Add Signed-off-by rule

Signed-off-by: James M Snell <jasnell@gmail.com>
Assisted-By: Opencode/Opus 4.6

Author: jasnell

lib/rules/signed-off-by.js

@@ -0,0 +1,181 @@
+const id = 'signed-off-by'
+
+// Matches the name and email from a Signed-off-by line
+const signoffParts = /^Signed-off-by: (.*) <([^>]+)>/i
+
+// Bot/AI patterns: name ending in [bot], or GitHub bot noreply emails
+// This is an imperfect heuristic, but there's no standard way to identify
+// bot commits in a reliable, generic way.
+const botNamePattern = /\[bot\]$/i
+const botEmailPattern = /\[bot\]@users\.noreply\.github\.com$/i
+
+// Matches "Name <email>" author strings
+const authorPattern = /^(.*?)\s*<([^>]+)>/
+const signoffPattern = /^Signed-off-by: /i
+const validSignoff = /^Signed-off-by: .+ <[^@]+@[^@]+\.[^@]+>/i
+
+// Parse name and email from an author string like "Name <email>"
+function parseAuthor (authorStr) {
+  if (!authorStr) return null
+  const match = authorStr.match(authorPattern)
+  if (!match) return null // Purely defensive check here
+  return { name: match[1].trim(), email: match[2].toLowerCase() }
+}
+
+// Check if an author string looks like a bot
+function isBotAuthor (authorStr) {
+  const author = parseAuthor(authorStr)
+  if (!author) return false
+  return botNamePattern.test(author.name) || botEmailPattern.test(author.email)
+}
+
+export default {
+  id,
+  meta: {
+    description: 'enforce DCO sign-off',
+    recommended: true
+  },
+  defaults: {},
+  options: {},
+  validate: (context, rule) => {
+    const parsed = context.toJSON()
+
+    // Release commits generally won't have sign-offs
+    if (parsed.release) {
+      context.report({
+        id,
+        message: 'skipping sign-off for release commit',
+        string: '',
+        level: 'skip'
+      })
+      return
+    }
+
+    const signoffs = parsed.body
+      .map((line, i) => [line, i])
+      .filter(([line]) => signoffPattern.test(line))
+
+    // Bot-authored commits don't need a sign-off.
+    // If they have one, warn; otherwise pass.
+    if (isBotAuthor(parsed.author)) {
+      if (signoffs.length === 0) {
+        context.report({
+          id,
+          message: 'skipping sign-off for bot commit',
+          string: '',
+          level: 'pass'
+        })
+      } else {
+        for (const [line, lineNum] of signoffs) {
+          context.report({
+            id,
+            message: 'bot commit should not have a "Signed-off-by" trailer',
+            string: line,
+            line: lineNum,
+            column: 0,
+            level: 'warn'
+          })
+        }
+      }
+      return
+    }
+
+    // Assume it's not a bot commit... a Signed-off-by trailer is required.
+    if (signoffs.length === 0) {
+      context.report({
+        id,
+        message: 'Commit must have a "Signed-off-by" trailer',
+        string: '',
+        level: 'fail'
+      })
+      return
+    }
+
+    // Flag every sign-off that has an invalid email format.
+    // Collect valid sign-offs for further checks.
+    const valid = []
+    for (const [line, lineNum] of signoffs) {
+      if (validSignoff.test(line)) {
+        valid.push([line, lineNum])
+      } else {
+        context.report({
+          id,
+          message: '"Signed-off-by" trailer has invalid email',
+          string: line,
+          line: lineNum,
+          column: 0,
+          level: 'fail'
+        })
+      }
+    }
+
+    if (valid.length === 0) {
+      // All sign-offs had invalid emails; already reported above.
+      return
+    }
+
+    // Flag any sign-off that appears to be from a bot or AI agent.
+    // Bots and AI agents are not permitted to sign off on commits.
+    // Collect non-bot sign-offs for further checks. If the commit
+    // itself appears to be from a bot, the case is handled above.
+    const human = []
+    for (const [line, lineNum] of valid) {
+      const { 1: name, 2: email } = line.match(signoffParts)
+      if (botNamePattern.test(name) || botEmailPattern.test(email)) {
+        context.report({
+          id,
+          message: '"Signed-off-by" must be from a human author, ' +
+                   'not a bot or AI agent',
+          string: line,
+          line: lineNum,
+          column: 0,
+          level: 'warn'
+        })
+      } else {
+        human.push([line, lineNum])
+      }
+    }
+
+    // All sign-offs appear to be from bots; already reported above.
+    // If there are no human sign-offs, fail.
+    if (human.length === 0) {
+      context.report({
+        id,
+        message: 'Commit must have a "Signed-off-by" trailer from a human author',
+        string: '',
+        level: 'fail'
+      })
+      return
+    }
+
+    // When author info is available, warn if none of the human sign-off
+    // emails match the commit author email. This may indicate an automated
+    // tool signed off on behalf of the author.
+    const authorEmail = parseAuthor(parsed.author)?.email
+    if (authorEmail) {
+      const authorMatch = human.some(([line]) => {
+        const { 2: email } = line.match(signoffParts)
+        return email.toLowerCase() === authorEmail
+      })
+      if (!authorMatch) {
+        context.report({
+          id,
+          message: '"Signed-off-by" email does not match the ' +
+                   'commit author email',
+          string: human[0][0],
+          line: human[0][1],
+          column: 0,
+          level: 'warn'
+        })
+        return
+      }
+    }
+
+    context.report({
+      id,
+      message: 'has valid Signed-off-by',
+      string: '',
+      level: 'pass'
+    })
+  }
+}

lib/validator.js

@@ -11,6 +11,7 @@ import metadataEnd from './rules/metadata-end.js'
 import prUrl from './rules/pr-url.js'
 import reviewers from './rules/reviewers.js'
 import subsystem from './rules/subsystem.js'
+import signedOffBy from './rules/signed-off-by.js'
 import titleFormat from './rules/title-format.js'
 import titleLength from './rules/title-length.js'
 
@@ -22,6 +23,7 @@ const RULES = {
   'metadata-end': metadataEnd,
   'pr-url': prUrl,
   reviewers,
+  'signed-off-by': signedOffBy,
   subsystem,
   'title-format': titleFormat,
   'title-length': titleLength

test/cli-test.js

@@ -155,7 +155,7 @@ test('Test cli flags', (t) => {
   t.test('test stdin with valid JSON', (tt) => {
     const validCommit = {
       id: '2b98d02b52',
-      message: 'stream: make null an invalid chunk to write in object mode\n\nthis harmonizes behavior between readable, writable, and transform\nstreams so that they all handle nulls in object mode the same way by\nconsidering them invalid chunks.\n\nPR-URL: https://github.com/nodejs/node/pull/6170\nReviewed-By: James M Snell <jasnell@gmail.com>\nReviewed-By: Matteo Collina <matteo.collina@gmail.com>'
+      message: 'stream: make null an invalid chunk to write in object mode\n\nthis harmonizes behavior between readable, writable, and transform\nstreams so that they all handle nulls in object mode the same way by\nconsidering them invalid chunks.\n\nSigned-off-by: Calvin Metcalf <cmetcalf@appgeo.com>\nPR-URL: https://github.com/nodejs/node/pull/6170\nReviewed-By: James M Snell <jasnell@gmail.com>\nReviewed-By: Matteo Collina <matteo.collina@gmail.com>'
     }
     const input = JSON.stringify([validCommit])
 
@@ -211,11 +211,11 @@ test('Test cli flags', (t) => {
     const commits = [
       {
         id: 'commit1',
-        message: 'doc: update README\n\nPR-URL: https://github.com/nodejs/node/pull/1111\nReviewed-By: Someone <someone@example.com>'
+        message: 'doc: update README\n\nSigned-off-by: Someone <someone@example.com>\nPR-URL: https://github.com/nodejs/node/pull/1111\nReviewed-By: Someone <someone@example.com>'
       },
       {
         id: 'commit2',
-        message: 'test: add new test case\n\nPR-URL: https://github.com/nodejs/node/pull/2222\nReviewed-By: Someone <someone@example.com>'
+        message: 'test: add new test case\n\nSigned-off-by: Someone <someone@example.com>\nPR-URL: https://github.com/nodejs/node/pull/2222\nReviewed-By: Someone <someone@example.com>'
       }
     ]
     const input = JSON.stringify(commits)
@@ -337,7 +337,7 @@ test('Test cli flags', (t) => {
   t.test('test stdin with --no-validate-metadata', (tt) => {
     const commit = {
       id: 'novalidate',
-      message: 'doc: update README\n\nThis commit has no PR-URL or reviewers'
+      message: 'doc: update README\n\nThis commit has no PR-URL or reviewers\n\nSigned-off-by: Someone <someone@example.com>'
     }
     const input = JSON.stringify([commit])
 

test/fixtures/commit.json

@@ -16,7 +16,7 @@
     "sha": "d3f20ccfaa7b0919a7c5a472e344b7de8829b30c",
     "url": "https://api.github.com/repos/nodejs/node/git/trees/d3f20ccfaa7b0919a7c5a472e344b7de8829b30c"
   },
-  "message": "stream: make null an invalid chunk to write in object mode\n\nthis harmonizes behavior between readable, writable, and transform\nstreams so that they all handle nulls in object mode the same way by\nconsidering them invalid chunks.\n\nPR-URL: https://github.com/nodejs/node/pull/6170\nReviewed-By: James M Snell <jasnell@gmail.com>\nReviewed-By: Matteo Collina <matteo.collina@gmail.com>",
+  "message": "stream: make null an invalid chunk to write in object mode\n\nthis harmonizes behavior between readable, writable, and transform\nstreams so that they all handle nulls in object mode the same way by\nconsidering them invalid chunks.\n\nSigned-off-by: Calvin Metcalf <cmetcalf@appgeo.com>\nPR-URL: https://github.com/nodejs/node/pull/6170\nReviewed-By: James M Snell <jasnell@gmail.com>\nReviewed-By: Matteo Collina <matteo.collina@gmail.com>",
   "parents": [
     {
       "sha": "ec2822adaad76b126b5cccdeaa1addf2376c9aa6",

test/fixtures/pr.json

@@ -12,7 +12,7 @@
         "email": "cmetcalf@appgeo.com",
         "date": "2016-04-13T16:33:55Z"
       },
-      "message": "stream: make null an invalid chunk to write in object mode\n\nthis harmonizes behavior between readable, writable, and transform\nstreams so that they all handle nulls in object mode the same way by\nconsidering them invalid chunks.\n\nPR-URL: https://github.com/nodejs/node/pull/6170\nReviewed-By: James M Snell <jasnell@gmail.com>\nReviewed-By: Matteo Collina <matteo.collina@gmail.com>",
+      "message": "stream: make null an invalid chunk to write in object mode\n\nthis harmonizes behavior between readable, writable, and transform\nstreams so that they all handle nulls in object mode the same way by\nconsidering them invalid chunks.\n\nSigned-off-by: Calvin Metcalf <cmetcalf@appgeo.com>\nPR-URL: https://github.com/nodejs/node/pull/6170\nReviewed-By: James M Snell <jasnell@gmail.com>\nReviewed-By: Matteo Collina <matteo.collina@gmail.com>",
       "tree": {
         "sha": "e4f9381fdd77d1fd38fe27a80dc43486ac732d48",
         "url": "https://api.github.com/repos/nodejs/node/git/trees/e4f9381fdd77d1fd38fe27a80dc43486ac732d48"