dco: Add dco check

Signed-off-by: Jan Kraemer <[email protected]>

Author: VJanKraemer

.github/workflows/sil-kit-ci.yml

@@ -46,6 +46,18 @@ jobs:
             python3 ./SilKit/ci/check_files_changed.py ${{ github.repository }} ${{ github.event.number }}; \
           fi
 
+  check-dco-signed:
+    name: 🦙 DCO Signing Check
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          submodules: false
+
+      - name: Check if DCO is signed
+        run:
+          python3 ./SilKit/ci/check_dco_signed.py ${{ github.repository }} ${{ github.event.number }}
+
   check-formatting:
     name: Format checks for SIL Kit sources
     runs-on: ubuntu-24.04
@@ -62,7 +74,7 @@ jobs:
   clang-tidy:
     name: Running clang-tidy
     runs-on: ubuntu-latest
-    needs: [check-run-builds]
+    needs: [check-run-builds, check-dco-signed]
     steps:
       - uses: actions/checkout@v4
         with:
@@ -87,51 +99,51 @@ jobs:
 
   clang14-tsan:
     name: Thread Sanitizer Tests
-    needs: [check-licenses, check-run-builds, check-formatting]
+    needs: [check-licenses, check-run-builds, check-formatting, check-dco-signed]
     uses: ./.github/workflows/linux-tsan.yml
     with:
       run_build: ${{ needs.check-run-builds.outputs.run_builds == 'true' }}
 
   clang14-ubsan:
     name: Undefined Behavior Sanitizer Tests
-    needs: [check-licenses, check-run-builds, check-formatting]
+    needs: [check-licenses, check-run-builds, check-formatting, check-dco-signed]
     uses: ./.github/workflows/linux-ubsan.yml
     with:
       run_build: ${{ needs.check-run-builds.outputs.run_builds == 'true' }}
 
   clang14-asan:
     name: Address Sanitizer Tests
-    needs: [check-licenses, check-run-builds, check-formatting]
+    needs: [check-licenses, check-run-builds, check-formatting, check-dco-signed]
     uses: ./.github/workflows/linux-asan.yml
     with:
       run_build: ${{ needs.check-run-builds.outputs.run_builds == 'true' }}
 
   ubuntu-release-builds:
     uses: ./.github/workflows/build-linux.yml
-    needs: [check-licenses, check-run-builds, check-formatting]
+    needs: [check-licenses, check-run-builds, check-formatting, check-dco-signed]
     with:
       run_build: ${{ needs.check-run-builds.outputs.run_builds == 'true' }}
 
   ubuntu-arm-release-builds:
     uses: ./.github/workflows/build-linux-arm64.yml
-    needs: [check-licenses, check-run-builds, check-formatting]
+    needs: [check-licenses, check-run-builds, check-formatting, check-dco-signed]
     with:
       run_build: ${{ needs.check-run-builds.outputs.run_builds == 'true' }}
 
   windows-release-builds:
     uses: ./.github/workflows/build-win.yml
-    needs: [check-licenses, check-run-builds, check-formatting]
+    needs: [check-licenses, check-run-builds, check-formatting, check-dco-signed]
     with:
       run_build: ${{ needs.check-run-builds.outputs.run_builds == 'true' }}
 
   mingw-release-builds:
     uses: ./.github/workflows/build-mingw64.yml
-    needs: [check-licenses, check-run-builds, check-formatting]
+    needs: [check-licenses, check-run-builds, check-formatting, check-dco-signed]
     with:
       run_build: ${{ needs.check-run-builds.outputs.run_builds == 'true' }}
 
   macos-release-builds:
     uses: ./.github/workflows/build-macos.yml
-    needs: [check-licenses, check-run-builds, check-formatting]
+    needs: [check-licenses, check-run-builds, check-formatting, check-dco-signed]
     with:
       run_build: ${{ needs.check-run-builds.outputs.run_builds == 'true' }}

SilKit/ci/check_dco_signed.py

@@ -0,0 +1,60 @@
+#!/usr/bin/env python3
+
+# SPDX-FileCopyrightText: 2025 Vector Informatik GmbH
+#
+# SPDX-License-Identifier: MIT
+
+import requests
+import argparse
+
+from ci_utils import die, warn
+
+
+def check_dco(url: str):
+    commits_url = url + '/commits'
+
+    r = requests.get(commits_url, verify=False)
+
+    all_commits_signed = True
+    for commitObject in r.json():
+        committer = commitObject["commit"]["committer"]
+        author = commitObject["commit"]["author"]
+        message = commitObject["commit"]["message"]
+
+        committer_error = ""
+        author_error = ""
+
+        # Do not check fixup messages
+        if "fixup" not in message:
+
+            # Check committer only if it they are different
+            if committer["email"] != author["email"] or committer["name"] != author["name"]:
+                sign_off = f'Signed-off-by: {committer["name"]} <{committer["email"]}>'
+                if sign_off not in message and committer["name"] != "GitHub":
+                    comitter_error = f'Signed-off-by from committer {committer["name"]} missing! Merging blocked!'
+
+            sign_off = f'Signed-off-by: {author["name"]} <{author["email"]}>'
+            if sign_off not in message:
+                author_error = f'Signed-off-by from author {author["name"]} missing, Merging Blocked!'
+
+            if committer_error or author_error:
+                all_commits_signed = False
+                warn(f'{commitObject["sha"][0:7]}: {author_error} {committer_error}')
+
+    if all_commits_signed is False:
+        die(66, "Not all commits Signed-off by their respective author/committer")
+
+
+def main():
+
+    parser = argparse.ArgumentParser(prog="DCO checker",
+                                     description="Check whether the DCO was signed for a PR")
+    parser.add_argument('repo', type=str)
+    parser.add_argument('PR', type=str)
+    args = parser.parse_args()
+    url = 'https://api.github.com/repos/' + args.repo + '/pulls/' + args.PR
+    check_dco(url)
+
+
+if __name__ == "__main__":
+    main()

SilKit/ci/check_files_changed.py

@@ -8,24 +8,30 @@
 import argparse
 import os
 
-isCI = os.getenv('CI')
-INFO_PREFIX = "::notice ::" if isCI != None else "INFO: "
-WARN_PREFIX = "::warning ::" if isCI != None else "WARNING: "
-ERROR_PREFIX = "::error ::" if isCI != None else "ERROR: "
+from ci_utils import log, isCI
 
-## Convenience
-def log(fmt, *args):
-    print(fmt.format(*args))
 
-def info(fmt, *args):
-    log(INFO_PREFIX + fmt, *args)
+def check_run_build(url: str):
+    run_builds = "false"
+    files_url = url + '/files'
+    r = requests.get(files_url, verify=False)
 
-def warn(fmt, *args):
-    log(WARN_PREFIX + fmt, *args)
+    for fileObject in r.json():
+
+        file_path = fileObject["filename"]
+        file = file_path.split(sep="/")[-1]
+
+        if file not in exceptional_files:
+            run_builds = "true"
+            break
+
+    log("Builds should run: {}".format(run_builds))
+
+    if isCI is not None:
+        log("Setting GITHUB_OUTPUT!")
+        with open(os.environ["GITHUB_OUTPUT"], 'a') as f:
+            print("run_builds={}".format(run_builds), file=f)
 
-def die(status, fmt, *args):
-    log(ERROR_PREFIX + fmt, *args)
-    sys.exit(status)
 
 # File Set
 exceptional_files = {'README.rst', 'latest.md', 'LICENSE', 'CONTRIBUTING.md',
@@ -37,26 +43,8 @@ def die(status, fmt, *args):
 parser.add_argument('PR', type=str)
 args = parser.parse_args()
 
-run_builds = "false"
-
-url = 'https://api.github.com/repos/' + args.repo + '/pulls/' + args.PR + '/files'
+url = 'https://api.github.com/repos/' + args.repo + '/pulls/' + args.PR
 
 log("Checking at {}".format(url))
 
-r = requests.get(url, verify=False)
-
-for fileObject in r.json():
-
-    file_path = fileObject["filename"];
-    file = file_path.split(sep="/")[-1]
-
-    if file not in exceptional_files:
-        run_builds = "true"
-        break
-
-log("Builds should run: {}".format(run_builds))
-
-if isCI != None:
-    log("Setting GITHUB_OUTPUT!")
-    with open(os.environ["GITHUB_OUTPUT"], 'a') as f:
-        print("run_builds={}".format(run_builds), file=f)
+check_run_build(url)

SilKit/ci/ci_utils.py

@@ -0,0 +1,31 @@
+#!/usr/bin/env python3
+
+# SPDX-FileCopyrightText: 2025 Vector Informatik GmbH
+#
+# SPDX-License-Identifier: MIT
+
+import os
+import sys
+
+isCI = os.getenv('CI')
+INFO_PREFIX = "::notice ::" if isCI != None else "INFO: "
+WARN_PREFIX = "::warning ::" if isCI != None else "WARNING: "
+ERROR_PREFIX = "::error ::" if isCI != None else "ERROR: "
+
+
+# Convenience
+def log(fmt, *args):
+    print(fmt.format(*args))
+
+
+def info(fmt, *args):
+    log(INFO_PREFIX + fmt, *args)
+
+
+def warn(fmt, *args):
+    log(WARN_PREFIX + fmt, *args)
+
+
+def die(status, fmt, *args):
+    log(ERROR_PREFIX + fmt, *args)
+    sys.exit(status)