[bug] [investigate] DCO sign off on branch merges

[asraa]

Description

Once a ceremony is complete on a branch (e.g. ceremony/2023-02-22), a final automated workflow creates a PR that merges the ceremony branch to main.

This creates a PR with the ceremony commits, for example, see this PR: #676

Which is opened by the sigstore-bot from the workflow and contains the individual commits from the ceremony branch to merge into main.

After manually adding DCO to the Update Snapshot and Timestamp PR, we still find that the DCO action fails to validate the commits due to a mismatch on the sign-off committer name and email and the actual one in the sign-off.

Commit sha: [2acbcce](https://github.com/sigstore/root-signing/pull/676/commits/2acbcce13ca5768d538c7e39cc27dcc91b1c65fd), Author: Bob Callaway, Committer: GitHub; Expected "Bob Callaway [bobcallaway@users.noreply.github.com](mailto:bobcallaway@users.noreply.github.com)", but got "Bob Callaway [bcallaway@google.com](mailto:bcallaway@google.com)".
Commit sha: [9afb8e4](https://github.com/sigstore/root-signing/pull/676/commits/9afb8e44fb255da5445f25fc209cabe1e60c6879), Author: dlorenc, Committer: GitHub; Expected "dlorenc [lorenc.d@gmail.com](mailto:lorenc.d@gmail.com)", but got "Dan Lorenc [dlorenc@chainguard.dev](mailto:dlorenc@chainguard.dev)".
Commit sha: [eb13041](https://github.com/sigstore/root-signing/pull/676/commits/eb130410d2a894b076ee590d7cdffcac742f3e82), Author: Fredrik Skogman, Committer: GitHub; Expected "Fredrik Skogman [kommendorkapten@github.com](mailto:kommendorkapten@github.com)", but got "Brian DeHamer [bdehamer@github.com](mailto:bdehamer@github.com)".
Commit sha: [fda3a54](https://github.com/sigstore/root-signing/pull/676/commits/fda3a54e2c0f558c15969dd7fba87b0f864e4928), Author: Marina Moore, Committer: GitHub; Expected "Marina Moore [mnm678@users.noreply.github.com](mailto:mnm678@users.noreply.github.com)", but got "Marina Moore [mnm678@gmail.com](mailto:mnm678@gmail.com)".

It seems like the committer is the GH user of the person who merged the commit (or in the case of a maintainer, theirs?) and the actual person who signed off is the sign-off email used in the commit.

(1) I'm not sure why DCO is doing such a strict validation.
(2) I know we could squash and create a merge commit with sign-off, but then we lose the individual commits preserved
(3) We can "Set DCO to pass" manually on these and merge.
(4) It feels like there must be a better way for DCO to detect this.

@kommendorkapten

Version

[kommendorkapten]

When merging a PR, we can see this:

The message clearly says: "This commit will be authored by xxx@users.noreply.github.com", I wonder if we update the merge commit message to be singned off by that email, if it will work as expected when the DCO test is done?

Also, would it be ok to change the signoff message?

[asraa]

Seems like a weird process, but I think it would solve the manual merges.

For auto-review bot, I can switch to using https://cli.github.com/manual/gh_pr_merge, which seems to have an --author-email. I can maybe detect the bot ID?

[asraa]

At least for now we can try with the manual merge + use the noreply!

[kommendorkapten]

I think I know about the issue!
See the picture below.
For all activities that happens via GitHub's web UI, such as merges, the primary email configured in GitHub is used. This does not have to be the same email address that is used when signing off on a commit. If these are not in sync, the signoff will not match for the merge commit.

[kommendorkapten]

So my understanding is that if the primary email address in GitHub is the same as the email address used during signoff, the merge commit will pass the DCO test.