mpreiner closed 5 years ago
https://github.com/probot/dco#skipping-sign-off-for-organization-members
GitHub App that enforces the Developer Certificate of Origin (DCO) on Pull Requests - probot/dco
@hiimbex This still requires that the commits of organization members are signed with a GPG key, right? I configured it as described in your link, but the DCO check still fails for organization members with `Commit by organization member is not verified.`.
ping @hiimbex
My bad. I didn't add the feature, but getting a GPG key is a really easy workaround. PRs welcome though.
@mpreiner IMHO and FWIW this feels like a poor practice to require the DCO sometimes and not other times. Given the fact that this can be automated with a minimal git config, I cannot fathom why your own org would not sign off too. (And if I were to contribute to your code, it would not make a contributor feel great.)
Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward?
In our organization we don't require verified commits by members, but we want to require signed-off commits by external contributors.
It would be great to add an option that allows non-verified commits by organization members. This would mean that the `commit.verification.verified` check in https://github.com/probot/dco/blob/master/lib/dco.js#L12 can be optionally disabled. For example with the following config:
Or is there any specific reason why commits by organization members must be verified?
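
The decision this thread is about, as an added JavaScript example that is not probot/dco's own code: an exempt organization member's commit passes only when GitHub reports it as verified, and everyone else needs a `Signed-off-by` trailer matching the commit author. `checkCommit`, `membersExempt`, `allowUnverifiedMembers` and `sample` are hypothetical names, the commits are constructed, and the commit shape is assumed to follow GitHub's pull request commits REST response.

```javascript
// Added illustration; not the probot/dco source.
const SIGN_OFF = /^Signed-off-by: (.*) <(.*)>\s*$/gim;

// Extract every sign-off trailer in a commit message as {name, email}.
function signOffs(message) {
  return [...message.matchAll(SIGN_OFF)].map(([, name, email]) => ({ name, email }));
}

// opts.membersExempt: organization members may skip the sign-off.
// opts.allowUnverifiedMembers: hypothetical switch for the option requested in this thread.
function checkCommit(commit, isOrgMember, opts = {}) {
  const { author, message, verification } = commit.commit;
  if (isOrgMember && opts.membersExempt) {
    // Membership alone is not trusted: author metadata can be set freely,
    // so the exemption is tied to a verified signature.
    if (verification.verified || opts.allowUnverifiedMembers) return { ok: true };
    return { ok: false, reason: 'Commit by organization member is not verified.' };
  }
  const matched = signOffs(message).some(
    (s) => s.name === author.name && s.email.toLowerCase() === author.email.toLowerCase()
  );
  return matched ? { ok: true } : { ok: false, reason: 'Missing or mismatched Signed-off-by' };
}

// Constructed sample commit in the assumed REST shape.
function sample(name, email, message, verified) {
  return { commit: { author: { name, email }, message, verification: { verified } } };
}

const external = sample('Ada Example', 'ada@example.com',
  'Fix parser\n\nSigned-off-by: Ada Example <ada@example.com>', false);
const member = sample('Bo Member', 'bo@example.org', 'Bump version', false);

console.log(checkCommit(external, false));                     // signed off, passes
console.log(checkCommit(member, true, { membersExempt: true })); // unverified, fails
console.log(checkCommit(member, true,
  { membersExempt: true, allowUnverifiedMembers: true }));      // requested behaviour
```

With `allowUnverifiedMembers` set, the only evidence left for the exemption is the author identity recorded in the commit, which is what the verified-signature requirement was protecting.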