Set up CLA process and remove DCO (#129)

Signed-off-by: Ilan Bigio <ilan@openai.com>

.github/workflows/cla.yml

@@ -0,0 +1,29 @@
+name: CLA Assistant
+on:
+  issue_comment:
+    types: [created]
+  pull_request_target:
+    types: [opened, closed, synchronize]
+
+permissions:
+  actions: write
+  contents: write
+  pull-requests: write
+  statuses: write
+
+jobs:
+  cla:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: contributor-assistant/github-action@v2.6.1
+        if: |
+          github.event_name == 'pull_request_target' ||
+          github.event.comment.body == 'recheck' ||
+          github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA'
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          path-to-document: docs/CLA.md
+          path-to-signatures: signatures/cla.json
+          branch: cla-signatures
+          allowlist: dependabot[bot]

.github/workflows/dco.yml

@@ -1,43 +0,0 @@
-name: dco
-on: [pull_request]
-
-jobs:
-  check:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read # minimum needed
-
-    steps:
-      - uses: actions/checkout@v4
-        with: { fetch-depth: 0 } # make sure base SHA exists
-
-      - name: Verify Signed‑off‑by lines
-        shell: bash
-        run: |
-          base="${{ github.event.pull_request.base.sha }}"
-          head="${{ github.event.pull_request.head.sha }}"
-
-          unsigned=$(git log --format='%h %s' "$base..$head" | while read sha _; do
-            git show -s --format='%B' "$sha" | grep -qi '^Signed-off-by:' || echo "$sha"
-          done)
-
-          if [ -n "$unsigned" ]; then
-            echo "::error ::❌  DCO check failed."
-            echo ""
-            echo "Commits missing the 'Signed-off-by:' footer:"
-            echo "$unsigned"
-            echo ""
-            echo "🛠 **Quick fix (make ONE signed commit):**"
-            echo "    git fetch origin"
-            echo "    git reset --soft origin/${GITHUB_BASE_REF}"
-            echo "    git commit -s -m \"<your message>\""
-            echo "    git push --force-with-lease"
-            echo ""
-            echo "🔧 **Fix individual commits:**"
-            echo "    git rebase -i origin/${GITHUB_BASE_REF} --exec \"git commit --amend -s --no-edit\""
-            echo "    git push --force-with-lease"
-            echo ""
-            echo "💡  Or edit the commit message in GitHub UI and add:"
-            echo "    Signed-off-by: Your Name <email@example.com>"
-            exit 1
-          fi

README.md

@@ -294,7 +294,7 @@ Any model available with [Responses API](https://platform.openai.com/docs/api-re
 
 This project is under active development and the code will likely change pretty significantly. We'll update this message once that's complete!
 
-More broadly We welcome contributions – whether you are opening your very first pull request or you’re a seasoned maintainer. At the same time we care about reliability and long‑term maintainability, so the bar for merging code is intentionally **high**. The guidelines below spell out what “high‑quality” means in practice and should make the whole process transparent and friendly.
+More broadly we welcome contributions – whether you are opening your very first pull request or you’re a seasoned maintainer. At the same time we care about reliability and long‑term maintainability, so the bar for merging code is intentionally **high**. The guidelines below spell out what “high‑quality” means in practice and should make the whole process transparent and friendly.
 
 ### Development workflow
 
@@ -302,7 +302,19 @@ More broadly We welcome contributions – whether you are opening your very firs
 - Keep your changes focused. Multiple unrelated fixes should be opened as separate PRs.
 - Use `npm run test:watch` during development for super‑fast feedback.
 - We use **Vitest** for unit tests, **ESLint** + **Prettier** for style, and **TypeScript** for type‑checking.
-- Make sure all your commits are signed off with `git commit -s ...`, see [Developer Certificate of Origin (DCO)](#developer-certificate-of-origin-dco) for more details.
+- Before pushing, run the full test/type/lint suite:
+
+  ```bash
+  npm test && npm run lint && npm run typecheck
+  ```
+
+- If you have **not** yet signed the Contributor License Agreement (CLA), add a PR comment containing the exact text
+
+  ```text
+  I have read the CLA Document and I hereby sign the CLA
+  ```
+
+  The CLA‑Assistant bot will turn the PR status green once all authors have signed.
 
 ```bash
 # Watch mode (tests rerun on change)
@@ -318,20 +330,15 @@ npm run format:fix
 
 ### Writing high‑impact code changes
 
-1. **Start with an issue.**
-   Open a new one or comment on an existing discussion so we can agree on the solution before code is written.
-2. **Add or update tests.**
-   Every new feature or bug‑fix should come with test coverage that fails before your change and passes afterwards. 100 % coverage is not required, but aim for meaningful assertions.
-3. **Document behaviour.**
-   If your change affects user‑facing behaviour, update the README, inline help (`codex --help`), or relevant example projects.
-4. **Keep commits atomic.**
-   Each commit should compile and the tests should pass. This makes reviews and potential rollbacks easier.
+1. **Start with an issue.** Open a new one or comment on an existing discussion so we can agree on the solution before code is written.
+2. **Add or update tests.** Every new feature or bug‑fix should come with test coverage that fails before your change and passes afterwards. 100 % coverage is not required, but aim for meaningful assertions.
+3. **Document behaviour.** If your change affects user‑facing behaviour, update the README, inline help (`codex --help`), or relevant example projects.
+4. **Keep commits atomic.** Each commit should compile and the tests should pass. This makes reviews and potential rollbacks easier.
 
 ### Opening a pull request
 
 - Fill in the PR template (or include similar information) – **What? Why? How?**
-- Run **all** checks locally (`npm test && npm run lint && npm run typecheck`).
-  CI failures that could have been caught locally slow down the process.
+- Run **all** checks locally (`npm test && npm run lint && npm run typecheck`). CI failures that could have been caught locally slow down the process.
 - Make sure your branch is up‑to‑date with `main` and that you have resolved merge conflicts.
 - Mark the PR as **Ready for review** only when you believe it is in a merge‑able state.
 
@@ -353,21 +360,20 @@ If you run into problems setting up the project, would like feedback on an idea,
 
 Together we can make Codex CLI an incredible tool. **Happy hacking!** :rocket:
 
-### Developer Certificate of Origin (DCO)
+### Contributor License Agreement (CLA)
 
-All commits **must** include a `Signed‑off‑by:` footer.  
-This one‑line self‑certification tells us you wrote the code and can contribute it under the repo’s license.
+All contributors **must** accept the CLA. The process is lightweight:
 
-#### How to sign (recommended flow)
+1. Open your pull request.
+2. Paste the following comment (or reply `recheck` if you’ve signed before):
 
-```bash
-# squash your work into ONE signed commit
-git reset --soft origin/main          # stage all changes
-git commit -s -m "Your concise message"
-git push --force-with-lease           # updates the PR
-```
+   ```text
+   I have read the CLA Document and I hereby sign the CLA
+   ```
 
-> We enforce **squash‑and‑merge only**, so a single signed commit is enough for the whole PR.
+3. The CLA‑Assistant bot records your signature in the repo and marks the status check as passed.
+
+No special Git commands, email attachments, or commit footers required.
 
 #### Quick fixes
 

docs/CLA.md

@@ -0,0 +1,44 @@
+# Individual Contributor License Agreement (v1.0, OpenAI)
+
+_Based on the Apache Software Foundation Individual CLA v 2.2._
+
+By commenting **“I have read the CLA Document and I hereby sign the CLA”**
+on a Pull Request, **you (“Contributor”) agree to the following terms** for any
+past and future “Contributions” submitted to the **OpenAI Codex CLI project
+(the “Project”)**.
+
+---
+
+## 1. Definitions
+- **“Contribution”** – any original work of authorship submitted to the Project
+  (code, documentation, designs, etc.).
+- **“You” / “Your”** – the individual (or legal entity) posting the acceptance
+  comment.
+
+## 2. Copyright License  
+You grant **OpenAI, Inc.** and all recipients of software distributed by the
+Project a perpetual, worldwide, non‑exclusive, royalty‑free, irrevocable
+license to reproduce, prepare derivative works of, publicly display, publicly
+perform, sublicense, and distribute Your Contributions and derivative works.
+
+## 3. Patent License  
+You grant **OpenAI, Inc.** and all recipients of the Project a perpetual,
+worldwide, non‑exclusive, royalty‑free, irrevocable (except as below) patent
+license to make, have made, use, sell, offer to sell, import, and otherwise
+transfer Your Contributions alone or in combination with the Project.
+
+If any entity brings patent litigation alleging that the Project or a
+Contribution infringes a patent, the patent licenses granted by You to that
+entity under this CLA terminate.
+
+## 4. Representations
+1. You are legally entitled to grant the licenses above.  
+2. Each Contribution is either Your original creation or You have authority to
+   submit it under this CLA.  
+3. Your Contributions are provided **“AS IS”** without warranties of any kind.  
+4. You will notify the Project if any statement above becomes inaccurate.
+
+## 5. Miscellany  
+This Agreement is governed by the laws of the **State of California**, USA,
+excluding its conflict‑of‑laws rules. If any provision is held unenforceable,
+the remaining provisions remain in force.