diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
index ea3f65e..322b018 100644
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -21,7 +21,7 @@ Fixes # (issue)
 # Checklist
-- [ ] Commits are signed off (`git commit -s`) per [DCO](https://developercertificate.org/)
+- [ ] CLA signed (the CLA bot will prompt on your first PR)
 - [ ] `make validate` passes (fmt + lint + test)
 - [ ] Docs updated if the wire shape, config surface, or proxy module behavior changed
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 52bd01a..35eaa2b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -48,32 +48,3 @@ jobs:
 run: |
 go install golang.org/x/vuln/cmd/govulncheck@v1.3.0
 govulncheck ./...
-
- dco:
- # Skip DCO for trusted GitHub bots; their commits don't include
- # Signed-off-by trailers but are governed by the bot's own policy.
- if: github.event.pull_request.user.login != 'dependabot[bot]'
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- with:
- fetch-depth: 0
- - name: Verify DCO sign-off on all commits
- env:
- BASE: ${{ github.event.pull_request.base.sha }}
- HEAD: ${{ github.event.pull_request.head.sha }}
- run: |
- unsigned=$(git log --no-merges --format='%H %s' "$BASE..$HEAD" \
- | while read -r sha rest; do
- if ! git log -1 --format='%B' "$sha" | grep -qE '^Signed-off-by: '; then
- echo "$sha $rest"
- fi
- done)
- if [ -n "$unsigned" ]; then
- echo "::error::Commits missing Signed-off-by trailer:"
- echo "$unsigned"
- echo
- echo "Sign each commit with 'git commit -s'; amend the last commit with 'git commit -s --amend', or rebase to add sign-off retroactively."
- exit 1
- fi
- echo "All commits signed off."
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index dd2ac75..6250a44 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -40,26 +40,12 @@ The `make validate` target runs all three.
 - **Update docs** when you change the wire shape, config surface, or proxy module behavior — see the relevant page under `docs/`.
-## DCO sign-off
+## Contributor License Agreement
-All commits must be signed off under the [Developer Certificate of
-Origin](https://developercertificate.org/). Add a sign-off line to every
-commit:
-
-```bash
-git commit -s -m "feat(proxy): add new datasource type"
-```
-
-This appends a `Signed-off-by: Your Name ` line to the
-commit message, confirming you have the right to submit the contribution
-under the project's license. Commits without a sign-off will be rejected
-by CI.
-
-To configure git to always include your sign-off:
-
-```bash
-git config --global format.signOff true
-```
+Before your contribution can be merged, you must sign the project's
+Contributor License Agreement (CLA). When you open your first PR, the CLA
+bot will comment with a link; follow it to sign. The check must pass before
+a maintainer can merge.
 ## Code conventions
diff --git a/README.md b/README.md
index 46f75d1..6975875 100644
--- a/README.md
+++ b/README.md
@@ -158,7 +158,7 @@ docker build -t forager . # local Docker image (with Oracle support)
 ## Contributing
 PRs welcome. See [CONTRIBUTING.md](CONTRIBUTING.md) for the dev loop,
-PR guidelines, and the DCO sign-off requirement.
+PR guidelines, and the CLA requirement.
 ## Security