adding dco to this check

also updating docs

Signed-off-by: Sean Simmons <ssimmons@progress.com>

Author: sean-sype-simmons

.github/workflows/ci-main-pull-request.yml

@@ -101,6 +101,16 @@ on:
         required: false
         type: string
         default: 'main'
+      perform-dco-check:
+        description: 'Perform DCO (Developer Certificate of Origin) check on pull requests'
+        required: false
+        type: boolean
+        default: true
+      dco-version:
+        description: 'Version of DCO check workflow to use (e.g., main, v1.0.7)'
+        required: false
+        type: string
+        default: 'main'
       perform-language-linting:
         description: 'Perform language-specific linting and pre-compilation checks'
         required: false

.github/workflows/dco-check.yml

@@ -0,0 +1,45 @@
+# DCO (Developer Certificate of Origin) Check
+#
+# Verifies that all commits in a pull request are signed off with DCO
+#
+# See https://developercertificate.org/ for more information about DCO
+
+name: DCO Check
+
+on:
+  workflow_call:
+    inputs:
+      github-event-name:
+        description: 'GitHub event name (pass github.event_name from calling workflow)'
+        required: false
+        type: string
+        default: ''
+
+permissions: {}
+
+jobs:
+  dco_check_job:
+    permissions:
+      contents: read
+      pull-requests: read
+    runs-on: ubuntu-latest
+    name: DCO Check
+    steps:
+      - name: Skip if not pull request
+        if: ${{ inputs.github-event-name != 'pull_request' && inputs.github-event-name != 'pull_request_target' }}
+        run: |
+          echo "DCO check only runs on pull_request events. Skipping..."
+          exit 0
+      
+      - name: Get PR Commits
+        if: ${{ inputs.github-event-name == 'pull_request' || inputs.github-event-name == 'pull_request_target' }}
+        uses: tim-actions/get-pr-commits@master
+        id: 'get-pr-commits'
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+      
+      - name: DCO Check
+        if: ${{ inputs.github-event-name == 'pull_request' || inputs.github-event-name == 'pull_request_target' }}
+        uses: tim-actions/dco@master
+        with:
+          commits: ${{ steps.get-pr-commits.outputs.commits }}

.github/workflows/stubs/ci-main-pull-request-stub.yml

@@ -36,25 +36,43 @@ jobs:
       detect-version-source-parameter: '' # use for file name
       language: 'go'  # Go, Ruby, Rust, JavaScript, TypeScript, Python, Java, C#, PHP, other - used for build and SonarQube language setting
 
+      # ============================================================================
+      # SUB-WORKFLOW VERSION CONTROL (NEW IN v1.0.7+)
+      # ============================================================================
+      # Pin individual scan/workflow versions for stability. Uncomment to use.
+      # All default to 'main' if not specified. Use 'v1.0.7' format for stable versions.
+      # See: https://github.com/chef/common-github-actions/blob/main/HOW-TO-USE.md#sub-workflow-versioning-new
+      # ============================================================================
+      # scc-version: 'main'                    # Source code complexity checks
+      # dco-version: 'main'                    # Developer Certificate of Origin check
+      # trufflehog-version: 'main'             # Secret scanning (TruffleHog)
+      # grype-version: 'main'                  # Grype source/image scanning
+      # grype-hab-workflow-version: 'main'     # Grype Habitat package scanning
+      # polaris-version: 'main'                # BlackDuck Polaris SAST
+      # sbom-version: 'main'                   # SBOM generation and BlackDuck SCA
+      # quality-dashboard-version: 'main'      # Quality dashboard reporting
+
+      # ============================================================================
+      # SECURITY SCANS & CODE QUALITY
+      # ============================================================================
+      
       # complexity-checks
       perform-complexity-checks: true
-      # scc-version: 'main'  # Version of SCC workflow (main, v1.0.7, etc.)
       # scc-output-filename: 'scc-output.txt'
       perform-language-linting: false    # Perform language-specific linting and pre-compilation checks
 
+      # DCO (Developer Certificate of Origin) check
+      perform-dco-check: true  # Validate commit sign-offs on pull requests
+
       # trufflehog secret scanning
       perform-trufflehog-scan: true
-      # trufflehog-version: 'main'  # Version of Trufflehog workflow (main, v1.0.7, etc.)
 
       # trivy dependency and container scanning
       perform-trivy-scan: true
-      # grype-version: 'main'  # Version of Grype workflow for source/image scans (main, v1.0.7, etc.)
-      # grype-hab-version: 'main'  # Version of Grype Habitat package scan workflow (main, v1.0.7, etc.)
 
       # BlackDuck SAST (Polaris) and SCA scans (requires a build or download to do SAST)
       # requires these secrets: POLARIS_SERVER_URL, POLARIS_ACCESS_TOKEN
       perform-blackduck-polaris: true
-      # polaris-version: 'main'  # Version of Polaris SAST workflow (main, v1.0.7, etc.)
       polaris-application-name: "Chef-Chef360"  # one of these: Chef-Agents, Chef-Automate, Chef-Chef360, Chef-Habitat, Chef-Infrastructure-Server, Chef-Shared-Services, Chef-Other, Chef-Non-Product
       polaris-project-name: ${{ github.event.repository.name }}
       # polaris-blackduck-executable: 'path/to/blackduck/binary'
@@ -87,7 +105,6 @@ jobs:
       perform-docker-scan: false  # scan Dockerfile and built images with Docker Scout or Trivy; see repo custom properties matching "container"
 
       # report to central developer dashboard
-      # quality-dashboard-version: 'main'  # Version of quality dashboard workflow (main, v1.0.7, etc.)
       report-to-atlassian-dashboard: false
       quality-product-name: 'Chef-360'   # product name for quality reporting, like Chef360, Courier, Inspec
       # quality-product-name: ${{ github.event.repository.name }}   # like 'Chef-360' - the product name for quality reporting, like Chef360, Courier, Inspec
@@ -111,7 +128,6 @@ jobs:
       publish-packages: false     # Publish packages (e.g., container from Dockerfile to ECR, go-releaser binary to releases page, omnibus to artifactory, gems, choco, homebrew, other app stores)
 
       # generate and export Software Bill of Materials (SBOM) in various formats
-      # sbom-version: 'main'  # Version of SBOM workflow (main, v1.0.7, etc.)
       generate-sbom: true
       export-github-sbom: true      # SPDX JSON artifact on job instance  
       perform-blackduck-sca-scan: true # combined with generate sbom & generate github-sbom, also needs version above

HOW-TO-USE.md

@@ -119,6 +119,7 @@ jobs:
     with:
       # Pin individual scan versions
       scc-version: 'v1.0.7'              # Use stable SCC
+      dco-version: 'v1.0.7'              # Use stable DCO check
       trufflehog-version: 'v1.0.7'       # Use stable TruffleHog
       grype-version: 'main'              # Use latest Grype
       grype-hab-workflow-version: 'v1.0.6' # Use older Habitat scan
@@ -136,6 +137,7 @@ jobs:
 
 **Available Version Inputs:**
 - `scc-version` - Source code complexity checks
+- `dco-version` - Developer Certificate of Origin check
 - `trufflehog-version` - Secret scanning
 - `grype-version` - Grype image/source scanning
 - `grype-hab-workflow-version` - Grype Habitat package scanning
@@ -344,6 +346,7 @@ jobs:
 | Input | Type | Default | Description |
 |-------|------|---------|-------------|
 | `perform-complexity-checks` | boolean | `true` | Run SCC complexity checks |
+| `perform-dco-check` | boolean | `true` | Run DCO (Developer Certificate of Origin) check on pull requests |
 | `perform-language-linting` | boolean | `true` | Run language-specific linting |
 | `perform-trufflehog-scan` | boolean | `true` | Run TruffleHog secret scan |
 | `perform-trivy-scan` | boolean | `true` | Run Trivy vulnerability scan |

PIPELINE-REFERENCE.md

@@ -43,6 +43,7 @@ jobs:
 | Input | Workflow | Default | Description |
 |-------|----------|---------|-------------|
 | `scc-version` | scc.yml | `main` | Source code complexity |
+| `dco-version` | dco-check.yml | `main` | Developer Certificate of Origin check |
 | `trufflehog-version` | trufflehog.yml | `main` | Secret scanning |
 | `grype-version` | grype.yml | `main` | Image/source scanning |
 | `grype-hab-workflow-version` | grype-hab-package-scan.yml | `main` | Habitat package scanning |
@@ -142,6 +143,52 @@ graph LR
 
 ---
 
+### **DCO (Developer Certificate of Origin) Check**
+
+**Purpose:** Validates that all commits in a pull request are signed with a Developer Certificate of Origin (DCO), ensuring contributors certify their right to submit the code.
+
+**What it checks:** 
+- Presence of "Signed-off-by" line in commit messages
+- Proper DCO signature format
+- All commits in the pull request have valid DCO sign-offs
+
+**Reporting:**
+- Job status (pass/fail) in GitHub Actions
+- Comments on pull requests indicating which commits are missing DCO signatures
+- Detailed logs available in workflow output
+
+#### Job Mapping
+
+```mermaid
+graph LR
+    A[run-dco-check Job] -->|calls| B[dco-check.yml]
+    B -->|requires| C[Variables]
+    
+    C -->|input| D[github-event-name: string]
+    C -->|version| E[dco-version: string]
+    
+    style A fill:#ffe1e1
+    style B fill:#ffd4d4
+```
+
+**Workflow File:** `chef/common-github-actions/.github/workflows/dco-check.yml@{version}`
+
+**Version Input:**
+- `dco-version` (string) - Version of DCO check workflow to use (e.g., 'main', 'v1.0.7'), default: 'main'
+
+**Required Variables:**
+- `github-event-name` (string) - GitHub event name to determine if this is a pull request event
+
+**Condition:** `inputs.perform-dco-check == true`
+
+**Notes:**
+- Only executes on pull_request events
+- Automatically skipped for push events and other triggers
+- Uses tim-actions/get-pr-commits and tim-actions/dco for validation
+- Contributors can add DCO sign-off using: `git commit -s` or `git commit --signoff`
+
+---
+
 ## Language-Specific Analysis
 
 ### **Linting Tools**
@@ -764,6 +811,7 @@ sequenceDiagram
 | Tool | Type | Primary Use | Workflow File | Output Location |
 |------|------|-------------|---------------|-----------------|
 | SCC | Complexity | Code metrics | scc.yml | GitHub Artifacts |
+| DCO Check | Compliance | Commit sign-off validation | dco-check.yml | Actions Logs/PR Comments |
 | TruffleHog | Secret Scan | Credential detection | trufflehog.yml | Actions Logs |
 | Trivy | Vulnerability | Dependencies & containers | trivy.yml | GitHub Artifacts/Security |
 | BlackDuck Polaris | SAST | Security vulnerabilities | Inline | polaris.blackduck.com |