From b94021eb831da4ec6d1609737d5558ee0608727a Mon Sep 17 00:00:00 2001 From: will wade Date: Wed, 17 Jun 2026 13:07:35 +0100 Subject: [PATCH] Add DCO (Developer Certificate of Origin) for all contributions - Add DCO section to org CONTRIBUTING.md with sign-off instructions - Add DCO checkbox to PR template Definition of Done - Create DCO GitHub Action workflow that checks all PR commits for Signed-off-by trailer - Replaces the need for a formal CLA going forward The GPL->MIT relicensing used individual written permissions (held privately by project stewards). DCO provides ongoing provenance tracking without that overhead. Signed-off-by: will wade --- .github/PULL_REQUEST_TEMPLATE.md | 1 + .github/workflows/dco.yml | 51 ++++++++++++++++++++++++++++++++ CONTRIBUTING.md | 32 ++++++++++++++++++++ 3 files changed, 84 insertions(+) create mode 100644 .github/workflows/dco.yml diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md index 96d60ea..14e3bb3 100644 --- a/.github/PULL_REQUEST_TEMPLATE.md +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -29,3 +29,4 @@ see the blast radius: - [ ] Tests added for new behaviour - [ ] Feature matrix updated if this affects a cross-platform capability - [ ] Docs / changelog updated if the change is user-facing +- [ ] Commits are signed off (DCO) — `git commit -s` diff --git a/.github/workflows/dco.yml b/.github/workflows/dco.yml new file mode 100644 index 0000000..82796f8 --- /dev/null +++ b/.github/workflows/dco.yml 
@@ -0,0 +1,51 @@ +name: DCO + +on: + pull_request: + types: [opened, synchronize, reopened] + +permissions: + contents: read + pull-requests: write + +jobs: + dco: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Check Signed-off-by on all commits + env: + BASE_SHA: ${{ github.event.pull_request.base.sha }} + HEAD_SHA: ${{ github.event.pull_request.head.sha }} + run: | + set -euo pipefail + commits=$(git rev-list --no-merges "$BASE_SHA".."$HEAD_SHA") + missing=0 + for sha in $commits; do + body=$(git log -1 --format='%B' "$sha") + if ! echo "$body" | grep -qE '^Signed-off-by: .+ <.+@.+>'; then + short=$(git rev-parse --short "$sha") + subject=$(git log -1 --format='%s' "$sha") + echo "::error file=::Missing Signed-off-by on commit $short ($subject)" + missing=$((missing + 1)) + fi + done + if [ "$missing" -gt 0 ]; then + echo "" + echo "❌ $missing commit(s) missing Signed-off-by." + echo "" + echo "To fix, rebase with signoff:" + echo " git rebase --signoff origin/\${{ github.base_ref }}" + echo " git push --force-with-lease" + echo "" + echo "Or amend the last commit:" + echo " git commit --amend -s --no-edit" + echo "" + echo "See: https://developercertificate.org/" + exit 1 + fi + echo "✅ All commits have Signed-off-by" diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 310b429..ac78f82 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -46,4 +46,36 @@ A pull request is ready to merge when: - **Small, focused PRs** are easier to review and land faster. - **Talk to us first** for big changes — open an issue or an RFC. +## Developer Certificate of Origin (DCO) + +All contributions to the Dasher project must be signed off under the +[Developer Certificate of Origin](https://developercertificate.org/). This is +a lightweight alternative to a CLA — it affirms that you wrote (or have the +right to submit) the code you're contributing. + +**How to sign off:** add `-s` (or `--signoff`) to your commit command: + +```sh +git commit -s -m "your commit message" +``` + +This adds a `Signed-off-by:` trailer to the commit message automatically. If +you forgot, you can amend: + +```sh +git commit --amend -s --no-edit +``` + +For an existing PR with multiple unsigned commits, rebase with signoff: + +```sh +git rebase --signoff BASE_BRANCH +git push --force-with-lease +``` + +> **Why DCO instead of a CLA?** Dasher is MIT-licensed and community-driven. A +> full CLA adds legal friction for volunteers. The DCO achieves provenance +> tracking with a single line, and is the same model used by the Linux kernel, +> Git, and many other open-source projects. + _This file is the organisation-wide default. Individual repositories may add their own `CONTRIBUTING.md` with platform-specific build steps and rules, which take precedence here._
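Review bot: In `.github/workflows/dco.yml`, the `grep -qE '^Signed-off-by: .+ <.+@.+>'` test in the "Check Signed-off-by on all commits" step accepts any line of that shape anywhere in the message body, so the sign-off is never tied to the person who made the commit. Consider comparing the trailer against the commit's author (or committer) identity, for example the output of `git log -1 --format='%an <%ae>' "$sha"`, and failing when neither matches. Two smaller points in the same hunk: the job requests `pull-requests: write`, but no step writes to the pull request, so `contents: read` alone should be enough; and in `echo " git rebase --signoff origin/\${{ github.base_ref }}"` the backslash does not stop Actions from expanding `${{ github.base_ref }}` before the shell runs, so the value is spliced into the script and the hint is printed with a stray backslash. Passing the base ref through `env:`, as is already done for `BASE_SHA` and `HEAD_SHA`, avoids both.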
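Review bot: In the `CONTRIBUTING.md` hunk, `git rebase --signoff BASE_BRANCH` uses a placeholder that the section never explains, while the hint printed by the workflow uses `origin/` followed by the PR's base ref. Say what to substitute (the branch the PR targets) so the two sets of instructions agree. The section also says all contributions must be signed off without describing what CI accepts: the workflow's regex requires a `Name <email>` form and its `--no-merges` option skips merge commits, and both are worth stating here so that a failed check is not a surprise.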