The DCO is a per-commit sign-off made by a contributor stating that they agree to the terms published at https://developercertificate.org/ for that particular contribution.
When creating a commit with the Git CLI, a sign-off can be added with the -s
option: https://git-scm.com/docs/git-commit#git-commit--s. The sign-off is stored as part of the commit message itself, as a line of the format:
Signed-off-by: Full Name <email>
DCO sign-offs differ from contributor agreements (CLAs):
GitHub uses status checks (similar to CI pass/fail) against new Pull Requests to ensure that contributions which fail DCO validation will not be merged into a DCO-protected branch (usually “master”).
Log in as user with Owner rights to a GitHub organization. Browse to the URL https://github.com/apps/dco and hit the “Install” (or “Configure”) button. Select the organization to install it to. Select “All repositories”.
Browse to the settings for each repository in that organization. Choose “Branches” from the menu. If “master” does not show up under Protected Branches, select it from the “Choose a branch” drop-down. Enable “Protect this branch”, “Require status checks to pass before merging” (and check the “DCO” status check if it is available). Repeat for the remaining repositories.
To complete the configuration, you should return to the master branch protection screen—on each repository—to check “DCO” after this status check has been seen by GitHub.
TBD
Unlike GitHub, which allows a contributor to create a Pull Request but marks it as failing checks, Gerrit will not even accept a changeset unless the commit(s) in that changeset pass DCO.
The project.config file must have the following configuration set, or inherited from a parent repository:
[receive] requireSignedOffBy = true