Skip to content

Commit 24f6c1f

Browse files
nullvariantclaude
andauthored
ci(dco): add DCO enforcement workflow (#425)
* ci(dco): add DCO enforcement workflow ## Summary Add Developer Certificate of Origin (DCO) check for all pull requests using dco-check (PyPI) with SHA-pinned actions and hash-verified pip install. ## Changes - Add .github/workflows/dco.yml with dco-check==0.5.0 (hash-pinned) - Add DCO section to CONTRIBUTING.md with sign-off instructions - Add --signoff requirement to AGENTS.md Key Constraints Signed-off-by: Null;Variant <null@nullvariant.com> 🖥️ IDE: [Cursor](https://cursor.sh) 🔌 Extension: [Claude Code](https://claude.ai/download) Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Model-Raw: claude-opus-4-6 * fix(ci): use requirements file for pip hash verification ## Summary Fix DCO Check workflow failure. pip's --hash option is only available via requirements files, not as a CLI argument. ## Changes - Write requirements to temp file with hash, then install via -r flag Signed-off-by: Null;Variant <null@nullvariant.com> 🖥️ IDE: [Cursor](https://cursor.sh) 🔌 Extension: [Claude Code](https://claude.ai/download) Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Model-Raw: claude-opus-4-6 * fix(ci): add GITHUB_TOKEN env for dco-check ## Summary dco-check requires GITHUB_TOKEN to fetch PR commit data via GitHub API. ## Changes - Add GITHUB_TOKEN env to Run DCO Check step Signed-off-by: Null;Variant <null@nullvariant.com> 🖥️ IDE: [Cursor](https://cursor.sh) 🔌 Extension: [Claude Code](https://claude.ai/download) Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Model-Raw: claude-opus-4-6 --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
1 parent 2abbe92 commit 24f6c1f

4 files changed

Lines changed: 74 additions & 4 deletions

File tree

.github/workflows/dco.yml

Lines changed: 39 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,39 @@
1+
name: DCO
2+
3+
on:
4+
pull_request:
5+
branches:
6+
- main
7+
8+
permissions: {}
9+
10+
jobs:
11+
dco:
12+
name: DCO Check
13+
runs-on: ubuntu-latest
14+
permissions:
15+
contents: read
16+
17+
steps:
18+
- name: Harden Runner
19+
uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
20+
with:
21+
egress-policy: audit
22+
23+
- name: Checkout
24+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
25+
with:
26+
fetch-depth: 0
27+
28+
- name: Setup Python
29+
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
30+
with:
31+
python-version: "3.12"
32+
33+
- name: Run DCO Check
34+
env:
35+
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
36+
run: |
37+
echo 'dco-check==0.5.0 --hash=sha256:3c027d2d47b5cbb03f7e2a25ec8ffb56d8a33c49563c8fcd2cef443ebf3cff0d' > /tmp/requirements-dco.txt
38+
pip install --require-hashes --no-deps -r /tmp/requirements-dco.txt
39+
dco-check

AGENTS.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -12,6 +12,7 @@ VS Code extensions monorepo. Primary extension: **Git ID Switcher** — manages
1212
4. Do not make security constants user-configurable — hardcoded security values are by design.
1313
5. Do not add features outside the current scope (e.g., GitHub API integration).
1414
6. Minimize dependencies — add only when genuinely needed and not replaceable by existing tools.
15+
7. Include `--signoff` flag on all commits (DCO requirement).
1516

1617
## Branch Protection
1718

CONTRIBUTING.md

Lines changed: 32 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -13,16 +13,46 @@ The `main` branch is protected with the following rules:
1313

1414
> **Note for contributors**: You don't need to GPG-sign your commits. The maintainer will handle signing when merging your PR.
1515
16+
## Developer Certificate of Origin (DCO)
17+
18+
This project requires all contributors to sign off their commits, certifying that they have the right to submit the code under the project's license. This is enforced via the [Developer Certificate of Origin](https://developercertificate.org/).
19+
20+
### How to sign off
21+
22+
Add `--signoff` (or `-s`) to your `git commit` command:
23+
24+
```bash
25+
git commit --signoff -m "feat: add new feature"
26+
```
27+
28+
This adds a `Signed-off-by` line to your commit message:
29+
30+
```text
31+
feat: add new feature
32+
33+
Signed-off-by: Your Name <your.email@example.com>
34+
```
35+
36+
### What you are certifying
37+
38+
By signing off, you certify the [Developer Certificate of Origin v1.1](https://developercertificate.org/) (full text at the link). Key points:
39+
40+
- The contribution is your original work, or you have the right to pass it on
41+
- You have the right to submit it under the project's open source license
42+
- You understand the contribution is public and a record of it is maintained indefinitely
43+
44+
> **Note**: If you forget `--signoff`, the DCO check on your PR will fail. You can fix existing commits with `git commit --amend --signoff` or `git rebase --signoff HEAD~N`.
45+
1646
## Getting Started
1747

1848
1. Fork the repository
1949
2. Clone your fork
2050
3. Create a feature branch: `git checkout -b feature/my-feature`
2151
4. Make your changes
22-
5. Commit with a descriptive message
52+
5. Commit with `--signoff`: `git commit --signoff -m "feat: description"`
2353
6. Push to your fork
2454
7. Open a Pull Request
25-
8. Wait for CI checks to pass, then a maintainer will merge
55+
8. Wait for CI checks to pass (including DCO), then a maintainer will merge
2656

2757
## Development Setup
2858

extensions/git-id-switcher/src/ui/documentationInternal.ts

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -22,9 +22,9 @@
2222
* Unknown paths or hash mismatches result in content rejection.
2323
*/
2424
export const DOCUMENT_HASHES: Record<string, string> = {
25-
'AGENTS.md': '5576e35cba6912b02c0bc5e7f51fc15a2a6e5f125e68cc7a6a450cdddc5e5ca5',
25+
'AGENTS.md': 'c4918e12fd7900bfc41e708992ebc4b7326600ce9327e8020a986fe4dd807f8d',
2626
'CODE_OF_CONDUCT.md': 'a0e9cb2e004663cdedef4e1adc0e429417ccfc479e367cbc17b869f62ae759d2',
27-
'CONTRIBUTING.md': '86390ee951cf08f616d75f35c0746f0005be6aee29b1a3abb5745ffb823914fb',
27+
'CONTRIBUTING.md': 'ed4d1f391ffe04e3031dfc9f16fd8fd5dcd54ba23af3b3202c07adac5ba23da7',
2828
'extensions/git-id-switcher/CHANGELOG.md': 'b11d9b619f23b9e55c31302b9a55f455ade9c58f65ce485b0d6ae4ddeb289e7a',
2929
'extensions/git-id-switcher/docs/ARCHITECTURE.md': 'db6ba2f7809b2c7aa831eda3a4b9bb80521577e4e267c7b6ccad17ffba847548',
3030
'extensions/git-id-switcher/docs/CONTRIBUTING.md': '7d6ad2bc4d8c838790754cb9df848cb65f9fdce7e1a13e5c965b83a3d5b6378c',

0 commit comments

Comments
 (0)