diff --git a/.github/workflows/dco.yml b/.github/workflows/dco.yml index 88660b1e5..53339f4bf 100644 --- a/.github/workflows/dco.yml +++ b/.github/workflows/dco.yml @@ -38,7 +38,7 @@ jobs: path-to-signatures: "dco-signatures.json" path-to-document: "https://github.com/NVIDIA/OpenShell/blob/main/DCO" branch: "signatures" - allowlist: dependabot + allowlist: "dependabot[bot]" create-file-commit-message: "chore: create file to store dco signatures" signed-commit-message: "chore: $contributorName has signed the dco in #$pullRequestNo" custom-notsigned-prcomment: >- diff --git a/CI.md b/CI.md index 6b0d9bcfb..57e6627ed 100644 --- a/CI.md +++ b/CI.md @@ -21,7 +21,7 @@ Both are required to merge once the corresponding `E2E Gate` checks are marked r copy-pr-bot decides whether to mirror a PR automatically based on whether the author is trusted. For org members and collaborators, "trusted" means **all commits in the PR are cryptographically signed**. Unsigned commits, even from an org member, force the bot to wait for a maintainer's `/ok to test `. -DCO sign-off (`-s` / `Signed-off-by`) is a separate requirement and does not count as commit signing. +DCO sign-off (`-s` / `Signed-off-by`) is a separate requirement and does not count as commit signing. Dependabot-authored dependency update PRs are allowlisted in DCO Assistant because the bot cannot sign commits. ### One-time setup with an SSH key diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 0121ad608..5c091c6c4 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -271,7 +271,7 @@ chore(deps): bump tokio to 1.40 ### DCO -All contributions must include a `Signed-off-by` line in each commit message. This certifies you have the right to submit the work under the project license. See the [Developer Certificate of Origin](https://developercertificate.org/). +All human contributions must include a `Signed-off-by` line in each commit message. This certifies you have the right to submit the work under the project license. See the [Developer Certificate of Origin](https://developercertificate.org/). Dependabot-authored dependency update PRs are allowlisted because the bot cannot sign commits. ```bash git commit -s -m "feat(sandbox): add new capability"
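Review bot: In `.github/workflows/dco.yml`, the new `allowlist: "dependabot[bot]"` entry exempts by account name only, while the documentation added in this same patch describes the exemption as covering "Dependabot-authored dependency update PRs". Nothing in the visible hunk restricts the exemption to dependency updates, so the docs should say "commits authored by `dependabot[bot]`" instead. A short YAML comment above the line would also help, stating that the value must be the exact bot login and that each entry added here skips the DCO check for that account.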
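Review bot: In `CI.md`, the appended sentence says the bot "cannot sign commits" directly after the sentence that separates DCO sign-off from commit signing, so it reads as a statement about cryptographic signing in a paragraph about copy-pr-bot trust. Reword it to name the thing actually exempted, for example "cannot add a `Signed-off-by` line", and state explicitly whether Dependabot PRs still wait for a maintainer's `/ok to test` under the signed-commit rule described just above.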
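Review bot: In `CONTRIBUTING.md`, changing "All contributions" to "All human contributions" widens the stated exemption beyond what the workflow change grants: the allowlist in this patch contains only `dependabot[bot]`, so any other bot or automated contribution is still subject to the DCO check. Keep "All contributions must include a `Signed-off-by` line" and put the single exception in the follow-up sentence, naming the account as it appears in the allowlist. The phrase "cannot sign commits" should also become "cannot add a `Signed-off-by` line" so that it is not confused with cryptographic commit signing.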