BCDevOps / devops-requests

This repository is used to track the DevOps requests for the platform services team.

Migrate CDT repositories from the DCO app to the DCO-2 app #1715

Open WadeBarnes opened 1 month ago

WadeBarnes commented 1 month ago

Request from the Cyber Security and Digital Trust (CDT) Team:

The CDT team utilizes dcoapp/app to enforce DCO sign-off on all commits. This is in place due to our heavy involvement with groups within the Linux Foundation, such as Linux Foundation Decentralized Trust (Hyperledger), the Open Wallet Foundation, and the Trust Over IP Foundation, along with many other open source groups such as the Decentralized Identity Foundation. We frequently contribute code and entire projects to these organizations and they enforce DCO sign-off, so we follow suit.

The dcoapp/app has not been maintained in some time and the Cloud Native Computing Foundation (CNCF) has created the DCO-2 app as a replacement.

We'd like the assistance of the Developer Experience team to migrate from DCO to DCO-2. The approach taken by the Linux Foundation is to enable DCO-2 alongside DCO, with the plan to then remove DCO once DCO-2 is deemed working.

The DCO app is currently enabled on a repo by repo basis so as not to overwhelm other BC Gov teams with the DCO requirements (although relatively trivial). As such we do not have direct access to the configuration and therefore require organization owner assistance.

Personally, I think it would be a good idea to enable the DCO-2 app organization-wide, but that would require other teams to get used to adding the DCO sign-off (-s or --signoff, which can be automated) to their commits. DCO sign-off should not be confused with digitally signing (-S or --gpg-sign) commits with a GPG signing key; they are functionally very different. DCO does not require a GPG signing key. I think the legal intent of DCO sign-off would be beneficial to BC Government projects.
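
Added example, not part of the issue thread and not code from either DCO app: a simplified sketch of a sign-off check, under the assumption that a commit passes when it carries a `Signed-off-by:` trailer matching the commit author. The commits are constructed; they show that a GPG-signed commit without the trailer still fails, while a signed-off commit with no GPG signature passes.

```python
import re
from dataclasses import dataclass

# Trailer appended by `git commit -s` / `--signoff`.
SIGNOFF_RE = re.compile(
    r"^Signed-off-by:[ \t]*(?P<name>.+?)[ \t]*<(?P<email>[^<>]+)>[ \t]*$",
    re.IGNORECASE | re.MULTILINE,
)

@dataclass
class Commit:
    sha: str           # constructed placeholder id
    author_name: str
    author_email: str
    message: str
    gpg_signed: bool   # result of `-S` / `--gpg-sign`; never consulted below

def signoffs(message):
    """Return (name, lower-cased email) for every Signed-off-by trailer."""
    return [(m["name"].strip(), m["email"].strip().lower())
            for m in SIGNOFF_RE.finditer(message)]

def dco_ok(commit):
    """Assumed rule: one trailer must match the author's name and email."""
    want = (commit.author_name.strip(), commit.author_email.strip().lower())
    return want in signoffs(commit.message)

def check_pr(commits):
    """Return the shas of commits that would fail the sign-off check."""
    return [c.sha for c in commits if not dco_ok(c)]

# Constructed sample pull request.
SAMPLE_PR = [
    Commit("aaa1111", "Alex Dev", "alex@example.com",
           "Fix parser\n\nSigned-off-by: Alex Dev <alex@example.com>\n", False),
    Commit("bbb2222", "Alex Dev", "alex@example.com",
           "Add tests\n", True),    # GPG-signed, but no sign-off trailer
    Commit("ccc3333", "Alex Dev", "alex@example.com",
           "Update docs\n\nSigned-off-by: Sam Other <sam@example.com>\n", False),
]

if __name__ == "__main__":
    for sha in check_pr(SAMPLE_PR):
        print(f"{sha}: missing or mismatched Signed-off-by")
```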

WadeBarnes commented 1 month ago

cc @esune

MonicaG commented 1 month ago

Thanks @WadeBarnes. I've created a Jira ticket for myself so I can schedule time for this in our upcoming sprint.

WadeBarnes commented 2 weeks ago

DCO-2 has been installed on the CDT repositories. Similar to DCO, it needs to run once before it can be selected as a requirement in the branch protection rules. The following list will be used as a checklist to indicate which repositories have been migrated to DCO-2.

Affected repositories:

cc @esune, @i5okie, @loneil, @swcurran, @cvarjao, @jleach

WadeBarnes commented 2 weeks ago

Thanks for getting this done @MonicaG! Did I miss any repos in the list above?

MonicaG commented 2 weeks ago

@WadeBarnes, The following repos also have DCO2 installed on them:

WadeBarnes commented 2 weeks ago

Thanks, I've updated the check-list.

WadeBarnes commented 1 week ago

A quick note to the CDT team members helping out with the migration. Both DCO and DCO-2 will run on PRs until DCO is finally uninstalled from the repo. Switching from DCO to DCO-2 in the required checks of the branch protection rules is the key to the migration. However, switching to DCO-2 for the required check does not turn off DCO. It will continue to run until uninstalled, which is perfectly fine.


cc @loneil @esune

WadeBarnes commented 1 week ago

I made a pass on the list above and marked off the ones that were either already switched to require DCO-2 or were set to DCO from any source (which would accept DCO or DCO-2).

With the remaining repos, we'll need to trigger a PR so DCO-2 runs and becomes available in the required checks list, or I don't have admin access to the repo so I'm unable to even check the settings (such is the case with bcgov/aries-oca-explorer, bcgov/bc-wallet-mobile, bcgov/indy-vdr-proxy-server, and bcgov/mobile-attestation-vc-controller). @jleach, @cvarjao, are you able to update the repos I can't access, please?

cc @esune, @i5okie, @loneil, @swcurran, @cvarjao, @jleach