docs(dx): document GPG signing requirement for commits #681
Draft
Copilot wants to merge 3 commits into
Surfaced during PR #672 review: @jordane confirmed GPG signing is enforced by repo policy, but neither CLAUDE.md nor .claude/rules/commit-workflow.md mentioned it. Both said only DCO sign-off was required, which caused churn during that review.

- CLAUDE.md: updated the single-line commit guidance to `git commit --signoff -S` and noted both signatures are enforced.
- .claude/rules/commit-workflow.md: added a "Commit Signing" section with one-time GPG setup, the standard commit command, and a signature-verification snippet for branch validation.

Signed-off-by: Manish Dixit <mdixit@linuxfoundation.org>

Address PR #674 review feedback from @copilot-pull-request-reviewer and @jordane.

- CONTRIBUTING.md (Sign-off section): renamed to "Sign-off and GPG Signing", expanded to require both --signoff and -S, included one-time GPG config, and pointed at .claude/rules/commit-workflow.md as the canonical policy source (per @copilot-pull-request-reviewer)
- .claude/agents/code-standards-enforcer.md (General Rules checklist): updated the commit-signing item to require both --signoff and -S with a cross-reference to commit-workflow.md (per @copilot-pull-request-reviewer)
- .claude/rules/commit-workflow.md (verification snippet): relaxed acceptable %G? codes to G or U (good-but-untrusted is fine for policy), documented that N/B/E need investigation, and noted that GitHub's Verified badge is the authoritative post-push check since local %G? depends on which keys are in the user's trust db (per @copilot-pull-request-reviewer and @jordane)

Resolves 2 review threads.

Signed-off-by: Manish Dixit <mdixit@linuxfoundation.org>
Copilot AI changed the title from "[WIP] Document GPG signing requirement for commits" to "docs(dx): document GPG signing requirement for commits" on May 11, 2026
Neither `CLAUDE.md` nor the commit-workflow rule mentioned GPG signing — only DCO `--signoff` — causing review churn when unsigned commits were pushed (surfaced in PR #672).

Changes

- `CLAUDE.md` — updated commit guidance to `git commit --signoff -S`; noted both DCO and GPG are enforced by repo policy.
- `.claude/rules/commit-workflow.md` — added "Commit Signing" section: one-time GPG config, standard commit command, and a `%G?` verification snippet. Acceptable codes are `G` (good) or `U` (good, untrusted locally); `N`/`B`/`E` need investigation. GitHub's Verified badge is the authoritative post-push check — local trust state may differ.
- `CONTRIBUTING.md` — "Sign-off" section renamed to "Sign-off and GPG Signing"; command updated to `git commit --signoff -S`; cross-references `commit-workflow.md` as canonical policy source.
- `.claude/agents/code-standards-enforcer.md` — commit-signing checklist item updated to require `--signoff -S` with a pointer to `commit-workflow.md`.

`commit-workflow.md` is now the single source of truth; the other files point to it rather than duplicating the policy.
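The branch-validation policy described above (accept `%G?` codes `G` or `U`, investigate `N`/`B`/`E`, require a DCO sign-off), sketched as an added example; it is not the snippet from `.claude/rules/commit-workflow.md`, which this page does not show. The function names and the rejection of the remaining `%G?` codes (`X`, `Y`, `R`) are assumptions.

```shell
#!/bin/sh
# Added example (not the project's own snippet): audit a commit range for
# GPG signature status and DCO sign-off.
#
# Record format, one commit per line, tab-separated:
#   <commit hash> <%G? code> <Signed-off-by values, comma-joined>

# audit_commits: read records on stdin, print one finding per problem,
# return 0 when every commit passes and 1 otherwise.
audit_commits() {
    awk -F '\t' '
        {
            sig = $2; dco = $3; finding = ""
            if (sig == "G" || sig == "U") finding = ""        # accepted by policy
            else if (sig == "N") finding = "no signature"
            else if (sig == "B") finding = "bad signature"
            else if (sig == "E") finding = "signature cannot be checked (missing key?)"
            else finding = "signature status " sig " not accepted"  # X/Y/R: assumption
            if (finding != "") { print $1 ": " finding; bad = 1 }
            if (dco == "")     { print $1 ": missing Signed-off-by trailer"; bad = 1 }
        }
        END { exit bad + 0 }
    '
}

# audit_range: run the audit over a revision range such as origin/main..HEAD.
# %G? reflects the local keyring, so U here can still show as Verified on GitHub.
audit_range() {
    git log --format='%H%x09%G?%x09%(trailers:key=Signed-off-by,valueonly,separator=%x2C)' "$1" |
        audit_commits
}

# Run against a range when one is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_range "$1"
    exit $?
fi
```

A non-zero exit from `audit_range origin/main..HEAD` lists each commit to re-sign or amend before pushing.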