Add Signed-off-by rule

Signed-off-by: James M Snell <jasnell@gmail.com>
Assisted-By: Opencode/Opus 4.6

Author: jasnell

lib/rules/signed-off-by.js

@@ -0,0 +1,122 @@
+const id = 'signed-off-by'
+
+// Matches the name and email from a Signed-off-by line
+const signoffParts = /^Signed-off-by: (.*) <([^>]+)>/i
+
+// Bot/AI patterns: name ending in [bot], or GitHub bot noreply emails
+const botNamePattern = /\[bot\]$/i
+const botEmailPattern = /\[bot\]@users\.noreply\.github\.com$/i
+
+// Extract email from an author string like "Name <email>"
+function parseEmail (authorStr) {
+  if (!authorStr) return null
+  const match = authorStr.match(/<([^>]+)>/)
+  return match ? match[1].toLowerCase() : null
+}
+
+export default {
+  id,
+  meta: {
+    description: 'enforce DCO sign-off',
+    recommended: true
+  },
+  defaults: {},
+  options: {},
+  validate: (context, rule) => {
+    const parsed = context.toJSON()
+
+    // Release commits generally won't have sign-offs
+    if (parsed.release) {
+      context.report({
+        id,
+        message: 'skipping sign-off for release commit',
+        string: '',
+        level: 'skip'
+      })
+      return
+    }
+
+    const signoffPattern = /^Signed-off-by: /i
+    const validSignoff = /^Signed-off-by: .+ <[^@]+@[^@]+\.[^@]+>/i
+    const signoffs = parsed.body
+      .map((line, i) => [line, i])
+      .filter(([line]) => signoffPattern.test(line))
+
+    if (signoffs.length === 0) {
+      context.report({
+        id,
+        message: 'Commit must have a "Signed-off-by" trailer',
+        string: '',
+        level: 'fail'
+      })
+      return
+    }
+
+    // Check that at least one sign-off has a valid email
+    const hasValid = signoffs.some(([line]) => validSignoff.test(line))
+    if (!hasValid) {
+      const [line, lineNum] = signoffs[0]
+      context.report({
+        id,
+        message: '"Signed-off-by" trailer has invalid email',
+        string: line,
+        line: lineNum,
+        column: 0,
+        level: 'fail'
+      })
+      return
+    }
+
+    // Check that no sign-off appears to be from a bot or AI agent.
+    // Bots and AI agents are not permitted to sign off on commits.
+    for (const [line, lineNum] of signoffs) {
+      const match = line.match(signoffParts)
+      if (!match) continue
+      const name = match[1]
+      const email = match[2]
+      if (botNamePattern.test(name) || botEmailPattern.test(email)) {
+        context.report({
+          id,
+          message: '"Signed-off-by" must be from a human author, ' +
+                   'not a bot or AI agent',
+          string: line,
+          line: lineNum,
+          column: 0,
+          level: 'warn'
+        })
+        return
+      }
+    }
+
+    // When author info is available, warn if none of the sign-off emails
+    // match the commit author email. This may indicate an automated tool
+    // signed off on behalf of the author.
+    const authorEmail = parseEmail(parsed.author)
+    if (authorEmail) {
+      const authorMatch = signoffs.some(([line]) => {
+        const match = line.match(signoffParts)
+        if (!match) return false
+        return match[2].toLowerCase() === authorEmail
+      })
+      if (!authorMatch) {
+        context.report({
+          id,
+          message: '"Signed-off-by" email does not match the ' +
+                   'commit author email',
+          string: signoffs[0][0],
+          line: signoffs[0][1],
+          column: 0,
+          level: 'warn'
+        })
+        return
+      }
+    }
+
+    context.report({
+      id,
+      message: 'has valid Signed-off-by',
+      string: '',
+      level: 'pass'
+    })
+  }
+}

lib/validator.js

@@ -11,6 +11,7 @@ import metadataEnd from './rules/metadata-end.js'
 import prUrl from './rules/pr-url.js'
 import reviewers from './rules/reviewers.js'
 import subsystem from './rules/subsystem.js'
+import signedOffBy from './rules/signed-off-by.js'
 import titleFormat from './rules/title-format.js'
 import titleLength from './rules/title-length.js'
 
@@ -22,6 +23,7 @@ const RULES = {
   'metadata-end': metadataEnd,
   'pr-url': prUrl,
   reviewers,
+  'signed-off-by': signedOffBy,
   subsystem,
   'title-format': titleFormat,
   'title-length': titleLength

test/cli-test.js

@@ -155,7 +155,7 @@ test('Test cli flags', (t) => {
   t.test('test stdin with valid JSON', (tt) => {
     const validCommit = {
       id: '2b98d02b52',
-      message: 'stream: make null an invalid chunk to write in object mode\n\nthis harmonizes behavior between readable, writable, and transform\nstreams so that they all handle nulls in object mode the same way by\nconsidering them invalid chunks.\n\nPR-URL: https://github.com/nodejs/node/pull/6170\nReviewed-By: James M Snell <jasnell@gmail.com>\nReviewed-By: Matteo Collina <matteo.collina@gmail.com>'
+      message: 'stream: make null an invalid chunk to write in object mode\n\nthis harmonizes behavior between readable, writable, and transform\nstreams so that they all handle nulls in object mode the same way by\nconsidering them invalid chunks.\n\nSigned-off-by: Calvin Metcalf <cmetcalf@appgeo.com>\nPR-URL: https://github.com/nodejs/node/pull/6170\nReviewed-By: James M Snell <jasnell@gmail.com>\nReviewed-By: Matteo Collina <matteo.collina@gmail.com>'
     }
     const input = JSON.stringify([validCommit])
 
@@ -211,11 +211,11 @@ test('Test cli flags', (t) => {
     const commits = [
       {
         id: 'commit1',
-        message: 'doc: update README\n\nPR-URL: https://github.com/nodejs/node/pull/1111\nReviewed-By: Someone <someone@example.com>'
+        message: 'doc: update README\n\nSigned-off-by: Someone <someone@example.com>\nPR-URL: https://github.com/nodejs/node/pull/1111\nReviewed-By: Someone <someone@example.com>'
       },
       {
         id: 'commit2',
-        message: 'test: add new test case\n\nPR-URL: https://github.com/nodejs/node/pull/2222\nReviewed-By: Someone <someone@example.com>'
+        message: 'test: add new test case\n\nSigned-off-by: Someone <someone@example.com>\nPR-URL: https://github.com/nodejs/node/pull/2222\nReviewed-By: Someone <someone@example.com>'
       }
     ]
     const input = JSON.stringify(commits)
@@ -337,7 +337,7 @@ test('Test cli flags', (t) => {
   t.test('test stdin with --no-validate-metadata', (tt) => {
     const commit = {
       id: 'novalidate',
-      message: 'doc: update README\n\nThis commit has no PR-URL or reviewers'
+      message: 'doc: update README\n\nThis commit has no PR-URL or reviewers\n\nSigned-off-by: Someone <someone@example.com>'
     }
     const input = JSON.stringify([commit])
 

test/fixtures/commit.json

@@ -16,7 +16,7 @@
     "sha": "d3f20ccfaa7b0919a7c5a472e344b7de8829b30c",
     "url": "https://api.github.com/repos/nodejs/node/git/trees/d3f20ccfaa7b0919a7c5a472e344b7de8829b30c"
   },
-  "message": "stream: make null an invalid chunk to write in object mode\n\nthis harmonizes behavior between readable, writable, and transform\nstreams so that they all handle nulls in object mode the same way by\nconsidering them invalid chunks.\n\nPR-URL: https://github.com/nodejs/node/pull/6170\nReviewed-By: James M Snell <jasnell@gmail.com>\nReviewed-By: Matteo Collina <matteo.collina@gmail.com>",
+  "message": "stream: make null an invalid chunk to write in object mode\n\nthis harmonizes behavior between readable, writable, and transform\nstreams so that they all handle nulls in object mode the same way by\nconsidering them invalid chunks.\n\nSigned-off-by: Calvin Metcalf <cmetcalf@appgeo.com>\nPR-URL: https://github.com/nodejs/node/pull/6170\nReviewed-By: James M Snell <jasnell@gmail.com>\nReviewed-By: Matteo Collina <matteo.collina@gmail.com>",
   "parents": [
     {
       "sha": "ec2822adaad76b126b5cccdeaa1addf2376c9aa6",

test/fixtures/pr.json

@@ -12,7 +12,7 @@
         "email": "cmetcalf@appgeo.com",
         "date": "2016-04-13T16:33:55Z"
       },
-      "message": "stream: make null an invalid chunk to write in object mode\n\nthis harmonizes behavior between readable, writable, and transform\nstreams so that they all handle nulls in object mode the same way by\nconsidering them invalid chunks.\n\nPR-URL: https://github.com/nodejs/node/pull/6170\nReviewed-By: James M Snell <jasnell@gmail.com>\nReviewed-By: Matteo Collina <matteo.collina@gmail.com>",
+      "message": "stream: make null an invalid chunk to write in object mode\n\nthis harmonizes behavior between readable, writable, and transform\nstreams so that they all handle nulls in object mode the same way by\nconsidering them invalid chunks.\n\nSigned-off-by: Calvin Metcalf <cmetcalf@appgeo.com>\nPR-URL: https://github.com/nodejs/node/pull/6170\nReviewed-By: James M Snell <jasnell@gmail.com>\nReviewed-By: Matteo Collina <matteo.collina@gmail.com>",
       "tree": {
         "sha": "e4f9381fdd77d1fd38fe27a80dc43486ac732d48",
         "url": "https://api.github.com/repos/nodejs/node/git/trees/e4f9381fdd77d1fd38fe27a80dc43486ac732d48"