DCO on GitHub
FINOS software projects use the Developer Certificate of Origin (DCO) by default. Contributors certify their commits by adding a Signed-off-by line to each commit message (for example with git commit -s). For background on DCO compared with CLA, see CLA vs. DCO on OSR.
This page describes how to enforce DCO on GitHub using DCO2—the GitHub App that checks pull requests for valid sign-offs (a successor to the classic DCO bot).
Install DCO2
- Install and configure the DCO2 GitHub App for your FINOS organization or for the repositories that should enforce DCO.
- After installation, DCO2 reports a status check on each pull request indicating whether every commit includes a valid
Signed-off-byline.
See the DCO2 documentation for details on check output, remediation commits, and optional .github/dco.yml configuration.
Require the check in branch protection
To actually block merges when sign-offs are missing, enable branch protection on your default branch (and other protected branches as needed) and require the DCO2 status check to pass before merging. See GitHub’s guide on required status checks and protected branches.
Maintainer policy: do not bypass DCO
DCO2 may show a “Set DCO to pass” control on failed checks. Maintainers must not use this to mark a pull request as passing when commits are not properly signed off. Doing so undermines the policy FINOS relies on for contribution provenance. If DCO2’s override remains visible in your repository, treat it as unsupported for routine use; FINOS may remove or hide this option over time.
Projects that want to hide the override UI entirely can set allowOverrideAction: false in .github/dco.yml as described in the DCO2 README (note that this only affects the app’s button—not all ways a repository could be misconfigured).
Getting help
For DCO2 behavior, open an issue on cncf/dco2. For FINOS policy questions, contact help@finos.org.