Add CI check verifying commits come from NVIDIA-affiliated authors #49
Merged
The DCO check (#38) verifies every commit carries a Signed-off-by trailer but doesn't validate that the author email matches an NVIDIA-affiliated address. Catalog content is published externally under NVIDIA's name — accepting commits from arbitrary personal/external email addresses creates IP-traceability gaps that are hard to clean up after the fact.

PR #47 surfaced this gap concretely: an external contributor opened a catalog onboarding PR with commits authored from gmail.com and eduquencher.com addresses. Detection happened during human review only; this workflow makes it an automated gate.

The check walks every non-merge commit between base and head, and fails if any commit's author OR committer email isn't @nvidia.com or @users.noreply.github.com (github-noreply covers NVIDIA-org members who hide their personal email). The automated/sync-skills branch is exempt — same rationale as the DCO check, it's the bot mirror, not a contributor.

Companion change: catalog-pr-reviewer skill updated with the same check inline so reviewers see the violation locally before opening the PR rather than after CI fails.

Signed-off-by: Moshe Abramovitch <moshea@nvidia.com>
sayalinvidia (Collaborator) approved these changes on May 5, 2026: lgtm!
The DCO check (#38) verifies every commit carries a Signed-off-by trailer but doesn't validate that the email matches an NVIDIA-affiliated address. Catalog content is published externally under NVIDIA's name — accepting commits from arbitrary personal/external email addresses creates IP-traceability gaps that are hard to clean up after the fact.

What it does

The check walks every non-merge commit between base and head, and fails if any commit's author OR committer email isn't @nvidia.com or @users.noreply.github.com (the github-noreply pattern covers NVIDIA-org members who hide their personal email). The automated/sync-skills branch is exempt — same rationale as the DCO check, it's the bot mirror, not a contributor.

Recovery flow when the check fails

For NVIDIA employees committing from a personal account, the failure log surfaces a copy-paste recovery:

For genuinely external contributions, the failure log directs the contributor to a CODEOWNER. We don't --admin override; external contributions need explicit OSRB review before merge.

Companion change

The catalog-pr-reviewer skill at gitlab-master.nvidia.com/moshea/catalog-pr-reviewer was updated in parallel with the same check inline (scripts/verify-pr.sh), so reviewers using the skill see the violation locally before opening the PR rather than only after CI fails.

Tested

- dtammineedi@eduquencher.com and doondiashlesh@gmail.com as violations
- moshea@nvidia.com
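The affiliation gate described above, written out as an added shell example; this is not the PR's workflow file or the catalog-pr-reviewer's scripts/verify-pr.sh, and the function names, the stdin format and the sample commit list are my own assumptions. It assumes commit emails arrive on stdin as tab-separated author/committer pairs, which is what `git log --no-merges --format='%ae%x09%ce' "$BASE..$HEAD"` prints, and that the PR's head branch name is passed as an argument so the automated/sync-skills exemption can be applied. The sample input is constructed, not taken from real commits.

```shell
#!/bin/sh
# Added example of the author/committer email gate (not the PR's own code).
# Input: lines of "<author-email><TAB><committer-email>", one per non-merge commit.

ALLOWED_DOMAINS="nvidia.com users.noreply.github.com"
EXEMPT_BRANCH="automated/sync-skills"   # bot mirror branch named in the PR

# is_allowed_email EMAIL
# Succeeds only when the part after the LAST '@' equals an allowed domain
# (case-insensitive). Exact comparison matters: nvidia.com@gmail.com and
# user@nvidia.com.example.org must both be rejected, so no substring match.
is_allowed_email() {
    email=$1
    case $email in
        *@*) ;;
        *) return 1 ;;          # no '@' at all: cannot attribute, reject
    esac
    domain=$(printf '%s' "${email##*@}" | tr '[:upper:]' '[:lower:]')
    for d in $ALLOWED_DOMAINS; do
        [ "$domain" = "$d" ] && return 0
    done
    return 1
}

# check_commits BRANCH  (commit lines on stdin)
# Prints one VIOLATION line per offending author or committer address.
# Returns 0 when every address is affiliated, 1 otherwise; the exempt
# branch short-circuits to 0 like the PR describes.
check_commits() {
    branch=$1
    if [ "$branch" = "$EXEMPT_BRANCH" ]; then
        echo "branch $branch is the bot mirror; skipping affiliation check"
        return 0
    fi
    status=0
    tab=$(printf '\t')
    while IFS="$tab" read -r author committer; do
        [ -z "$author$committer" ] && continue
        for who in "author=$author" "committer=$committer"; do
            addr=${who#*=}
            if ! is_allowed_email "$addr"; then
                echo "VIOLATION: $who is not an NVIDIA-affiliated address"
                status=1
            fi
        done
    done
    return $status
}

# Constructed sample (hypothetical addresses): two clean commits, then one
# authored from a personal address with an @nvidia.com committer, which the
# gate must still flag because author AND committer are both checked.
SAMPLE_COMMITS=$(printf '%s\t%s\n' \
    dev@nvidia.com dev@nvidia.com \
    12345+someone@users.noreply.github.com dev@nvidia.com \
    contributor@example.com dev@nvidia.com)

# Run the gate over the sample when executed directly; in CI the branch
# would come from the PR head ref instead of this literal.
printf '%s\n' "$SAMPLE_COMMITS" | check_commits main \
    || echo "gate result: this PR would fail the affiliation check"
```

Two practical notes. First, matching the domain exactly after the last `@` is what keeps lookalike addresses out; a `grep nvidia.com` style check would pass `nvidia.com@gmail.com`. Second, commits created through GitHub's web editor are recorded with committer `noreply@github.com`, which is not one of the two domains the PR allows, so a team adopting this rule as stated should expect such commits to surface as committer violations and decide deliberately whether that is acceptable.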