ci(dco): add DCO enforcement workflow

[nullvariant]

Summary

• Add Developer Certificate of Origin (DCO) check for all pull requests
• Use dco-check (PyPI, christophebedard/dco-check) directly in workflow instead of cncf/dcochecker wrapper (stale actions/checkout@v2, no version pinning)
• Reject dcoapp/app (GitHub App) due to external Probot server dependency and override bypass capability

Changes

• .github/workflows/dco.yml: New workflow with SHA-pinned actions and hash-verified pip install dco-check==0.5.0
• CONTRIBUTING.md: Add DCO section with sign-off instructions and DCO v1.1 summary
• AGENTS.md: Add --signoff requirement to Key Constraints

Security

• actions/checkout@v6.0.2, actions/setup-python@v6.2.0, step-security/harden-runner@v2.16.1 — all SHA-pinned
• pip install uses --require-hashes --no-deps for supply chain integrity
• permissions: {} at top level, contents: read only at job level

Test plan

• DCO Check workflow runs on PR and passes when commits have Signed-off-by
• DCO Check workflow fails when commits lack Signed-off-by
• CONTRIBUTING.md renders correctly with DCO section

🤖 Generated with Claude Code

[nullvariant-slow]

🦥 Slow's Code Review 😩

...yawn... Do I really have to review this?

⚠️ TOO LONG... I can barely keep my eyes open reading these:

File	Lines

| extensions/git-id-switcher/src/ui/documentationInternal.ts | 483 |

Split it up... reading long files is exhausting.

---

働きたくないでござる

This review was reluctantly filed by nullvariant-slow[bot]

[nullvariant-mimi]

🐰 Mimi's Validation Report ✅

All checks are looking good! Great job! 🎉

⏳ Some checks are still running. I will keep watching!

---

バリデーターを通してくださいね

This report was carefully prepared by nullvariant-mimi[bot]

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 2d15c76.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

OpenSSF Scorecard

Package	Version	Score	Details
actions/actions/checkout	de0fac2e4500dabe0009e67214ff5f5447ce83dd	🟢 6	Details Check Score Reason Maintained ⚠️ 2 3 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 2 Code-Review 🟢 10 all changesets reviewed Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Packaging ⚠️ -1 packaging workflow not detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 6 branch protection is not maximal on development and all release branches SAST 🟢 8 SAST tool detected but not run on all commits
actions/actions/setup-python	a309ff8b426b58ec0e2a45f0f869d46889d02405	🟢 5.2	Details Check Score Reason Maintained ⚠️ 2 3 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 2 Code-Review 🟢 10 all changesets reviewed Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST 🟢 9 SAST tool is not run on all commits -- score normalized to 9
actions/step-security/harden-runner	fe104658747b27e96e4f7e80cd0a94068e53901d	🟢 7.9	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Branch-Protection 🟢 8 branch protection is not maximal on development and all release branches CI-Tests 🟢 10 13 out of 13 merged PRs checked by a CI test -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Code-Review 🟢 10 all changesets reviewed Contributors 🟢 6 project has 2 contributing companies or organizations -- score normalized to 6 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Maintained 🟢 10 10 commit(s) and 9 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 SAST 🟢 10 SAST tool is run on all commits Security-Policy 🟢 10 security policy file detected Signed-Releases ⚠️ -1 no releases found Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Vulnerabilities ⚠️ 0 11 existing vulnerabilities detected

Scanned Files

• .github/workflows/dco.yml

[nullvariant-ciel]

🕊️ Ciel's Mediation 🌤️

*~~ floating down from the clouds ~~ The zoo seems a bit noisy today...*

2 zoo members have reviewed this PR.

Zoo Member	Status
🦥 Slow	Commented
🐰 Mimi	Commented

⚖️ The zoo has mixed opinions. Some are concerned, some are fine with it. Please review each comment carefully and make the final call.

---

まあまあ、ほどほどに。

This mediation was peacefully delivered by nullvariant-ciel[bot]

[nullvariant-ciel]

🕊️ Ciel's Mediation 🌤️

*~~ floating down from the clouds ~~ The zoo seems a bit noisy today...*

2 zoo members have reviewed this PR.

Zoo Member	Status
🦥 Slow	Commented
🐰 Mimi	Commented

⚖️ The zoo has mixed opinions. Some are concerned, some are fine with it. Please review each comment carefully and make the final call.

---

まあまあ、ほどほどに。

This mediation was peacefully delivered by nullvariant-ciel[bot]

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud