Skip to content

Add Signed-off-by and Assisted-By rules#141

Open
jasnell wants to merge 2 commits intonodejs:mainfrom
jasnell:jasnell/add-signed-off-by-rule
Open

Add Signed-off-by and Assisted-By rules#141
jasnell wants to merge 2 commits intonodejs:mainfrom
jasnell:jasnell/add-signed-off-by-rule

Conversation

@jasnell
Copy link
Copy Markdown
Member

@jasnell jasnell commented Mar 28, 2026

Add validation rules for Signed-off-by and Assisted-by footers.

@aduh95 aduh95 mentioned this pull request Mar 28, 2026
Closed
aduh95
aduh95 reviewed Mar 28, 2026
View reviewed changes
aduh95
aduh95 reviewed Mar 28, 2026
View reviewed changes
@aduh95
Copy link
Copy Markdown
Contributor

aduh95 commented Mar 28, 2026

Adding agenda for visibility, and to make sure we have consensus

@jasnell jasnell force-pushed the jasnell/add-signed-off-by-rule branch 2 times, most recently from 08ced09 to 34ca655 Compare March 28, 2026 22:14
mcollina
mcollina approved these changes Mar 28, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@mcollina mcollina left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@openjs-meetings-bot openjs-meetings-bot bot mentioned this pull request Mar 29, 2026
Open
@jasnell
Copy link
Copy Markdown
Member Author

jasnell commented Mar 29, 2026

@nodejs/tsc ... please take a look

For background (in case you're unfamiliar)... When Linux Kernel first introduced the DCO, they established the convention of using Signed-off-by metadata in each commit as the way of acknowledging and attesting to the DCO for each commit. Use of Signed-off-by is the defacto standard mechanism. Node.js adopted the DCO over a decade ago but never enforced this convention. It's well past time to do so.

To add the attestation, simply pass -s when committing, e.g. git commit -s.

The change in this PR will enforce the presence of Signed-off-by in all commits moving foward. The format is name <email>. The rule will enforce that the <email> is a properly formatted email address.

@targos
Copy link
Copy Markdown
Member

targos commented Mar 30, 2026

How is it going to work for automated PRs like dependencies updates?

@jasnell
Copy link
Copy Markdown
Member Author

jasnell commented Mar 30, 2026

It checks and warns for those. Bots technically aren't supposed to include Signed-off-by attestation but they still do. The check accounts for that. It'll have a warning about it.

@jasnell
Copy link
Copy Markdown
Member Author

jasnell commented Mar 30, 2026

@targos ... your question does make me wonder if we should just have this warn for everything at first, rather than fail outright, just in case there are cases I didn't account for correctly... But I did try to account for the known bots (like dependabot) that adds attestations.... /me second-guessing

@targos
Copy link
Copy Markdown
Member

targos commented Mar 30, 2026

Dependabot adds the attestation, but our bot doesn't: nodejs/node#62384

jasnell
jasnell commented Mar 30, 2026
View reviewed changes
@jasnell jasnell force-pushed the jasnell/add-signed-off-by-rule branch from 34ca655 to 6757d88 Compare March 30, 2026 14:52
@aduh95
Copy link
Copy Markdown
Contributor

aduh95 commented Mar 30, 2026

Before enabling this on nodejs/node, we should probably update the commit message guidelines to clarify what it means and that it's now mandatory.

@jasnell jasnell mentioned this pull request Mar 30, 2026
Open
@jasnell
Copy link
Copy Markdown
Member Author

jasnell commented Mar 30, 2026

@aduh95 ... nodejs/node#62510

jasnell added 2 commits March 30, 2026 13:29
@jasnell
Add Signed-off-by rule
9b9d2f1 
Signed-off-by: James M Snell <[email protected]>
Assisted-By: Opencode/Opus 4.6
@jasnell
Add Assisted-By trailer rule
c7525dd 
Signed-off-by: James M Snell <[email protected]>
Assisted-By: Opencode/Opus 4.6
@jasnell jasnell force-pushed the jasnell/add-signed-off-by-rule branch from 6757d88 to c7525dd Compare March 30, 2026 20:30
@jasnell
Copy link
Copy Markdown
Member Author

jasnell commented Mar 30, 2026

Ok the rule has been updated such that commits with the deps subsystem and backport commits do not require Signed-off-by. If a commit includes multiple subsystems other the deps, then it'll warn if no Signed-off-by is present.

/cc @aduh95

@aduh95
Copy link
Copy Markdown
Contributor

aduh95 commented Mar 30, 2026

I had a look at the recent commits to see if I could find some other counter example, I found nodejs/node@1baafcc, which, if it were made by a human, would be weird to sign off – but thinking more about it, we should probably simply refuse non-bot contributions there

@jasnell
Copy link
Copy Markdown
Member Author

jasnell commented Mar 30, 2026
edited
Loading

Yeah, I think those really should likely be bot updates for those. We could special case them, however... for now, let's keep it as is, requiring the Signed-off-by for these and if we can work out a better way to handle them we'll adjust.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aduh95 aduh95 aduh95 left review comments

@mcollina mcollina mcollina approved these changes

@ShogunPanda ShogunPanda ShogunPanda approved these changes

@anonrig anonrig anonrig approved these changes

@ronag ronag ronag approved these changes

@RafaelGSS RafaelGSS RafaelGSS approved these changes

@marco-ippolito marco-ippolito marco-ippolito approved these changes

@ruyadorno ruyadorno Awaiting requested review from ruyadorno

Assignees

No one assigned

Labels

tsc-agenda

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

9 participants

@jasnell @aduh95 @targos @mcollina @ShogunPanda @anonrig @ronag @RafaelGSS @marco-ippolito