Closed WadeBarnes closed 6 days ago
cc @esune
Thanks @WadeBarnes I've created a Jira ticket for myself so I can schedule time for this in our upcoming sprint.
DOC-2 has been installed on the CDT repositories. Similar to DCO, it needs to run once before it can be selected as a requirement in the branch protection rules. The following list will be used as a checklist to indicate which repositories have been migrated to DCO-2.
Affected repositories:
cc @esune, @i5okie, @loneil, @swcurran, @cvarjao, @jleach
Thanks for getting this done @MonicaG! Did I miss any repos in the list above?
@WadeBarnes, The following repos also have DCO2 installed on them:
Thanks, I've updated the check-list.
A quick note to the CDT team members helping out with the migration. Both DCO
and DCO-2
will run on PRs until DCO
is finally uninstalled from the repo. Switching from DCO
to DCO-2
in the required checks of the branch protection rules is the key to the migration. However, switching to DCO-2
for the required check does not turn off DCO
. It will continue to run until uninstalled, which is perfectly fine.
cc @loneil @esune
I made a pass on the list above and marked off the ones that were either already switched to require DCO-2
or were set to DCO from any source
(which would accept DCO
or DCO-2
).
With the remaining repos, we'll need to trigger a PR so DCO-2
runs and becomes available in the required checks list, or I don't have admin access to the repo so I'm unable to even check the settings (such is the case with bcgov/aries-oca-explorer
, bcgov/bc-wallet-mobile
, bcgov/indy-vdr-proxy-server
, and bcgov/mobile-attestation-vc-controller
). @jleach, @cvarjao, are you able to update the repos I can't access, please?
cc @esune, @i5okie, @loneil, @swcurran, @cvarjao, @jleach
Hi,
@WadeBarnes, just wondering if you have a status update on this. Do you have an ETA on when I should remove the DCO app?
Thanks! Monica
@esune, @i5okie, @loneil, @swcurran, @cvarjao, @jleach, are you folks able to complete the migration on the repos you have admin access to please. I've done what I can.
The checklist is here; https://github.com/BCDevOps/devops-requests/issues/1715#issuecomment-2427116171
I made a pass on the list above and marked off the ones that were either already switched to require
DCO-2
or were set toDCO from any source
(which would acceptDCO
orDCO-2
).With the remaining repos, we'll need to trigger a PR so
DCO-2
runs and becomes available in the required checks list, or I don't have admin access to the repo so I'm unable to even check the settings (such is the case withbcgov/aries-oca-explorer
,bcgov/bc-wallet-mobile
,bcgov/indy-vdr-proxy-server
, andbcgov/mobile-attestation-vc-controller
). @jleach, @cvarjao, are you able to update the repos I can't access, please?cc @esune, @i5okie, @loneil, @swcurran, @cvarjao, @jleach
@WadeBarnes These are done:
I've updated all repos other than https://github.com/bcgov/aries-oca-explorer. I don't have access to the settings for this repo. @amanji, @swcurran when you have a moment could you check if you have admin access and if so add the von-admin user group to the project as an Admin. I can take it from there.
For future reference the following command, courtesy of @jleach, combined with a temporary PR to the repo is a good way to trigger the DCO scanning.
git commit -m "fix: noop to trigger dco-2" -s --no-verif --allow-empty
Confirmed using the sample command above. DCO-2 status is now checked in aries-oca-explorer
@MonicaG, The migration is complete, you can remove the DCO app anytime.
Thanks!
@WadeBarnes - Thanks! I have removed the DCO app.
Cheers!
Monica
Request from the Cyber Security and Digital Trust (CDT) Team:
The CDT team utilizes dcoapp/app to enforce DCO sign-off on all commits. This is in place due to our heavy involvement with groups within the Linux Foundation, such as Linux Foundation Decentralized Trust (Hyperledger), the Open Wallet Foundation, and the Trust Over IP Foundation along with many other open source groups such as the Decentralized Identity Foundation. We frequently contribute code and entire projects to these organizations and they enforce DCO sign-off, so we follow suite.
The dcoapp/app has not been maintained in some time and the Cloud Native Computing Foundation (CNCF) has created the DCO-2 app as a replacement.
We'd like the assistance of the Developer Experience team to migrate from DCO, to DCO-2. The approach taken by the Linux Foundation is to enable DCO-2 alongside DCO, with the plan to then remove DCO once DCO-2 is deemed working.
The DCO app is currently enabled on a repo by repo basis so as not to overwhelm other BC Gov teams with the DCO requirements (although relatively trivial). As such we do not have direct access to the configuration and therefore require organization owner assistance.
Personally I think it would be a good idea to enable the DCO-2 app organization wide, but that would require other teams to get used to adding the DCO sign-off (
-s
or--signoff
, which can be automated) to their commits. DCO sign-off should not be confused with digitally signing (-S
or--gpg-sign
) commits with a gpg signing key, they are functionally very different. DCO does not require a gpg signing key. I think the legal intent of DCO sign-off would be beneficial to BC Government projects.