Closed bjhargrave closed 2 months ago
@bjhargrave overall looks good but why was the DCO check removed?
> why was the DCO check removed
@nathan-weinberg It is not removing the DCO check. That config permitted org members to skip the Signed-off-by in their commit messages. I don't think we want that anymore. It was part of the initial commit for this repo to get things going.
https://github.com/dcoapp/app/blob/main/README.md#skipping-sign-off-for-organization-members
We use SHAs instead of tag names to refer to action versions. Dependabot will help us manage the SHAs.
Update permissions to minimum necessary.
Add harden-runner to monitor egress of action. After some time, we can tighten the egress to limit hosts/ports.
We also update the maintainers script to generate markdown which passes markdownlint checking.
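A minimal check for the three hardening points listed in this change (full-SHA action pins, an explicit permissions block, a harden-runner step), added here as an example; it is not code from this pull request. The workflow text is constructed, its SHA is a placeholder, and the line-based parsing is a simplification that assumes conventional YAML layout.

```python
import re

# Constructed sample workflow (not from the repository under discussion).
# The 40-character value is a placeholder, not a real commit SHA.
SAMPLE = """\
name: ci
on: [pull_request]
permissions:
  contents: read
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@0000000000000000000000000000000000000000 # vX.Y.Z
        with:
          egress-policy: audit
      - uses: actions/checkout@v4
      - uses: ./.github/actions/local
"""

USES = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text):
    """Return (line_number, message) findings; line 0 means file-level."""
    lines = text.splitlines()
    findings = []
    # Simplification: any permissions key (workflow- or job-level) counts.
    if not any(re.match(r"^\s*permissions:", l) for l in lines):
        findings.append((0, "no permissions block; token gets the repository default"))
    hardened = False
    for n, line in enumerate(lines, 1):
        m = USES.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue  # local actions and container images are not checked here
        name, _, version = ref.partition("@")
        if name.lower() == "step-security/harden-runner":
            hardened = True
        if not FULL_SHA.match(version):
            findings.append((n, f"{name} uses mutable ref '{version}', not a full commit SHA"))
    if not hardened:
        findings.append((0, "no step-security/harden-runner step in this workflow"))
    return findings
```

Running `audit_workflow(SAMPLE)` flags only the tag-pinned `actions/checkout` step on line 12.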