feat(ci): add DCO sign-off check for pull requests

JasonXuDeveloper · claude · JasonXuDeveloper · commit 7b8b9a120cec · 2026-01-25T15:29:20.000+11:00
Add a GitHub Actions workflow that verifies all commits in a PR
have a 'Signed-off-by' line for Developer Certificate of Origin
compliance.

- Checks all non-merge commits in the PR
- Provides clear error messages with instructions to fix
- Shows which specific commits are missing sign-off

To enforce this check, enable branch protection rules on master
and require the "Verify DCO Sign-off" check to pass.

Co-Authored-By: Claude Opus 4.5 &lt;noreply@anthropic.com&gt;
Signed-off-by: JasonXuDeveloper - 傑 &lt;jason@xgamedev.net&gt;
diff --git a/.github/workflows/dco-check.yml b/.github/workflows/dco-check.yml
@@ -0,0 +1,81 @@
+name: DCO Check
+
+on:
+  pull_request:
+    branches: [master]
+
+jobs:
+  dco-check:
+    name: Verify DCO Sign-off
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0  # Fetch all commits for PR
+
+      - name: Check DCO sign-off on all commits
+        run: |
+          echo "Checking DCO sign-off for all commits in this PR..."
+          echo ""
+
+          # Get the base and head commits
+          BASE_SHA="${{ github.event.pull_request.base.sha }}"
+          HEAD_SHA="${{ github.event.pull_request.head.sha }}"
+
+          # Get list of commits in the PR
+          COMMITS=$(git rev-list --no-merges $BASE_SHA..$HEAD_SHA)
+
+          if [ -z "$COMMITS" ]; then
+            echo "No commits to check."
+            exit 0
+          fi
+
+          FAILED=0
+          TOTAL=0
+
+          for COMMIT in $COMMITS; do
+            TOTAL=$((TOTAL + 1))
+            SUBJECT=$(git log -1 --format="%s" $COMMIT)
+            AUTHOR=$(git log -1 --format="%an <%ae>" $COMMIT)
+
+            # Check for Signed-off-by line
+            if git log -1 --format="%B" $COMMIT | grep -q "^Signed-off-by: "; then
+              echo "✅ $COMMIT: $SUBJECT"
+            else
+              echo "❌ $COMMIT: $SUBJECT"
+              echo "   Author: $AUTHOR"
+              echo "   Missing 'Signed-off-by' line"
+              echo ""
+              FAILED=$((FAILED + 1))
+            fi
+          done
+
+          echo ""
+          echo "----------------------------------------"
+          echo "Total commits checked: $TOTAL"
+          echo "Commits with sign-off: $((TOTAL - FAILED))"
+          echo "Commits missing sign-off: $FAILED"
+          echo "----------------------------------------"
+
+          if [ $FAILED -gt 0 ]; then
+            echo ""
+            echo "❌ DCO check failed!"
+            echo ""
+            echo "All commits must be signed off to certify you have the right to submit"
+            echo "the code under the project's open source license."
+            echo ""
+            echo "To sign off your commits, use the --signoff (or -s) flag:"
+            echo "  git commit -s -m \"your commit message\""
+            echo ""
+            echo "To fix existing commits, you can:"
+            echo "  1. Amend the last commit: git commit --amend -s"
+            echo "  2. Rebase and sign all: git rebase --signoff HEAD~$FAILED"
+            echo ""
+            echo "For more information, see: https://developercertificate.org/"
+            exit 1
+          fi
+
+          echo ""
+          echo "✅ All commits are properly signed off!"
