Skip to content

docs: add Signed-off-by check for pull requests#20

Closed
SToPire wants to merge 1 commit intoerofs:mainfrom
SToPire:main
Closed

docs: add Signed-off-by check for pull requests#20
SToPire wants to merge 1 commit intoerofs:mainfrom
SToPire:main

Conversation

@SToPire
Copy link
Member

@SToPire SToPire commented Mar 10, 2026

Add a dedicated GitHub Actions workflow to check all commits in a pull request for a valid Signed-off-by trailer and fail the check when any commit is missing it.

Also document that pull requests will be blocked until the missing Signed-off-by trailer is fixed.

Assisted-by: Codex (GPT 5.4)

@SToPire
docs: add Signed-off-by check for pull requests
37eeaad 
Add a dedicated GitHub Actions workflow to check all commits in a
pull request for a valid Signed-off-by trailer and fail the check when
any commit is missing it.

Also document that pull requests will be blocked until the missing
Signed-off-by trailer is fixed.

Assisted-by: Codex (GPT 5.4)
Signed-off-by: Yifan Zhao <yifan.yfzhao@foxmail.com>
Copilot AI review requested due to automatic review settings March 10, 2026 09:20
@SToPire
Copy link
Member Author

SToPire commented Mar 10, 2026

Seems the check works normally in this PR. For a blocked PR see [1].

[1] SToPire#3

Copilot AI reviewed Mar 10, 2026
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR introduces automated enforcement of DCO-style Signed-off-by: trailers for pull requests, and updates the developer documentation to note that missing sign-offs will block PRs.

Changes:

  • Add a new GitHub Actions workflow that inspects all PR commits for a Signed-off-by: line and fails the check if any are missing it.
  • Add a merge-queue compatibility path for the workflow via a merge_group trigger.
  • Update developer docs to explicitly state that PRs are blocked until missing sign-offs are fixed.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
src/developers.md Documents that PRs are automatically checked for a valid Signed-off-by: trailer and blocked if missing.
.github/workflows/commit_signoff.yml Adds an Actions workflow to validate sign-off trailers on PR commits and report results in the job summary.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

.github/workflows/commit_signoff.yml
Comment on lines +72 to +76
- name: Report merge queue compatibility
if: ${{ github.event_name == 'merge_group' }}
run: |
echo "Signed-off-by is enforced on pull_request workflows."
echo "This merge_group run reports the required status for merge queue compatibility."
Copy link

Copilot AI Mar 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The merge_group path is currently a no-op (it always exits successfully) so this workflow will report success in the merge queue even when a PR’s commits are missing a Signed-off-by trailer. If this check is marked as required for merge queue, that can effectively bypass the intended enforcement. Consider performing the same validation during merge_group (e.g., checkout the merge_group ref and validate commit messages in the head range), or remove merge_group from this workflow and ensure branch protection requires the pull_request run instead.

Copilot uses AI. Check for mistakes.
.github/workflows/commit_signoff.yml
Comment on lines +36 to +38
const trailerPattern = /^Signed-off-by:\s+.+\s+<[^<>]+>$/im;
const missing = commits.filter(({ commit }) => !trailerPattern.test(commit.message));

Copy link

Copilot AI Mar 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The Signed-off-by detection regex will treat any line starting with “Signed-off-by:” anywhere in the commit message as valid, even if it appears in the body (e.g., quoted text) rather than as a trailer/footer. That can lead to false positives and undermines the “trailer” requirement. Consider validating only the trailer block at the end of the commit message (e.g., scan upward from the end after the last blank line, or use a trailer parser strategy) instead of a whole-message regex match.

Suggested change
const trailerPattern = /^Signed-off-by:\s+.+\s+<[^<>]+>$/im;
const missing = commits.filter(({ commit }) => !trailerPattern.test(commit.message));
const hasValidSignedOffTrailer = (message) => {
if (typeof message !== 'string') {
return false;
}
const lines = message.split('\n');
// Find the last non-empty line
let i = lines.length - 1;
while (i >= 0 && lines[i].trim() === '') {
i--;
}
if (i < 0) {
return false;
}
// Collect the trailer block (continuous non-empty lines at the end)
const trailerLines = [];
for (; i >= 0 && lines[i].trim() !== ''; i--) {
trailerLines.unshift(lines[i]);
}
const trailerPattern = /^Signed-off-by:\s+.+\s+<[^<>]+>$/;
return trailerLines.some((line) => trailerPattern.test(line));
};
const missing = commits.filter(({ commit }) => !hasValidSignedOffTrailer(commit.message));

Copilot uses AI. Check for mistakes.
@SToPire
Copy link
Member Author

SToPire commented Mar 10, 2026

already a DCO here. close it

@SToPire SToPire closed this Mar 10, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@SToPire