email.test>, I, user2 <user2@email.test>, hereby add my Signed-off-by to this commit: <COMMIT2_SHA>
Signed-off-by: User2 <user2@email.test>
It is possible to disable the check for commits authored and signed by members of the organization the repository belongs to.
By default, this feature is disabled. To enable it, the following section must be added to the configuration file (.github/dco.yml):
require:
members: falseWhen this setting is present on a repository that belongs to a single user (instead of an organization), only the repository owner is allowed to push commits without a sign-off.
We'll soon provide some documentation about how to deploy your own instance of DCO2.
Please see CONTRIBUTING.md for more details.
This project follows the CNCF Code of Conduct.
DCO2 is an Open Source project licensed under the Apache License 2.0.