Skip to content

chore: add CLA + DCO enforcement and community health files#30

Merged
mislavivanda merged 4 commits into
mainfrom
opencode/witty-nebula
Jul 15, 2026
Merged

chore: add CLA + DCO enforcement and community health files#30
mislavivanda merged 4 commits into
mainfrom
opencode/witty-nebula

Conversation

@mislavivanda

@mislavivanda mislavivanda commented Jul 14, 2026

Copy link
Copy Markdown
Collaborator

Summary by cubic

Adds CLA and DCO enforcement to gate merges and streamlines contributions with community health files and CODEOWNERS. Hardens workflows to reduce race conditions and false positives.

  • New Features

    • CLA assistant stores signatures on the cla-signatures branch and sets a status check; serializes writes with a repo-wide concurrency group and locks PRs only after merge; allowlists trusted bots.
    • DCO workflow validates Signed-off-by on every commit and sets a DCO status; parses only the trailer block (via git interpret-trailers), skips merge commits, and allowlists bots by resolved GitHub login.
    • Added CODEOWNERS, issue templates (bug/feature), and a PR template with legal checks; CODEOWNERS sets @aprojic and @mislavivanda as co-owners for legal/security files and CLA/DCO workflows, while general CI workflows stay with @mislavivanda.
    • Added docs: CLA.md, CONTRIBUTING.md, CODE_OF_CONDUCT.md, SECURITY.md, COPYRIGHT, NOTICE; aligned wording in CONTRIBUTING.md and README.md (“no more than one package or app”, “dependency manifest”) and clarified DCO sign-off must match the commit author email.
  • Migration

    • Contributors: sign the CLA on your first PR (reply with the provided phrase) and use git commit -s on every commit; the sign-off email must match the commit author.
    • Maintainers: require both checks in branch protection (CLA signed, DCO), and ensure the cla-signatures branch exists and allows pushes by the default GITHUB_TOKEN.

Written for commit 73d71ac. Summary will update on new commits.

Review in cubic

Signed-off-by: Mislav Ivanda <mislavivanda454@gmail.com>

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All reported issues were addressed across 12 files

You’re at about 96% of the monthly reviewed-line limit. You may want to disable incremental reviews to conserve quota. Reviews will continue until that limit is exceeded. If you need help avoiding interruptions, please contact contact@cubic.dev.

Tip: instead of fixing issues one by one fix them all with cubic

Re-trigger cubic

Comment thread COPYRIGHT
Comment thread .github/workflows/dco.yml
Comment thread .github/workflows/dco.yml
Comment thread .github/workflows/dco.yml
Comment thread COPYRIGHT
Comment thread CONTRIBUTING.md Outdated
Comment thread CONTRIBUTING.md Outdated
Comment thread .github/ISSUE_TEMPLATE/bug_report.md Outdated
Comment thread .github/pull_request_template.md Outdated
Comment thread CONTRIBUTING.md Outdated
- dco.yml: parse sign-offs with `git interpret-trailers` so a loose
  "Signed-off-by:" line outside the trailer block no longer counts; clarify
  the bot allowlist uses GitHub's resolved author login (not forgeable).
- cla.yml: add a repo-wide concurrency group so concurrent signatures don't
  race on the shared signatures file; don't lock a PR that is closed unmerged
  (lock only after merge).
- CONTRIBUTING.md: apps aren't published to a registry; scope PRs to one
  package or app; "dependency manifest" not lockfile; DCO matches author email.
- PR/issue templates: "no more than one package/app"; environment details are
  requested, not enforceable in a Markdown template.

Signed-off-by: Mislav Ivanda <mislavivanda454@gmail.com>

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All reported issues were addressed across 5 files (changes from recent commits).

You’re at about 97% of the monthly reviewed-line limit. You may want to disable incremental reviews to conserve quota. Reviews will continue until that limit is exceeded. If you need help avoiding interruptions, please contact contact@cubic.dev.

Reply with feedback, questions, or to request a fix.

Fix all with cubic | Re-trigger cubic

Comment thread CONTRIBUTING.md Outdated
Comment thread CONTRIBUTING.md Outdated
Follow-up to review: use "no more than one package or app" in CONTRIBUTING.md
(so docs/repo-wide PRs like this one are in-scope) and mirror it in README.md;
also drop the "lockfile" wording in README in favor of "dependency manifest".

Signed-off-by: Mislav Ivanda <mislavivanda454@gmail.com>
@mislavivanda
mislavivanda force-pushed the opencode/witty-nebula branch from 65b23e0 to 8f9345e Compare July 14, 2026 14:25
@mislavivanda
mislavivanda requested a review from aprojic July 14, 2026 14:27
…files

Adds @aprojic alongside @mislavivanda for SECURITY.md, CODE_OF_CONDUCT.md,
CLA.md, LICENSE, COPYRIGHT, NOTICE, the CLA/DCO enforcement workflows, and
CODEOWNERS itself. General CI workflows stay with @mislavivanda to avoid
pinging the CISO on routine CI changes.

Signed-off-by: Mislav Ivanda <mislavivanda454@gmail.com>
@mislavivanda
mislavivanda merged commit cecb688 into main Jul 15, 2026
11 checks passed
@mislavivanda
mislavivanda deleted the opencode/witty-nebula branch July 15, 2026 09:15
@github-actions github-actions Bot locked and limited conversation to collaborators Jul 15, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants