Force signed commits

[zOnlyKroks]

Good Evening,
I am currently in the process of deciding if its reasonable, to force signed commits to every branch.

My thought process is, that these charts come to use in production environments, so atleast knowing / verifying who made what change is important

What is yall´s opinion about this idea?

[zOnlyKroks]

Especially asking @dloewen2 and @mms-gianni

[mms-gianni]

This came also to my mind. I actually think sign-off is a good idea. But it also has disadvantages. For example, it can be a hurdle for new contributors.

The advantage is that it's still possible to trace who made the commit even if the Github account no longer exists.

However, it doesn't guarantee that real names and email addresses were used for the sign-off.

I'm also aware of larger, well-known projects that made sign-off mandatory. https://github.com/k8s-operatorhub/community-operators/commits/main/

In the beginning, perhaps a hint that it's preferred might be sufficient. There's a Github action that leaves a comment in the PR.

https://github.com/marketplace/actions/check-signed-commits-in-pr

[zOnlyKroks]

i wanted to kind of give a grace period of x amount of months, where it is discouraged to commit without verification, but after that, merge requests without verified commits won't be merged no-more.

[zOnlyKroks]

i wanted to kind of give a grace period of x amount of months, where it is discouraged to commit without verification, but after that, merge requests without verified commits won't be merged no-more.

as of now, this warning is implemented in pr´s where new pushes happen