docs(dx): document GPG signing requirement for commits #674
Surfaced during PR #672 review: @jordane confirmed GPG signing is enforced by repo policy, but neither CLAUDE.md nor .claude/rules/commit-workflow.md mentioned it. Both said only DCO sign-off was required, which caused churn during that review.

- CLAUDE.md: updated the single-line commit guidance to `git commit --signoff -S` and noted both signatures are enforced.
- .claude/rules/commit-workflow.md: added a "Commit Signing" section with one-time GPG setup, the standard commit command, and a signature-verification snippet for branch validation.

Signed-off-by: Manish Dixit <mdixit@linuxfoundation.org>
Claude Code Review
This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.
Pull request overview
Updates contributor documentation to reflect repository-enforced commit signing requirements (both DCO sign-off and GPG commit signatures), reducing friction during PR reviews and CI validation.
Changes:
- Update CLAUDE.md commit guidance to require `git commit --signoff -S`.
- Add a "Commit Signing" section to .claude/rules/commit-workflow.md with GPG setup steps, standard commit command, and a signature-check snippet.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| CLAUDE.md | Updates the commit guidance line to reflect both DCO and GPG signing requirements. |
| .claude/rules/commit-workflow.md | Adds explicit commit signing setup and verification guidance for contributors. |
Address review comments from @copilot-pull-request-reviewer:

- Step 4 hard checks: replaced the manual prose Signed-off-by check with a single combined verification command that asserts both GPG signature status (`%G?`) and trailer presence per commit via `git log --format='%G? %(trailers:key=Signed-off-by,valueonly...)'` — fail-fast block is now fully actionable rather than partly manual (per @copilot-pull-request-reviewer on line 75)
- Step 6 gh pr create: dropped the branch-name fallback for PR title and clarified the title must be `type(scope): description`, lowercase, no JIRA ticket. If the first commit subject doesn't satisfy that, command asks user for a valid title. Prevents PR-title-lint CI failures from branch-name fallbacks like `feat/LFXV2-1697` (per @copilot-pull-request-reviewer on line 124)
- Step 6 PR-body checklist: `yarn lint` -> `yarn lint:check`, added `yarn format:check` line, so checklist labels now match the gates actually run in Step 3 (per @copilot-pull-request-reviewer on line 112)

Item 4 (false positive on GPG mandate, line 50) is being handled by companion PR #674 which documents the GPG-enforcement policy in CLAUDE.md and .claude/rules/commit-workflow.md.

Item 5 (draft-mode contradiction at line 13) deferred pending user direction on whether to implement --draft end-to-end or remove the draft references from $ARGUMENTS interpretation.

Resolves 3 of 5 review threads; 1 reply-only (false positive); 1 deferred.

Signed-off-by: Manish Dixit <mdixit@linuxfoundation.org>
Address PR #674 review feedback from @copilot-pull-request-reviewer and @jordane.

- CONTRIBUTING.md (Sign-off section): renamed to "Sign-off and GPG Signing", expanded to require both --signoff and -S, included one-time GPG config, and pointed at .claude/rules/commit-workflow.md as the canonical policy source (per @copilot-pull-request-reviewer)
- .claude/agents/code-standards-enforcer.md (General Rules checklist): updated the commit-signing item to require both --signoff and -S with a cross-reference to commit-workflow.md (per @copilot-pull-request-reviewer)
- .claude/rules/commit-workflow.md (verification snippet): relaxed acceptable %G? codes to G or U (good-but-untrusted is fine for policy), documented that N/B/E need investigation, and noted that GitHub's Verified badge is the authoritative post-push check since local %G? depends on which keys are in the user's trust db (per @copilot-pull-request-reviewer and @jordane)

Resolves 2 review threads.

Signed-off-by: Manish Dixit <mdixit@linuxfoundation.org>
Review Feedback Addressed
Commit: 4ed1730
Changes Made
Threads Resolved: 2 of 2 unresolved threads addressed.
Follow-up Note: The

@manishdixitlfx I've opened a new pull request, #681, to work on those changes. Once the pull request is ready, I'll request review from you.
Mirrors the verification-snippet relaxation from PR #674 so the /lfx-pr command and the canonical commit-workflow rule stay in sync.

- Accept %G? codes G or U (good signature, with U meaning the signing key isn't in the local trust db — fine for policy purposes)
- Flag N / B / E as codes needing investigation
- Note that GitHub's Verified badge is the authoritative post-push check, since local %G? depends on which keys the user has imported

Signed-off-by: Manish Dixit <mdixit@linuxfoundation.org>
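The commit messages above describe a branch check that requires every commit to carry a `%G?` status of G or U plus a Signed-off-by trailer. The script below is an added example written for this page, not the repository's /lfx-pr command or its commit-workflow snippet. It parses one-line-per-commit output of `git log --format='%H %G? %(trailers:key=Signed-off-by,valueonly,separator=%x2C)'` (the `%H` prefix and the `separator=` option are assumptions added to the format quoted in the commits so that a commit with several sign-offs still occupies one line) and runs against constructed sample lines so it works offline.

```shell
#!/bin/sh
# Added example (not the repository's own verification snippet).
# Checks each commit line for a GPG status of G or U and a Signed-off-by trailer.
#
# On a real branch the input would come from (format assumed, see lead-in):
#   git log --format='%H %G? %(trailers:key=Signed-off-by,valueonly,separator=%x2C)' main..HEAD
#
# %G? codes: G good, U good but the signing key is untrusted locally (accepted
# by policy), N no signature, B bad signature, E signature could not be checked.

# Constructed sample log (hashes and identities are made up).
SAMPLE_LOG='1111111 G Jane Doe <jane@example.com>
2222222 U Jane Doe <jane@example.com>
3333333 N Jane Doe <jane@example.com>
4444444 G
5555555 B Jane Doe <jane@example.com>'

# check_commit_line "<hash> <%G?> <trailer values>"
# Prints a verdict and returns 0 only when the commit satisfies the policy.
check_commit_line() {
    sha=$(printf '%s\n' "$1" | cut -d' ' -f1)
    sig=$(printf '%s\n' "$1" | cut -d' ' -f2)
    trailer=$(printf '%s\n' "$1" | cut -d' ' -f3-)
    bad=0
    case "$sig" in
        G|U) ;;
        N) echo "$sha: no GPG signature (%G?=N)"; bad=1 ;;
        B) echo "$sha: BAD GPG signature (%G?=B)"; bad=1 ;;
        E) echo "$sha: signature could not be checked (%G?=E), investigate"; bad=1 ;;
        *) echo "$sha: unexpected %G? code '$sig'"; bad=1 ;;
    esac
    if [ -z "$trailer" ]; then
        echo "$sha: missing Signed-off-by trailer"
        bad=1
    fi
    if [ "$bad" -eq 0 ]; then
        echo "$sha: ok (%G?=$sig, signed off by $trailer)"
    fi
    return "$bad"
}

# count_failures: reads log lines from stdin and prints the number of
# non-compliant commits (0 means the branch passes the check).
count_failures() {
    failures=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if ! check_commit_line "$line" >/dev/null; then
            failures=$((failures + 1))
        fi
    done
    echo "$failures"
}

# Stand-alone demonstration over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r line; do
    check_commit_line "$line" || true
done
echo "non-compliant commits: $(printf '%s\n' "$SAMPLE_LOG" | count_failures)"
```

As the commit messages note, the local `%G?` result depends on which keys are in the user's trust db, so a U (or an E for a key that was never imported) on one machine can be a G on another; GitHub's Verified badge remains the authoritative post-push check, and this script is only the pre-push gate.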