DCO (signed-off-by) in commits via web ui #50
Comments
|
This is the biggest thing that can't be built into an integration. One question I have about this: The DCO requires sign-off on each commit, so this would have to be a checkbox wherever commits are made (merge button, editor) instead of a user config that says "Add sign-off on all my commits"? xref dcoapp/app#8 #48 |
|
Would this also imply some level of support for #32? |
|
+1 please! |
|
I just ran into a related issue the other day, the probot app only works on PRs and not direct pushes. If you want pushes and PRs to have the DCO enforced it looks like you need a hook as well :(. I need to check if Org level hooks are available/enforceable. |
I don't know. In general, my advice would be to try to standardize practices around the DCO as much as possible, and clearly document all the best practices and edge cases. I could be a really easy feature to add (checkbox on the commit comment box?), but it also brings up a bunch of other questions: Can it be automatic, or does the user have to take an action every time to communicate their intent? Is it visible on every repository, or is there a repository setting that turns it on? Should there be a setting to require it on all commits? What about scenarios where it's not actually required, like bots dcoapp/app#21?. Unless I'm misunderstanding something, you can manually include the
It is currently recommended to set DCO as a required status to protect master. Feel free to open an issue on probot/dco if you'd like to see it do something different. |
|
I want to mention #53 (which I just opened) in the context of this issue. I think it would be really awesome if we could block force pushes to PRs. However, if we do that, making sure that people put DCO onto every commit is super important, otherwise it will destroy a PR where someone forgets. IMO DCO will need to get built directly into GH as a first class thing in order to make the workflow not painful (it's actually pretty painful today). |
I'd love to hear what the ideal workflow would be for you. Any examples of tools that do it really well? |
I don't have any examples, as I've just been using DCO now for about a week. But I can tell you my current thoughts based on what I've seen: Right now the flow is very painful as every commit has to manually have the DCO added. If someone forgets on a single commit, the DCO bot fails, and the only possible resolution for the user is to manually rebase the PR to fix the commit message (which is asking a lot) or to squash and force push with DCO. Either way the review history gets messed up badly (see #53). We can have documentation and also a client side commit hook that we ask people to install, but this is high friction for new/infrequent contributors and people forget. As a reviewer this is my biggest pain point right now. My optimal baseline flow would look like:
In a perfect world we would also get the ability to:
I realize the previous two points require a lot of thinking, so would be very happy to just nail the baseline flow first. |
|
+1 on server-side commit hook enforcing DCO (at least for Envoy). This seems a simple change to get us most of the pain out of the way. |
|
I'd be fine with an extra checkbox below the commit message that lets you do the signoff. |
|
I want to enable probot's dco enforcement, but the lack of web ui support will likely cut off a high number of quick edits from communities engaged in my projects. To me, the ideal functionality here is a GitHub account user preference (configurable per repo or per org) for auto-signing signing commits whether via web UI or manual push (+1 to @mattklein123 and @htuch's suggestion). The lack of web UI support here certainly turns away anyone inclined to quickly contribute markdown edits on projects. This inhibits user contribution to documentation and other non-code artifacts (key for much of @caniszczyk's stewarding and organizing within the CNCF). |
|
Has there been any progress on this @bkeepers ? Is there any way we can help move it forward? |
|
@jeffmcaffer may know but right now, you can just manually add the "Signed-off-by: XYZ" as part of the pull request and it works fine |
|
+1 Just got burned by this. |
|
This just burned us, as well, on Hyperledger. |
|
Would love feedback if this helps: I wrote a GitHub Action to edit commits to a pull request with a signature. To try it out add the below to your https://gist.github.com/bdougie/c31ea9f59d9d049a732a046be017eb28 update: I see there is a DCO bot and this action doesn't work well with this. Some tinkering is still needed. |
|
@bdougie Doesn't your concept invalidate the point of the SoB? AFAIU, the SoB is supposed to be the person submitting the patch making personal attestations to the validity/origin and right to submit the patch. As such it seems it needs to be submitted with the patch by the author, not just added at commit time by the SCM server as the SCM doesn't know the origin of the patch and whether it's origin is compatible with the project. It could be copyrighted material after-all and in such a case, the submitter didn't sign it off, GitHub (who really can't/shouldn't) did. |
|
Just burned on this one, even with a Signed-off-by in the commit. |
|
I know @dhuseby is working on DID:GIT to try to obviate some of this |
|
So, I like that we can have DCO added automatically to commits made with the web UI. Now I don't know how to handle users who hide their e-mail address and real name, as this goes against the principles of DCO:
Should we envision an option that would allow an organisation to enforce the use of an actual e-mail address? |
please and thank you |
|
@davidstaheli please enable for these orgs (you should be able to verify my ownership): |
|
Apologies for the long delay.
|
|
How about for goharbor? |
|
@davidstaheli congrats on shipping this feature! 🚢 🎉 I was a supporter when I was at GitHub. We'd love to have the option to trial it at https://github.com/dagger where we use DCO for our open source contribs. Great work team! |
|
@davidstaheli We're currently evaluating the use of a DCO on two organizations. Would you be able the add the preview feature to: https://github.com/containerssh Thanks a bunch for working on this! |
|
@davidstaheli This is probably already in the pipe, but one will need to be able to choose which email to sign off commit suggestions with, in PRs. Currently I don't think you can: |
|
@davidstaheli can you add github.com/cncf to this list too |
|
@davidstaheli https://github.com/buildpacks and https://github.com/kyverno would also greatly benefit from an early preview of this feature. It would be great if you could enable it for these organizations as well :) This is an game-changing feature for almost all of the CNCF projects! (most of them require DCO sign-off) |
Added |
|
Thank you, this feature is great!
…On Mon, Jun 6, 2022 at 3:49 PM Ashley Wolf ***@***.***> wrote:
@davidstaheli <https://github.com/davidstaheli> can you add
github.com/cncf to this list too
Added
—
Reply to this email directly, view it on GitHub
<#50 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAPSIJOQZBXTU64ODV47UTVNZP4FANCNFSM4DF52MBQ>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
--
Cheers,
Chris Aniszczyk
https://aniszczyk.org
|
@samj1912 added 👍 |
|
Thank you, Ashley. This is great! |
|
So sorry for the big delay while I've been away for 2 weeks. Thanks for helping with these, @ashleywolf! I'll enable this for any that remain on Tuesday, June 7. We also plan to ship the feature publicly - so it will be enabled for everyone - on Wednesday, June 8. |
|
The DCO signoff feature is newly available to the following organizations. Thanks for your patience! See directions below for enabling the feature. It should release publicly (to everyone) tomorrow, Wednesday, June 8.
How to enable required signoffs for an organizationOrganization owners can configure an organization-level setting to require sign off on commits made through the web interface. To do so, click Settings in an organization that you are an owner of. Next, in the navigation under Code, planning, and automation, select Repository and then Repository defaults. Finally, under Commit signoff choose All repositories to require sign off on web-based commits in all repositories in the organization, as shown below. Alternatively, select No policy to disable the setting so that sign off will not be required unless enabled at the repository level.
How to enable required signoffs for a repositoryRepository admins can toggle a similar repository-level setting. To do so, click Settings in a repository that you are an admin of. Next, select General (the default, top-most tab). Then toggle the setting named Require contributors to sign off on web-based commits as shown below. This setting will be overridden by the organization-level setting unless the organization has No policy selected.
|
|
Thank you so much, I really appreciate this happening!
…On Tue, Jun 7, 2022 at 8:14 AM David Staheli ***@***.***> wrote:
The DCO signoff feature is newly available to the following organizations.
Thanks for your patience! See directions below for enabling the feature. It
should release publicly (to everyone) tomorrow, Wednesday, June 8.
- goharbor ***@***.*** <https://github.com/qnetter>)
- dagger ***@***.*** <https://github.com/jpadams>, hello! You'll always
be a Hubber! 😀)
- containerssh, chaos-kubox ***@***.***
<https://github.com/sanjacodes>)
How to enable required signoffs for an organization
Organization owners can configure an organization-level setting to require
sign off on commits made through the web interface. To do so, click
*Settings* in an organization that you are an owner of. Next, in the
navigation under *Code, planning, and automation*, select *Repository*
and then *Repository defaults*. Finally, under *Commit signoff* choose *All
repositories* to require sign off on web-based commits in all
repositories in the organization, as shown below. Alternatively, select *No
policy* to disable the setting so that sign off will not be required
unless enabled at the repository level.
[image: GitHub's organization-level setting for requiring sign off on
commits made in the web interface]
<https://user-images.githubusercontent.com/1767415/172388117-920c9043-c616-49cf-962f-6947c049adcb.png>
How to enable required signoffs for a repository
Repository admins can toggle a similar repository-level setting. To do so,
click *Settings* in a repository that you are an admin of. Next, select
*General* (the default, top-most tab). Then toggle the setting named *Require
contributors to sign off on web-based commits* as shown below. This
setting will be overridden by the organization-level setting unless the
organization has *No policy* selected.
[image: GitHub's repository-level setting for requiring sign off on
commits made in the web interface]
<https://user-images.githubusercontent.com/1767415/172276346-fb4c09a4-2e47-4fd9-ad61-451a008175c7.png>
—
Reply to this email directly, view it on GitHub
<#50 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAPSILNXVNTJH3ME6SWVLDVN5DM3ANCNFSM4DF52MBQ>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
--
Cheers,
Chris Aniszczyk
https://aniszczyk.org
|
|
Thanks a bunch for all your work! 🙏🏻 |
|
Fantastico! Thanks! |
|
@davidstaheli will there be a github blog post or changelog entry to link too? |
|
Hi, @caniszczyk! Yes, I'll publish an extra-long changelog right when the feature goes live for everyone. It should appear at the URL below. And I'll do my best to post an update here when it happens. |
|
Awesome thank you! Blog post is live! https://github.blog/changelog/2022-06-08-admins-can-require-sign-off-on-web-based-commits/ |
🎊Yes, the feature is now live! Thanks so much for everyone's suggestions and encouragement with this! We'd still like to make improvements and would love to hear ongoing suggestions that you have. A good place to leave feedback is in GitHub's public feedback discussions (General category) or email me at: my GitHub username + "@github.com". Thanks again! |
and others
When you use the web ui in GitHub, there's no option to do the equivalent of (git commit -s) which is required as part of adhering to the DCO. The GitHub web ui should support this workflow :)
The text was updated successfully, but these errors were encountered: