Skip to content

Signed Developer Certificate of Origins for the Carbon Design System.

License

Notifications You must be signed in to change notification settings

carbon-design-system/carbon-dco

Repository files navigation

Carbon DCO

Signed Developer Certificate of Origins for the Carbon Design System.

Overview

Per the Open Source @ IBM guidance, the Carbon Design System uses a Developer Certificate of Origin (DCO) to ensure that intellectual property received through contributions is acceptable. DCOs are a lightweight alternative to Contributor License Agreements (CLAs) that serve the same purpose.

The Carbon Design System uses the standard Linux-style DCO and as such, IBM employees do not need IBM Legal review prior to signing.

Instead of including a signoff in every commit, this GitHub Action ensures that all committers have signed the DCO through a special GitHub pull request comment, as a merge-blocking mechanism.

Files

This repository primarily houses two files.

dco.md - the DCO

dco-signatures.json - the saved consents on a per-repository basis

Installation

Step 1) carbon-bot personal access token

Contact a member of the Carbon team to add a PERSONAL_ACCESS_TOKEN for carbon-bot as a secret in your repository settings.

Step 2) Add workflow file .github/workflows/dco.yml

Use the following in that file and configure:

  • allowlist - GitHub usernames to bypass the DCO signature requirement. Comma-separate the names and wildcard symbols are available, e.g. bot* to allow all bot users.

The cla-assistant/github-action documentation specifies all inputs, but they should not be modified from below as we're using the carbon-design-system/carbon-dco repository to save signatures across many Carbon repositories.

name: "DCO Assistant"
on:
  issue_comment:
    types: [created]
  pull_request_target:
    types: [opened, closed, synchronize]

jobs:
  DCO:
    runs-on: ubuntu-latest
    steps:
      - name: "DCO Assistant"
        if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the DCO document and I hereby sign the DCO.') || github.event_name == 'pull_request_target'
        uses: cla-assistant/github-action@v2.1.2-beta
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PERSONAL_ACCESS_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
        with:
          path-to-signatures: "dco-signatures.json"
          path-to-document: "https://github.com/carbon-design-system/carbon-dco/blob/main/dco.md"
          branch: "main"
          allowlist: dependabot,kodiakhq
          remote-organization-name: carbon-design-system
          remote-repository-name: carbon-dco
          create-file-commit-message: "chore: create file to store dco signatures"
          signed-commit-message: "chore: $contributorName has signed the dco in #$pullRequestNo"
          custom-notsigned-prcomment: "Thanks for your submission! We ask that $you sign our [Developer Certificate of Origin](https://github.com/carbon-design-system/carbon-dco/blob/main/dco.md) before we can accept your contribution. You can sign the DCO by adding a comment below using this text:"
          custom-pr-sign-comment: "I have read the DCO document and I hereby sign the DCO."
          custom-allsigned-prcomment: "All contributors have signed the DCO."
          lock-pullrequest-aftermerge: false
          use-dco-flag: true

Usage

Once installed, the GitHub Action will prompt contributors on how to sign the DCO if it's not yet been signed.

About

Signed Developer Certificate of Origins for the Carbon Design System.

Resources

License

Code of conduct

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published