config: exempt Copilot-authored PRs from DCO requirement in Tide

[Copilot]

GitHub Copilot's PR-raise feature cannot produce DCO sign-offs, so Tide's dco-signoff: yes label requirement permanently blocks Copilot PRs from merging.

Change

Appends a new tide.queries entry matching author: Copilot across the cert-manager org that:

• Requires lgtm + approved — same review gates as human PRs (no skip-review shortcut)
• Omits dco-signoff: yes
• Blocks on the full missingLabels set, including needs-kind and do-not-merge/release-note-label-needed

- author: Copilot
  orgs:
  - cert-manager
  labels:
  - lgtm
  - approved
  missingLabels:
  - do-not-merge
  - do-not-merge/hold
  - do-not-merge/invalid-owners-file
  - do-not-merge/work-in-progress
  - needs-rebase
  - needs-kind
  - do-not-merge/release-note-label-needed

The Prow dco plugin is left untouched — it will still post the DCO status check, but Tide will not gate on the resulting label for this author. The Copilot login was confirmed against cert-manager/website#2011.

Original prompt

Create a PR in cert-manager/testing (base branch: master) to update the Prow/Tide configuration so Copilot-authored PRs do not require DCO, but still require normal review gates and blockers.

Context

This repo configures testing/github/ci infra for the cert-manager org. DCO is currently enforced via:

• Tide required label dco-signoff: yes in config/config.yaml tide queries.
• Prow dco plugin (org-wide) in config/plugins.yaml.

The user has determined PRs raised via GitHub Copilot Chat on GitHub.com have PR author login Copilot (example PR: cert-manager/website#2011).

They want AI-generated PRs to NOT bypass review and to keep the same missingLabels blockers, but to remove the DCO requirement for those PRs.

Change requested

Edit config/config.yaml:

• In the tide: -> queries: list, append a new query entry at the end (user request: “at the end”) that matches PRs with author: Copilot and orgs: [cert-manager].
• This Copilot query must require the same review labels as humans: lgtm and approved.
• It must NOT require the "dco-signoff: yes" label.
• It must include the missingLabels list provided by the user:
  • do-not-merge
  • do-not-merge/hold
  • do-not-merge/invalid-owners-file
  • do-not-merge/work-in-progress
  • needs-rebase
  • needs-kind
  • do-not-merge/release-note-label-needed

Acceptance criteria

• A PR is opened against cert-manager/testing master.
• config/config.yaml is updated with the new Tide query entry appended at the end of tide.queries.
• YAML remains valid and consistent with existing formatting.
• No other behavior changes (don’t remove the dco plugin; only adjust Tide requirements via the added query).

Notes / considerations

• Ensure indentation matches existing config/config.yaml style.
• Adding this query at the end should be safe, but verify Tide query matching order (first match vs all matches) and ensure Copilot PRs still require lgtm + approved and are not affected by bot-specific skip-review queries.

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: I have tried making you sign off your commits, I have included it in prompts, you tell me you will and never do. I have come to the conclusion that your "raise pr" feature is incapable of signing off commits

Assistant: You’re probably correct: Copilot’s “raise PR” / coding-agent flow does not reliably produce DCO sign-offs, and prompt instructions alone aren’t enforceable. In your infra, DCO is enforced by Prow + Tide, so the practical fix is to stop requiring DCO for the PRs/actors that Copilot uses, or to route Copilot PRs through a path that re-writes commits with sign-off.

From what’s in cert-manager/testing today, the “requirement” is coming from Tide queries that include the label "dco-signoff: yes" plus the org-wide Prow dco plugin:

tide:
  queries:
  - orgs: [cert-manager]
    labels: [lgtm, approved, "dco-signoff: yes"]
  - author: github-actions[bot]
    orgs: [cert-manager]
    labels: [skip-review, "dco-signoff: yes"]
  - author: octo-sts[bot]
    ...
  - author: renovate[bot]
    ...

What to change (actionable)

Option 1: Exempt Copilot PRs in Tide (most direct; no commit rewriting)

Add a Tide query entry matching the Copilot PR author but without "dco-signoff: yes".

Example (you will need to replace the author with the exact login Copilot uses in your PRs):

tide:
  queries:
  - author: <COPILOT_PR_AUTHOR_LOGIN>
    orgs:
    - cert-manager
    labels:
    - skip-review
    missingLabels:
    - do-not-merge
    - do-not-merge/hold
    - do-not-merge/invalid-owners-file
    - do-not-merge/work-in-progress
    - needs-rebase

This makes Tide merge those PRs without DCO even though Prow will still apply dco-signoff: no.

You must confirm the author login Tide will match. It might be:

• your user (ThatsMrTalbot) if Copilot pushes as you,
• github-actions[bot] if it’s using a workflow token,
• or another bot identity.

If you want only Copilot PRs exempt (not all PRs by you), then you need a bot identity to match on, not your personal login.

Option 2: Keep DCO for humans, but create a “Copilot integration” branch policy

If you don’t want to exempt an author across all repos/branches, a pattern is:

• Copilot PRs target copilot-staging (or similar) where DCO isn’t required in Tide
• then a separate, controlled process (human or bot) merges/rebases/squashes into main with sign-off

That’s more complex, but avoids weakening DCO on main-bound PRs.

Option 3: Turn off the Prow dco plugin (not sufficient by itself)

Even if you remove - dco from config/plugins.yaml, Tide is still requiring the label "dco-signoff: yes" in `config/co...

This pull request was created from Copilot chat.

---

🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.

[cert-manager-prow]

Hi @Copilot. Thanks for your PR.

I'm waiting for a cert-manager member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[cert-manager-prow]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from thatsmrtalbot. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[cert-manager-prow]

Thanks for your pull request. Before we can look at it, you'll need to add a 'DCO signoff' to your commits.

📝 Please follow instructions in the contributing guide to update your commits with the DCO

Full details of the Developer Certificate of Origin can be found at developercertificate.org.

The list of commits missing DCO signoff:

• a166ddb Initial plan
• da3ff3a config: add Tide query for Copilot-authored PRs without DCO requirement

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[maelvls]

Duplicate of #1119?

[ThatsMrTalbot]

I think this one is more correct? The other one has

author: copilot-swe-agent[bot]

If you look at a PR raised by Copilot like - https://api.github.com/repos/cert-manager/website/pulls/2011, the .user.login is Copilot

[maelvls]

I think you are right, Prow's status.go#L161 seems to show that the author field is meant to be a GitHub author login, which would be Copilot in our case.

In the case of cert-manager-bot though, the GitHub author login would be cert-manager-prow[bot]: https://api.github.com/repos/cert-manager/testing/commits/d7e8d653c9a24584e33df8cd214171fa77239154. That's what confused me 😅