nudgebee · mayankpande88 · Jun 4, 2026
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
@@ -21,7 +21,7 @@ Fixes # (issue)
 
 # Checklist
 
-- [ ] Commits are signed off (`git commit -s`) per [DCO](https://developercertificate.org/)
+- [ ] CLA signed (the CLA bot will prompt on your first PR)
 - [ ] `make validate` passes (fmt + lint + test)
 - [ ] Docs updated if the wire shape, config surface, or proxy module behavior changed
 
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -48,32 +48,3 @@ jobs:
         run: |
           go install golang.org/x/vuln/cmd/govulncheck@v1.3.0
           govulncheck ./...
-
-  dco:
-    # Skip DCO for trusted GitHub bots; their commits don't include
-    # Signed-off-by trailers but are governed by the bot's own policy.
-    if: github.event.pull_request.user.login != 'dependabot[bot]'
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          fetch-depth: 0
-      - name: Verify DCO sign-off on all commits
-        env:
-          BASE: ${{ github.event.pull_request.base.sha }}
-          HEAD: ${{ github.event.pull_request.head.sha }}
-        run: |
-          unsigned=$(git log --no-merges --format='%H %s' "$BASE..$HEAD" \
-            | while read -r sha rest; do
-                if ! git log -1 --format='%B' "$sha" | grep -qE '^Signed-off-by: '; then
-                  echo "$sha $rest"
-                fi
-              done)
-          if [ -n "$unsigned" ]; then
-            echo "::error::Commits missing Signed-off-by trailer:"
-            echo "$unsigned"
-            echo
-            echo "Sign each commit with 'git commit -s'; amend the last commit with 'git commit -s --amend', or rebase to add sign-off retroactively."
-            exit 1
-          fi
-          echo "All commits signed off."
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -40,26 +40,12 @@ The `make validate` target runs all three.
 - **Update docs** when you change the wire shape, config surface, or
   proxy module behavior — see the relevant page under `docs/`.
 
-## DCO sign-off
+## Contributor License Agreement
 
-All commits must be signed off under the [Developer Certificate of
-Origin](https://developercertificate.org/). Add a sign-off line to every
-commit:
-
-```bash
-git commit -s -m "feat(proxy): add new datasource type"
-```
-
-This appends a `Signed-off-by: Your Name <you@example.com>` line to the
-commit message, confirming you have the right to submit the contribution
-under the project's license. Commits without a sign-off will be rejected
-by CI.
-
-To configure git to always include your sign-off:
-
-```bash
-git config --global format.signOff true
-```
+Before your contribution can be merged, you must sign the project's
+Contributor License Agreement (CLA). When you open your first PR, the CLA
+bot will comment with a link; follow it to sign. The check must pass before
+a maintainer can merge.
 
 ## Code conventions
 

diff --git a/README.md b/README.md
@@ -158,7 +158,7 @@ docker build -t forager .   # local Docker image (with Oracle support)
 ## Contributing
 
 PRs welcome. See [CONTRIBUTING.md](CONTRIBUTING.md) for the dev loop,
-PR guidelines, and the DCO sign-off requirement.
+PR guidelines, and the CLA requirement.
 
 ## Security