build: establish DCO sign-off requirement for all contributions#1914
Open
pjbgf wants to merge 2 commits intogo-git:mainfrom
Open
build: establish DCO sign-off requirement for all contributions#1914pjbgf wants to merge 2 commits intogo-git:mainfrom
pjbgf wants to merge 2 commits intogo-git:mainfrom
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
Adds a Developer Certificate of Origin (DCO) sign-off requirement to strengthen contribution provenance and IP hygiene, enforced via PR validation and documented for contributors.
Changes:
- Document the DCO sign-off requirement and how to apply it in
CONTRIBUTING.md. - Add a GitHub Actions job to fail PR validation when any PR commit is missing a
Signed-off-by:trailer.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
CONTRIBUTING.md |
Documents the DCO requirement and provides contributor instructions for signing off commits. |
.github/workflows/pr-validation.yml |
Adds a PR CI job that checks each PR commit message for a Signed-off-by: line. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Introduce a Developer Certificate of Origin (DCO) check into the PR validation workflow and document the process in CONTRIBUTING.md. Open source projects depend on clear provenance for every line of code they accept. Without it, the project and its users are exposed to potential IP disputes — a contributor could later claim their employer owned the code, or that it was derived from an incompatible source. The DCO (https://developercertificate.org/) is the lightweight, widely-adopted answer to this: by adding a Signed-off-by trailer to each commit, contributors certify in writing that they have the right to submit the work under the project's license (Apache 2.0). This is particularly important as go-git grows in adoption. Downstream users — especially those in regulated industries or with strict supply chain policies — need confidence that the project has proper IP hygiene. Many ecosystems (Linux kernel, CNCF projects) already require this as a baseline. Signed-off-by: Paulo Gomes <pjbgf@linux.com> Assisted-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Introduce a Developer Certificate of Origin (DCO) check into the PR validation workflow and document the process in CONTRIBUTING.md.
Open source projects depend on clear provenance for every line of code they accept. Without it, the project and its users are exposed to potential IP disputes — a contributor could later claim their employer owned the code, or that it was derived from an incompatible source. The DCO (https://developercertificate.org/) is the lightweight, widely-adopted answer to this: by adding a Signed-off-by trailer to each commit, contributors certify in writing that they have the right to submit the work under the project's license (Apache 2.0).
This is particularly important as go-git grows in adoption. Downstream users — especially those in regulated industries or with strict supply chain policies — need confidence that the project has proper IP hygiene. Many ecosystems (Linux kernel, CNCF projects) already require this as a baseline.