frmscoe · Sandy-at-Tazama · Apr 6, 2026 · Apr 6, 2026
@@ -22,9 +22,12 @@ jobs:
         fetch-depth: 0  # Fetch all history for all branches to ensure complete commit history is available
 
     - name: Set up environment variables
+      env:
+        PR_BASE_REF: ${{ github.event.pull_request.base.ref }}
+        PR_HEAD_REF: ${{ github.event.pull_request.head.ref }}
       run: |
-        echo "BASE_BRANCH=${{ github.event.pull_request.base.ref }}" >> $GITHUB_ENV
-        echo "HEAD_BRANCH=${{ github.event.pull_request.head.ref }}" >> $GITHUB_ENV
+        printf 'BASE_BRANCH=%s\n' "$PR_BASE_REF" >> "$GITHUB_ENV"
+        printf 'HEAD_BRANCH=%s\n' "$PR_HEAD_REF" >> "$GITHUB_ENV"
 
     # Step to check each commit in the pull request for a Signed-off-by line
     - name: Check for DCO Sign-off
@@ -33,8 +36,8 @@ jobs:
         base_branch=$BASE_BRANCH
         head_branch=$HEAD_BRANCH
 
-        # Get the list of commit hashes between the head branch and base branch
-        commits=$(git log --pretty=format:%H origin/${head_branch}..origin/${base_branch})
+        # Get the list of commit hashes introduced by this PR (head commits not yet in base)
+        commits=$(git log --pretty=format:%H origin/${base_branch}..origin/${head_branch})
         non_compliant_commits=""
 
         # Loop through each commit and check for the Signed-off-by line

@@ -21,11 +21,16 @@ jobs:
         fetch-depth: 0  # Fetch all history for all branches to ensure we have the full commit history
 
     - name: Set up environment variables
+      env:
+        PR_HEAD_REF: ${{ github.event.pull_request.head.ref }}
+        PR_BASE_REF: ${{ github.event.pull_request.base.ref }}
+        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        GH_REPO: ${{ github.repository }}
       run: |
-        echo "PR_HEAD_REF=${{ github.event.pull_request.head.ref }}" >> $GITHUB_ENV
-        echo "PR_BASE_REF=${{ github.event.pull_request.base.ref }}" >> $GITHUB_ENV
-        echo "GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}" >> $GITHUB_ENV
-        echo "GITHUB_REPOSITORY=${{ github.repository }}" >> $GITHUB_ENV
+        printf 'PR_HEAD_REF=%s\n' "$PR_HEAD_REF" >> "$GITHUB_ENV"
+        printf 'PR_BASE_REF=%s\n' "$PR_BASE_REF" >> "$GITHUB_ENV"
+        printf 'GITHUB_TOKEN=%s\n' "$GH_TOKEN" >> "$GITHUB_ENV"
+        printf 'GITHUB_REPOSITORY=%s\n' "$GH_REPO" >> "$GITHUB_ENV"
 
     - name: Check GPG verification status  # Step to check each commit for GPG signature verification
       run: |
@@ -47,5 +52,7 @@ jobs:
 
           # If the commit is not verified, list it and exit with a non-zero status
           if [[ "$verified" != "true" ]]; then
+            echo "GPG signature verification failed for commit $commit."
+            exit 1
           fi
         done
@@ -23,7 +23,7 @@ jobs:
     steps:
       # Step to check out the repository code.
       - name: Checkout Repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
 
       # Step to set up environment variables required for the script.
       - name: Set up environment variables

@@ -18,7 +18,7 @@ jobs:
     steps:
       # Checkout the main branch with all history
       - name: Checkout Repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
         with:
           ref: main
           fetch-depth: 0 # Fetch all tags
@@ -68,7 +68,7 @@ jobs:
           fi
 
           echo "Release Type: $RELEASE_TYPE"
-          echo "::set-output name=release_type::$RELEASE_TYPE"
+          echo "release_type=$RELEASE_TYPE" >> "$GITHUB_OUTPUT"
 
       # Bump the version based on the determined release type
       - name: Bump Version
@@ -98,7 +98,7 @@ jobs:
 
           NEW_VERSION="v$MAJOR.$MINOR.$PATCH"
           echo "New Version: $NEW_VERSION"
-          echo "::set-output name=new_version::$NEW_VERSION"
+          echo "new_version=$NEW_VERSION" >> "$GITHUB_OUTPUT"
 
       # Get the milestone details
       - name: Get Milestone Details
@@ -110,9 +110,13 @@ jobs:
           MILESTONE_TITLE=$(echo "$MILESTONE_RESPONSE" | jq -r '.title')
           MILESTONE_DESCRIPTION=$(echo "$MILESTONE_RESPONSE" | jq -r '.description')
           MILESTONE_DATE=$(echo "$MILESTONE_RESPONSE" | jq -r '.due_on')
-          echo "::set-output name=milestone_title::$MILESTONE_TITLE"
-          echo "::set-output name=milestone_description::$MILESTONE_DESCRIPTION"
-          echo "::set-output name=milestone_date::$MILESTONE_DATE"
+          echo "milestone_title=$MILESTONE_TITLE" >> "$GITHUB_OUTPUT"
+          {
+            echo 'milestone_description<<EOF'
+            echo "$MILESTONE_DESCRIPTION"
+            echo 'EOF'
+          } >> "$GITHUB_OUTPUT"
+          echo "milestone_date=$MILESTONE_DATE" >> "$GITHUB_OUTPUT"
 
       # Generate the changelog based on commit messages and labels
       - name: Generate Changelog
@@ -199,13 +203,17 @@ jobs:
           # Append non-labeled commits to the changelog file
           append_non_labeled_commits
 
-          echo "::set-output name=changelog_file::$CHANGELOG_FILE"
+          echo "changelog_file=$CHANGELOG_FILE" >> "$GITHUB_OUTPUT"
 
       # Read changelog contents into a variable
       - name: Read Changelog Contents
         id: read_changelog
         run: |
-          echo "::set-output name=changelog_contents::$(cat /home/runner/work/changelog.txt)"
+          {
+            echo 'changelog_contents<<EOF'
+            cat /home/runner/work/changelog.txt
+            echo 'EOF'
+          } >> "$GITHUB_OUTPUT"
 
       # Display changelog
       - name: Display Changelog
@@ -231,16 +239,12 @@ jobs:
           draft: false
           prerelease: false
 
-      - name: Get Latest Release
-        run: |
-          echo "LATEST_RELEASE=$(gh release list --limit 1 | awk '{print $1}')" >> $GITHUB_ENV
-          echo "The latest release tag is $LATEST_RELEASE"
-
       - name: Send Slack Notification
+        continue-on-error: true
         env:
           SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
         run: |
-          curl -X POST -H 'Content-type: application/json' --data '{
+          curl --fail -sS -X POST -H 'Content-type: application/json' --data '{
             "blocks": [
               {
                 "type": "header",
@@ -259,9 +263,9 @@ jobs:
                   },
                   {
                     "type": "mrkdwn",
-                    "text": "*Release:*\n<https://github.com/${{ github.repository }}/releases/tag/${{ env.LATEST_RELEASE }}|Release notes>"
+                    "text": "*Release:*\n<https://github.com/${{ github.repository }}/releases/tag/${{ steps.bump_version.outputs.new_version }}|Release notes>"
                   }
                 ]
               }
             ]
-          }' ${{ secrets.SLACK_WEBHOOK_URL }}
+          }' "$SLACK_WEBHOOK_URL"
@@ -39,7 +39,7 @@ jobs:
         with:
           results_file: results.sarif
           results_format: sarif
-# Publish results (badge + REST API) on main, schedule, and branch_protection_rule events.
+          # Publish results (badge + REST API) on main, schedule, and branch_protection_rule events.
           publish_results: ${{ github.ref == 'refs/heads/main' || github.event_name == 'schedule' || github.event_name == 'branch_protection_rule' }}
 
       - name: "Upload artifact"

@@ -1,9 +1,73 @@
 # `dco-check.yml`
 
-> This workflow is distributed from [`tazama-lf/workflows`](https://github.com/tazama-lf/workflows) without modification. For full documentation — including trigger details, job steps, required secrets, and known limitations — see:
->
-> **[`workflow-docs/dco-check.md` in tazama-lf/workflows](https://github.com/tazama-lf/workflows/blob/dev/workflow-docs/dco-check.md)**
+## Purpose
 
-## frmscoe-specific notes
+Checks that every commit in a pull request includes a `Signed-off-by:` line, enforcing Developer Certificate of Origin (DCO) compliance across all contributions.
 
-⚠️ The `git log` range in this workflow is reversed — it checks commits in the base branch that are not in the head branch, rather than the PR's new commits. DCO sign-off is not currently being verified correctly. This is a known issue tracked in [tazama-lf/workflows#37](https://github.com/tazama-lf/workflows/issues/37).
+---
+
+## Trigger
+
+| Event | Conditions |
+|-------|-----------|
+| `pull_request` | all types |
+
+---
+
+## Execution Context
+
+| Property | Value |
+|----------|-------|
+| Runner | `ubuntu-latest` |
+| Typical duration | ~20 s |
+| Concurrency | none |
+| Permissions | default |
+
+---
+
+## Jobs
+
+### `dco` — DCO
+
+**Steps:**
+
+1. `actions/checkout@v4` — full history fetch (`fetch-depth: 0`)
+2. `Set up environment variables` — captures `BASE_BRANCH` and `HEAD_BRANCH` from PR context
+3. `Check for DCO Sign-off` — iterates commits between head and base; fails listing non-compliant SHAs
+
+---
+
+## Required Secrets
+
+None.
+
+---
+
+## Sync Distribution
+
+| Group | Behaviour |
+|-------|----------|
+| All `REPOS` | Receives this file |
+
+---
+
+## Dependencies (pinned actions)
+
+| Action | Pinned SHA | Semver alias |
+|--------|-----------|----------|
+| `actions/checkout` | tag ref `v4` | — |
+
+---
+
+## Known Limitations / Notes
+
+- `dependabot[bot]` actors are excluded.
+- The `git log` range uses `origin/HEAD_BRANCH..origin/BASE_BRANCH`, which gives commits present in the base but absent from the head — the reverse of what a DCO check requires. The correct range is `origin/BASE_BRANCH..origin/HEAD_BRANCH`. This is a latent bug; the check may pass silently on PRs that contain unsigned commits.
+
+---
+
+## Repository Overrides
+
+| Repository | Reason |
+|-----------|--------|
+| _(none)_ | _(all synced repos use the canonical version)_ |
@@ -1,9 +1,74 @@
 # `gpg-verify.yml`
 
-> This workflow is distributed from [`tazama-lf/workflows`](https://github.com/tazama-lf/workflows) without modification. For full documentation — including trigger details, job steps, required secrets, and known limitations — see:
->
-> **[`workflow-docs/gpg-verify.md` in tazama-lf/workflows](https://github.com/tazama-lf/workflows/blob/dev/workflow-docs/gpg-verify.md)**
+## Purpose
 
-## frmscoe-specific notes
+Verifies that every commit in a pull request has a valid GPG signature using the GitHub REST API, ensuring that only verified commits can be merged.
 
-_None — behaviour in `frmscoe` rule repos is identical to the canonical workflow._
+---
+
+## Trigger
+
+| Event | Conditions |
+|-------|-----------|
+| `pull_request` | all types |
+
+---
+
+## Execution Context
+
+| Property | Value |
+|----------|-------|
+| Runner | `ubuntu-latest` |
+| Typical duration | ~20–30 s |
+| Concurrency | none |
+| Permissions | default |
+
+---
+
+## Jobs
+
+### `gpg-verify` — GPG Verify
+
+**Steps:**
+
+1. `actions/checkout@v4` — full history fetch (`fetch-depth: 0`)
+2. `Set up environment variables` — captures `PR_HEAD_REF`, `PR_BASE_REF`, `GITHUB_TOKEN`, `GITHUB_REPOSITORY`
+3. `Check GPG verification status` — iterates commits via `git log origin/${PR_BASE_REF}..origin/${PR_HEAD_REF}`; queries `/repos/:repo/commits/:sha` for each and checks `.commit.verification.verified`; fails if any commit is unverified
+
+---
+
+## Required Secrets
+
+None (uses auto-provided `GITHUB_TOKEN`).
+
+---
+
+## Sync Distribution
+
+| Group | Behaviour |
+|-------|----------|
+| All `REPOS` | Receives this file |
+
+---
+
+## Dependencies (pinned actions)
+
+| Action | Pinned SHA | Semver alias |
+|--------|-----------|----------|
+| `actions/checkout` | tag ref `v4` | — |
+
+---
+
+## Known Limitations / Notes
+
+- `dependabot[bot]`, `dependabot-preview[bot]`, and `github-actions[bot]` actors are excluded — these automated actors do not have GPG keys and will never produce signed commits.
+- An empty commit range (e.g. no new commits on the head branch) is handled gracefully — the step exits 0 without failing.
+- GPG verification is checked via the GitHub commit API (`.commit.verification.verified`), which uses the committer's GitHub-linked public key. Local GPG keyrings on the runner are not required.
+
+---
+
+## Repository Overrides
+
+| Repository | Reason |
+|-----------|--------|
+| _(none)_ | _(all synced repos use the canonical version)_ |