dcoapp / app

GitHub App that enforces the Developer Certificate of Origin (DCO) on Pull Requests
https://github.com/apps/dco
ISC License
299 stars, 75 forks

Allow non-verified commits by organization members #108

Closed mpreiner closed 5 years ago

mpreiner commented 5 years ago

In our organization we don't require verified commits by members, but we want to require signed-off commits by external contributors.

It would be great to add an option that allows non-verified commits by organization members. This would mean that the commit.verification.verified check in https://github.com/probot/dco/blob/master/lib/dco.js#L12 can be optionally disabled.

For example with the following config:

require:
  members: false
  members_verify: false

Or is there any specific reason why commits by organization members must be verified?

hiimbex commented 5 years ago

https://github.com/probot/dco#skipping-sign-off-for-organization-members

mpreiner commented 5 years ago

@hiimbex This still requires that the commits of organization members are signed with a GPG key, right? I configured it as described in your link, but the DCO check still fails for organization members with "Commit by organization member is not verified."

mpreiner commented 5 years ago

ping @hiimbex

hiimbex commented 5 years ago

My bad. I didn't add the feature, but getting a GPG key is a really easy workaround. PRs welcome though.

pombredanne commented 5 years ago

@mpreiner IMHO and FWIW this feels like a poor practice to require the DCO sometimes and not other times. Given the fact that this can be automated with a minimal git config, I cannot fathom why your own org would not sign off too. (And if I were to contribute to your code, it would not make a contributor feel great.)

stale[bot] commented 5 years ago

Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward?
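
The behaviour discussed in this thread, as an added sketch that is not the probot/dco source: members exempt from sign-off must still have a verified commit, because the git author field is set by whoever creates the commit and only a verified signature ties it to the member's account. `checkCommits`, `requireMembers` and the sample data are assumptions, `membersVerify` models the `members_verify` option proposed above (not an existing setting), and the sketch narrows the sign-off check to the presence of a `Signed-off-by:` trailer.

```javascript
// Added sketch, not the probot/dco code. Field names follow the GitHub
// commits API (commit.message, commit.verification.verified).
// `membersVerify` is the hypothetical option proposed in this issue.
const SIGNOFF = /^Signed-off-by: (.+) <(.+)>$/im;

function checkCommits(commits, { isMember, requireMembers = true, membersVerify = true }) {
  const failed = [];
  for (const { sha, commit, author } of commits) {
    if (SIGNOFF.test(commit.message)) continue; // trailer present: passes
    // Exemption applies only when configured and the author maps to a member.
    const exempt = !requireMembers && author && isMember(author.login);
    if (!exempt) {
      failed.push({ sha, reason: 'sign-off missing' }); // constructed message
    } else if (membersVerify && !commit.verification.verified) {
      // Without a verified signature the exemption rests on unauthenticated
      // author metadata, so the commit is rejected.
      failed.push({ sha, reason: 'Commit by organization member is not verified.' });
    }
  }
  return failed;
}

// Constructed sample data: alice is the only organization member.
const members = new Set(['alice']);
const commits = [
  { sha: 'c1', author: { login: 'alice' },
    commit: { message: 'Fix parser', verification: { verified: true } } },
  { sha: 'c2', author: { login: 'alice' },
    commit: { message: 'Tweak docs', verification: { verified: false } } },
  { sha: 'c3', author: { login: 'bob' },
    commit: { message: 'Add test\n\nSigned-off-by: Bob <bob@example.com>',
              verification: { verified: false } } },
  { sha: 'c4', author: { login: 'carol' },
    commit: { message: 'Typo', verification: { verified: false } } },
];

const isMember = (login) => members.has(login);
// Members exempt from sign-off, verification still enforced.
console.log(checkCommits(commits, { isMember, requireMembers: false }));
// Same, with the proposed option switched off: c2 is no longer flagged.
console.log(checkCommits(commits, { isMember, requireMembers: false, membersVerify: false }));
```

With verification enforced, the unsigned commit attributed to alice (`c2`) fails alongside carol's missing sign-off. With the proposed option off, any unsigned commit attributed to a member passes without sign-off.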