todogroup / gh-issues

A curated set of issues related to GitHub and running corporate scale open source
http://todogroup.org

DCO (signed-off-by) in commits via web ui #50

Closed caniszczyk closed 2 years ago

caniszczyk commented 7 years ago

When you use the web ui in GitHub, there's no option to do the equivalent of (git commit -s) which is required as part of adhering to the DCO. The GitHub web ui should support this workflow :)

davidstaheli commented 2 years ago

@lizrice, @bwplotka, @leecalcote, @scheeles, @stormi, @bfirsh, this is now enabled where you requested. It's a very early prototype with enhancements coming soon. Feedback is always welcome!

@amzn-changml, the current plan for PR suggestions -- and we'd love to hear any suggestions -- is that when someone adds a PR comment suggestion, they'll be signing off even though no commit has been created yet. Later, when someone (e.g. the PR author) comes along and commits the suggestion, they'll be signing off themselves, but a 2nd signoff line will be added to the commit message for the person who made the suggestion.

amzn-changml commented 2 years ago

> @amzn-changml, the current plan for PR suggestions -- and we'd love to hear any suggestions -- is that when someone adds a PR comment suggestion, they'll be signing off even though no commit has been created yet. Later, when someone (e.g. the PR author) comes along and commits the suggestion, they'll be signing off themselves, but a 2nd signoff line will be added to the commit message for the person who made the suggestion.

That seems reasonable and in-line with known conventions. Just to confirm, it'll look something like this?

Signed off by: <author@foo.org>
Suggested by: <suggester@bar.org>

davidstaheli commented 2 years ago

@amzn-changml, thanks for the helpful link to those conventions. This is where we have some options. Based on definitions of trailers below, we're leaning toward using Co-authored-by: instead of Suggested-by: for suggesters. This is because Suggested-by: could indicate that the suggester just shared an idea, rather than provided actual content changes. Would love to know what you/others think.

Suggested-by:

A Suggested-by: tag indicates that the patch idea is suggested by the person named and ensures credit to the person for the idea. Please note that this tag should not be added without the reporter's permission, especially if the idea was not posted in a public forum. (source)

Co-Authored-By:

We encourage the use of Co-Authored-By: name <name@example.com> in commit messages to indicate people who worked on a particular patch. It's a convention for recognizing multiple authors, and our projects would encourage the stats tools to observe it when collecting statistics. (source)

Signed-off-by:

The Signed-off-by: tag indicates that the signer was involved in the development of the patch, or that he/she was in the patch's delivery path. (source)

amzn-changml commented 2 years ago

I can agree with the use of Co-authored-by:. It seems that this is also recognized in the commit UI, so that can be helpful with contribution metrics, if there's distinction.

scottrigby commented 2 years ago

Hello! 👋 Excited to see this. For the past 4 years, folks in the Helm community (and some others in LF/CNCF) have been using this little DCO GitHub UI browser extension I wrote for chrome & firefox: https://github.com/scottrigby/dco-gh-ui/. This workaround is more of a convenience for individual users than an actual solution.

A native feature for GitHub would be SO much better, allowing maintainers to enforce DCO as a policy per project/org, as opposed to an extension like this that each user needs to install in their browser. I'd be very happy to archive that extension in favor of a native GitHub feature ❤️

@davidstaheli could we please enable preview for https://github.com/open-gitops, https://github.com/fluxcd, and https://github.com/helm orgs?

stormi commented 2 years ago

So, I like that we can have DCO added automatically to commits made with the web UI. Now I don't know how to handle users who hide their e-mail address and real name, as this goes against the principles of DCO:

Signed-off-by: loginname loginname@users.noreply.github.com.

Should we envision an option that would allow an organisation to enforce the use of an actual e-mail address?
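The trailer questions raised in this thread (who must carry a Signed-off-by line, how suggesters are credited with Co-authored-by, and whether users.noreply.github.com addresses are acceptable) can be checked mechanically. The following is an added example, not part of the thread and not GitHub's implementation; the function names, the rule that every co-author must also sign off, and the sample commits are assumptions made for illustration.

```python
import re

# "Token: Name <email>", the shape `git commit -s` writes.
TRAILER = re.compile(
    r"^(Signed-off-by|Co-authored-by):\s*(.*?)\s*<([^<>\s]+@[^<>\s]+)>\s*$", re.I)
NOREPLY_DOMAIN = "users.noreply.github.com"

def parse_trailers(message):
    """Return (token, name, email) tuples from the final paragraph of a message."""
    paragraphs = [p for p in message.strip().split("\n\n") if p.strip()]
    if len(paragraphs) < 2:  # subject line only, so there is no trailer block
        return []
    found = []
    for line in paragraphs[-1].splitlines():
        m = TRAILER.match(line.strip())
        if m:
            found.append((m.group(1).lower(), m.group(2), m.group(3).lower()))
    return found

def check_dco(author_email, message, allow_noreply=False):
    """Return a list of policy problems; an empty list means the commit passes."""
    trailers = parse_trailers(message)
    signers = {email for token, _, email in trailers if token == "signed-off-by"}
    problems = []
    if author_email.lower() not in signers:
        problems.append("author has no Signed-off-by trailer")
    # Assumed policy: anyone credited with Co-authored-by must also sign off.
    for token, _, email in trailers:
        if token == "co-authored-by" and email not in signers:
            problems.append(f"co-author {email} has not signed off")
    if not allow_noreply:
        for email in sorted(signers):
            if email.endswith("@" + NOREPLY_DOMAIN):
                problems.append(f"sign-off uses hidden address {email}")
    return problems

# Constructed sample commits: (author email, commit message).
SUGGESTION_OK = ("author@foo.org", "Apply review suggestion\n\n"
                 "Signed-off-by: A. Author <author@foo.org>\n"
                 "Signed-off-by: S. Suggester <suggester@bar.org>\n"
                 "Co-authored-by: S. Suggester <suggester@bar.org>")
HIDDEN = ("loginname@users.noreply.github.com", "Update README\n\n"
          "Signed-off-by: loginname <loginname@users.noreply.github.com>")
UNSIGNED = ("author@foo.org", "Apply review suggestion\n\nTighten wording.\n\n"
            "Co-authored-by: S. Suggester <suggester@bar.org>")

if __name__ == "__main__":
    for name, (author, msg) in [("ok", SUGGESTION_OK), ("hidden", HIDDEN),
                                ("unsigned", UNSIGNED)]:
        print(name, check_dco(author, msg) or "passes")
```

Passing `allow_noreply=True` models a project that accepts hidden addresses; the default treats them as a policy failure, which is the stricter option asked about above.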

ryjones commented 2 years ago

@stormi

> Should we envision an option that would allow an organisation to enforce the use of an actual e-mail address?

please and thank you

ryjones commented 2 years ago

@davidstaheli please enable for these orgs (you should be able to verify my ownership):

davidstaheli commented 2 years ago

Apologies for the long delay.

qnetter commented 2 years ago

How about for goharbor?

jpadams commented 2 years ago

@davidstaheli congrats on shipping this feature! 🚢 🎉 I was a supporter when I was at GitHub. We'd love to have the option to trial it at https://github.com/dagger where we use DCO for our open source contribs. Great work team!

ghost commented 2 years ago

@davidstaheli We're currently evaluating the use of a DCO on two organizations. Would you be able to add the preview feature to:

https://github.com/containerssh https://github.com/chaos-kubox

Thanks a bunch for working on this!

stormi commented 2 years ago

@davidstaheli This is probably already in the pipe, but one will need to be able to choose which email to sign off commit suggestions with, in PRs. Currently I don't think you can.

caniszczyk commented 2 years ago

@davidstaheli can you add github.com/cncf to this list too

samj1912 commented 2 years ago

@davidstaheli https://github.com/buildpacks and https://github.com/kyverno would also greatly benefit from an early preview of this feature. It would be great if you could enable it for these organizations as well :)

This is a game-changing feature for almost all of the CNCF projects! (most of them require DCO sign-off)

ashleywolf commented 2 years ago

@caniszczyk

> @davidstaheli can you add github.com/cncf to this list too

Added

caniszczyk commented 2 years ago

Thank you, this feature is great!

On Mon, Jun 6, 2022 at 3:49 PM Ashley Wolf @.***> wrote:

> > @davidstaheli https://github.com/davidstaheli can you add github.com/cncf to this list too
>
> Added

-- Cheers,

Chris Aniszczyk https://aniszczyk.org

ashleywolf commented 2 years ago

> @davidstaheli https://github.com/buildpacks and https://github.com/kyverno would also greatly benefit from an early preview of this feature. It would be great if you could enable it for these organizations as well :)
>
> This is a game-changing feature for almost all of the CNCF projects! (most of them require DCO sign-off)

@samj1912 added 👍

ryjones commented 2 years ago

Thank you, Ashley. This is great!

davidstaheli commented 2 years ago

So sorry for the big delay while I've been away for 2 weeks. Thanks for helping with these, @ashleywolf! I'll enable this for any that remain on Tuesday, June 7. We also plan to ship the feature publicly - so it will be enabled for everyone - on Wednesday, June 8.

davidstaheli commented 2 years ago

The DCO signoff feature is newly available to the following organizations. Thanks for your patience! See directions below for enabling the feature. It should release publicly (to everyone) tomorrow, Wednesday, June 8.

How to enable required signoffs for an organization

Organization owners can configure an organization-level setting to require sign off on commits made through the web interface. To do so, click Settings in an organization that you are an owner of. Next, in the navigation under Code, planning, and automation, select Repository and then Repository defaults. Finally, under Commit signoff choose All repositories to require sign off on web-based commits in all repositories in the organization, as shown below. Alternatively, select No policy to disable the setting so that sign off will not be required unless enabled at the repository level.

[image: GitHub's organization-level setting for requiring sign off on commits made in the web interface]

How to enable required signoffs for a repository

Repository admins can toggle a similar repository-level setting. To do so, click Settings in a repository that you are an admin of. Next, select General (the default, top-most tab). Then toggle the setting named Require contributors to sign off on web-based commits as shown below. This setting will be overridden by the organization-level setting unless the organization has No policy selected.

[image: GitHub's repository-level setting for requiring sign off on commits made in the web interface]

caniszczyk commented 2 years ago

Thank you so much, I really appreciate this happening!

-- Cheers,

Chris Aniszczyk https://aniszczyk.org

ghost commented 2 years ago

Thanks a bunch for all your work! 🙏🏻

gbartolini commented 2 years ago

Fantastico! Thanks!

caniszczyk commented 2 years ago

@davidstaheli will there be a GitHub blog post or changelog entry to link to?

davidstaheli commented 2 years ago

Hi, @caniszczyk! Yes, I'll publish an extra-long changelog right when the feature goes live for everyone. It should appear at the URL below. And I'll do my best to post an update here when it happens.

caniszczyk commented 2 years ago

Awesome thank you!

Blog post is live!

https://github.blog/changelog/2022-06-08-admins-can-require-sign-off-on-web-based-commits/

davidstaheli commented 2 years ago

🎊

Yes, the feature is now live! Thanks so much for everyone's suggestions and encouragement with this! We'd still like to make improvements and would love to hear ongoing suggestions that you have. A good place to leave feedback is in GitHub's public feedback discussions (General category) or email me at: my GitHub username + "@github.com". Thanks again!