Skip to content

governance: enforce DCO and document continuity checks#208

Open
TFT444 wants to merge 1 commit into
devfrom
governance/205-dco-continuity
Open

governance: enforce DCO and document continuity checks#208
TFT444 wants to merge 1 commit into
devfrom
governance/205-dco-continuity

Conversation

@TFT444

@TFT444 TFT444 commented Jul 16, 2026

Copy link
Copy Markdown
Collaborator

Summary

Implements the repository-controlled parts of #205.

  • adopts DCO 1.1 as the contribution authorization mechanism
  • adds a dependency-free PR check requiring a valid Signed-off-by trailer on every introduced commit
  • documents contributor sign-off and repair instructions
  • adds the DCO requirement to the pull request checklist
  • adds an owner-verifiable continuity capability matrix and six-month review process
  • adds regression tests for valid, missing, malformed, and mixed commit sign-offs

Validation

  • 3 DCO helper tests pass
  • this PR commit passes the new DCO checker
  • Ruff and formatting pass
  • workflow YAML parses successfully
  • git diff --check passes

Owner confirmation still required

Issue #205 must remain open until an organization owner privately verifies that at least two people can administer issues, merge approved work, publish/recover releases, and recover critical organization/deployment access. Documentation cannot prove that underlying access state.

Advances #205

Signed-off-by: Tanvir Farhad <tamimtarafder12@gmail.com>
@github-actions

Copy link
Copy Markdown

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

PackageVersionScoreDetails
actions/actions/checkout 34e114876b0b11c390a56381ad16ebd13914f8d5 🟢 7
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Maintained🟢 1020 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Binary-Artifacts🟢 10no binaries found in the repo
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Pinned-Dependencies🟢 3dependency not pinned by hash detected -- score normalized to 3
Packaging⚠️ -1packaging workflow not detected
Signed-Releases⚠️ -1no releases found
Security-Policy🟢 9security policy file detected
SAST🟢 10SAST tool is run on all commits
Branch-Protection🟢 6branch protection is not maximal on development and all release branches

Scanned Files

  • .github/workflows/dco.yml

@TFT444
TFT444 requested review from m-khan-97 and removed request for parthrohit22 and ritiksah141 July 16, 2026 15:45
@TFT444 TFT444 self-assigned this Jul 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant