chore: add CLA + DCO enforcement and community health files#30
Conversation
Signed-off-by: Mislav Ivanda <mislavivanda454@gmail.com>
There was a problem hiding this comment.
All reported issues were addressed across 12 files
You’re at about 96% of the monthly reviewed-line limit. You may want to disable incremental reviews to conserve quota. Reviews will continue until that limit is exceeded. If you need help avoiding interruptions, please contact contact@cubic.dev.
Tip: instead of fixing issues one by one fix them all with cubic
Re-trigger cubic
- dco.yml: parse sign-offs with `git interpret-trailers` so a loose "Signed-off-by:" line outside the trailer block no longer counts; clarify the bot allowlist uses GitHub's resolved author login (not forgeable). - cla.yml: add a repo-wide concurrency group so concurrent signatures don't race on the shared signatures file; don't lock a PR that is closed unmerged (lock only after merge). - CONTRIBUTING.md: apps aren't published to a registry; scope PRs to one package or app; "dependency manifest" not lockfile; DCO matches author email. - PR/issue templates: "no more than one package/app"; environment details are requested, not enforceable in a Markdown template. Signed-off-by: Mislav Ivanda <mislavivanda454@gmail.com>
There was a problem hiding this comment.
All reported issues were addressed across 5 files (changes from recent commits).
You’re at about 97% of the monthly reviewed-line limit. You may want to disable incremental reviews to conserve quota. Reviews will continue until that limit is exceeded. If you need help avoiding interruptions, please contact contact@cubic.dev.
Reply with feedback, questions, or to request a fix.
Fix all with cubic | Re-trigger cubic
Follow-up to review: use "no more than one package or app" in CONTRIBUTING.md (so docs/repo-wide PRs like this one are in-scope) and mirror it in README.md; also drop the "lockfile" wording in README in favor of "dependency manifest". Signed-off-by: Mislav Ivanda <mislavivanda454@gmail.com>
65b23e0 to
8f9345e
Compare
…files Adds @aprojic alongside @mislavivanda for SECURITY.md, CODE_OF_CONDUCT.md, CLA.md, LICENSE, COPYRIGHT, NOTICE, the CLA/DCO enforcement workflows, and CODEOWNERS itself. General CI workflows stay with @mislavivanda to avoid pinging the CISO on routine CI changes. Signed-off-by: Mislav Ivanda <mislavivanda454@gmail.com>
Summary by cubic
Adds CLA and DCO enforcement to gate merges and streamlines contributions with community health files and
CODEOWNERS. Hardens workflows to reduce race conditions and false positives.New Features
cla-signaturesbranch and sets a status check; serializes writes with a repo-wide concurrency group and locks PRs only after merge; allowlists trusted bots.Signed-off-byon every commit and sets aDCOstatus; parses only the trailer block (viagit interpret-trailers), skips merge commits, and allowlists bots by resolved GitHub login.CODEOWNERS, issue templates (bug/feature), and a PR template with legal checks;CODEOWNERSsets@aprojicand@mislavivandaas co-owners for legal/security files and CLA/DCO workflows, while general CI workflows stay with@mislavivanda.CLA.md,CONTRIBUTING.md,CODE_OF_CONDUCT.md,SECURITY.md,COPYRIGHT,NOTICE; aligned wording inCONTRIBUTING.mdandREADME.md(“no more than one package or app”, “dependency manifest”) and clarified DCO sign-off must match the commit author email.Migration
git commit -son every commit; the sign-off email must match the commit author.CLA signed,DCO), and ensure thecla-signaturesbranch exists and allows pushes by the defaultGITHUB_TOKEN.Written for commit 73d71ac. Summary will update on new commits.