1--- 2stage: none 3group: unassigned 4info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments 5--- 6 7# Code Review Guidelines 8 9This guide contains advice and best practices for performing code review, and 10having your code reviewed. 11 12All merge requests for GitLab CE and EE, whether written by a GitLab team member 13or a wider community member, must go through a code review process to ensure the 14code is effective, understandable, maintainable, and secure. 15 16## Getting your merge request reviewed, approved, and merged 17 18You are strongly encouraged to get your code **reviewed** by a 19[reviewer](https://about.gitlab.com/handbook/engineering/workflow/code-review/#reviewer) as soon as 20there is any code to review, to get a second opinion on the chosen solution and 21implementation, and an extra pair of eyes looking for bugs, logic problems, or 22uncovered edge cases. 23 24The default approach is to choose a reviewer from your group or team for the first review. 25This is only a recommendation and the reviewer may be from a different team. 26However, it is recommended to pick someone who is a [domain expert](#domain-experts). 27If your merge request touches more than one domain (for example, Dynamic Analysis and GraphQL), ask for reviews from an expert from each domain. 28 29You can read more about the importance of involving reviewer(s) in the section on the responsibility of the author below. 30 31If you need some guidance (for example, it's your first merge request), feel free to ask 32one of the [Merge request coaches](https://about.gitlab.com/company/team/). 33 34If you need assistance with security scans or comments, feel free to include the 35Application Security Team (`@gitlab-com/gl-security/appsec`) in the review. 36 37Depending on the areas your merge request touches, it must be **approved** by one 38or more [maintainers](https://about.gitlab.com/handbook/engineering/workflow/code-review/#maintainer). 39 40For approvals, we use the approval functionality found in the merge request 41widget. For reviewers, we use the [reviewer functionality](../user/project/merge_requests/getting_started.md#reviewer) in the sidebar. 42Reviewers can add their approval by [approving additionally](../user/project/merge_requests/approvals/index.md#approve-a-merge-request). 43 44Getting your merge request **merged** also requires a maintainer. If it requires 45more than one approval, the last maintainer to review and approve merges it. 46 47### Domain experts 48 49Domain experts are team members who have substantial experience with a specific technology, 50product feature, or area of the codebase. Team members are encouraged to self-identify as 51domain experts and add it to their [team profiles](https://gitlab.com/gitlab-com/www-gitlab-com/-/blob/master/data/team_members/person/README.md). 52 53When self-identifying as a domain expert, it is recommended to assign the MR changing the `.yml` file to be merged by an already established Domain Expert or a corresponding Engineering Manager. 54 55We make the following assumption with regards to automatically being considered a domain expert: 56 57- Team members working in a specific stage/group (for example, create: source code) are considered domain experts for that area of the app they work on 58- Team members working on a specific feature (for example, search) are considered domain experts for that feature 59 60We default to assigning reviews to team members with domain expertise. 61When a suitable [domain expert](#domain-experts) isn't available, you can choose any team member to review the MR, or simply follow the [Reviewer roulette](#reviewer-roulette) recommendation. 62 63Team members' domain expertise can be viewed on the [engineering projects](https://about.gitlab.com/handbook/engineering/projects/) page or on the [GitLab team page](https://about.gitlab.com/company/team/). 64 65### Reviewer roulette 66 67The [Danger bot](dangerbot.md) randomly picks a reviewer and a maintainer for 68each area of the codebase that your merge request seems to touch. It only makes 69**recommendations** and you should override it if you think someone else is a better 70fit! 71 72It picks reviewers and maintainers from the list at the 73[engineering projects](https://about.gitlab.com/handbook/engineering/projects/) 74page, with these behaviors: 75 761. It doesn't pick people whose Slack or [GitLab status](../user/profile/index.md#set-your-current-status): 77 - contains the string 'OOO', 'PTO', 'Parental Leave', or 'Friends and Family' 78 - emoji is `:palm_tree:`, `:beach:`, `:beach_umbrella:`, `:beach_with_umbrella:`, `:ferris_wheel:`, `:thermometer:`, `:face_with_thermometer:`, `:red_circle:`, `:bulb:`, `:sun_with_face:`. 79 - GitLab user busy indicator is set to true 801. [Trainee maintainers](https://about.gitlab.com/handbook/engineering/workflow/code-review/#trainee-maintainer) 81 are three times as likely to be picked as other reviewers. 821. Team members whose Slack or [GitLab status](../user/profile/index.md#set-your-current-status) emoji 83 is `:large_blue_circle:` are more likely to be picked. This applies to both reviewers and trainee maintainers. 84 - Reviewers with `:large_blue_circle:` are two times as likely to be picked as other reviewers. 85 - Trainee maintainers with `:large_blue_circle:` are four times as likely to be picked as other reviewers. 861. People whose [GitLab status](../user/profile/index.md#set-your-current-status) emoji 87 is `:large_orange_diamond:` are half as likely to be picked. This applies to both reviewers and trainee maintainers. 881. It always picks the same reviewers and maintainers for the same 89 branch name (unless their OOO status changes, as in point 1). It 90 removes leading `ce-` and `ee-`, and trailing `-ce` and `-ee`, so 91 that it can be stable for backport branches. 92 93### Approval guidelines 94 95As described in the section on the responsibility of the maintainer below, you 96are recommended to get your merge request approved and merged by maintainer(s) 97with [domain expertise](#domain-experts). 98 991. If your merge request includes backend changes (*1*), it must be 100 **approved by a [backend maintainer](https://about.gitlab.com/handbook/engineering/projects/#gitlab_maintainers_backend)**. 1011. If your merge request includes database migrations or changes to expensive queries (*2*), it must be 102 **approved by a [database maintainer](https://about.gitlab.com/handbook/engineering/projects/#gitlab_maintainers_database)**. 103 Read the [database review guidelines](database_review.md) for more details. 1041. If your merge request includes frontend changes (*1*), it must be 105 **approved by a [frontend maintainer](https://about.gitlab.com/handbook/engineering/projects/#gitlab_maintainers_frontend)**. 1061. If your merge request includes user-facing changes (*3*), it must be 107 **approved by a [Product Designer](https://about.gitlab.com/handbook/engineering/projects/#gitlab_reviewers_UX)**, 108 based on assignments in the appropriate [DevOps stage group](https://about.gitlab.com/handbook/product/categories/#devops-stages). 109 See the [design and user interface guidelines](contributing/design.md) for details. 1101. If your merge request includes adding a new JavaScript library (*1*)... 111 - If the library significantly increases the 112 [bundle size](https://gitlab.com/gitlab-org/frontend/playground/webpack-memory-metrics/-/blob/master/doc/report.md), it must 113 be **approved by a [frontend foundations member](https://about.gitlab.com/direction/ecosystem/foundations/)**. 114 - If the license used by the new library hasn't been approved for use in 115 GitLab, the license must be **approved by a [legal department member](https://about.gitlab.com/handbook/legal/)**. 116 More information about license compatibility can be found in our 117 [GitLab Licensing and Compatibility documentation](licensing.md). 1181. If your merge request includes a new dependency or a file system change, it must be 119 **approved by a [Distribution team member](https://about.gitlab.com/company/team/)**. See how to work with the [Distribution team](https://about.gitlab.com/handbook/engineering/development/enablement/distribution/#how-to-work-with-distribution) for more details. 1201. If your merge request includes documentation changes, it must be **approved 121 by a [Technical writer](https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments)**, 122 based on assignments in the appropriate [DevOps stage group](https://about.gitlab.com/handbook/product/categories/#devops-stages). 1231. If your merge request includes changes to development guidelines, follow the [review process](index.md#development-guidelines-review) and get the approvals accordingly. 1241. If your merge request includes end-to-end **and** non-end-to-end changes (*4*), it must be **approved 125 by a [Software Engineer in Test](https://about.gitlab.com/handbook/engineering/quality/#individual-contributors)**. 1261. If your merge request only includes end-to-end changes (*4*) **or** if the MR author is a [Software Engineer in Test](https://about.gitlab.com/handbook/engineering/quality/#individual-contributors), it must be **approved by a [Quality maintainer](https://about.gitlab.com/handbook/engineering/projects/#gitlab_maintainers_qa)** 1271. If your merge request includes a new or updated [application limit](https://about.gitlab.com/handbook/product/product-processes/#introducing-application-limits), it must be **approved by a [product manager](https://about.gitlab.com/company/team/)**. 1281. If your merge request includes Product Intelligence (telemetry or analytics) changes, it should be reviewed and approved by a [Product Intelligence engineer](https://gitlab.com/gitlab-org/growth/product-intelligence/engineers). 1291. If your merge request includes an addition of, or changes to a [Feature spec](testing_guide/testing_levels.md#frontend-feature-tests), it must be **approved by a [Quality maintainer](https://about.gitlab.com/handbook/engineering/projects/#gitlab_maintainers_qa) or [Quality reviewer](https://about.gitlab.com/handbook/engineering/projects/#gitlab_reviewers_qa)**. 1301. If your merge request introduces a new service to GitLab (Puma, Sidekiq, Gitaly are examples), it must be **approved by a [product manager](https://about.gitlab.com/company/team/)**. See the [process for adding a service component to GitLab](adding_service_component.md) for details. 131 132- (*1*): Specs other than JavaScript specs are considered backend code. 133- (*2*): We encourage you to seek guidance from a database maintainer if your merge 134 request is potentially introducing expensive queries. It is most efficient to comment 135 on the line of code in question with the SQL queries so they can give their advice. 136- (*3*): User-facing changes include both visual changes (regardless of how minor), 137 and changes to the rendered DOM which impact how a screen reader may announce 138 the content. 139- (*4*): End-to-end changes include all files within the `qa` directory. 140 141#### Acceptance checklist 142 143This checklist encourages the authors, reviewers, and maintainers of merge requests (MRs) to confirm changes were analyzed for high-impact risks to quality, performance, reliability, security, and maintainability. 144 145Using checklists improves quality in software engineering. This checklist is a straightforward tool to support and bolster the skills of contributors to the GitLab codebase. 146 147##### Quality 148 149See the [test engineering process](https://about.gitlab.com/handbook/engineering/quality/test-engineering/) for further quality guidelines. 150 1511. I have self-reviewed this MR per [code review guidelines](code_review.md). 1521. For the code that this change impacts, I believe that the automated tests ([Testing Guide](testing_guide/index.md)) validate functionality that is highly important to users (including consideration of [all test levels](testing_guide/testing_levels.md)). 1531. If the existing automated tests do not cover the above functionality, I have added the necessary additional tests or added an issue to describe the automation testing gap and linked it to this MR. 1541. I have considered the technical aspects of this change's impact on GitLab.com hosted customers and self-managed customers. 1551. I have considered the impact of this change on the frontend, backend, and database portions of the system where appropriate and applied the `~ux`, `~frontend`, `~backend`, and `~database` labels accordingly. 1561. I have tested this MR in [all supported browsers](../install/requirements.md#supported-web-browsers), or determined that this testing is not needed. 1571. I have confirmed that this change is [backwards compatible across updates](multi_version_compatibility.md), or I have decided that this does not apply. 1581. I have properly separated EE content from FOSS, or this MR is FOSS only. 159 - [Where should EE code go?](ee_features.md#separation-of-ee-code) 1601. I have considered that existing data may be surprisingly varied. For example, a new model validation can break existing records. Consider making validation on existing data optional rather than required if you haven't confirmed that existing data will pass validation. 161 162##### Performance, reliability, and availability 163 1641. I am confident that this MR does not harm performance, or I have asked a reviewer to help assess the performance impact. ([Merge request performance guidelines](merge_request_performance_guidelines.md)) 1651. I have added [information for database reviewers in the MR description](database_review.md#required), or I have decided that it is unnecessary. 166 - [Does this MR have database-related changes?](database_review.md) 1671. I have considered the availability and reliability risks of this change. 1681. I have considered the scalability risk based on future predicted growth. 1691. I have considered the performance, reliability, and availability impacts of this change on large customers who may have significantly more data than the average customer. 170 171##### Documentation 172 1731. I have included changelog trailers, or I have decided that they are not needed. 174 - [Does this MR need a changelog?](changelog.md#what-warrants-a-changelog-entry) 1751. I have added/updated documentation or decided that documentation changes are unnecessary for this MR. 176 - [Is documentation required?](https://about.gitlab.com/handbook/engineering/ux/technical-writing/workflow/#when-documentation-is-required) 177 178##### Security 179 1801. I have confirmed that if this MR contains changes to processing or storing of credentials or tokens, authorization, and authentication methods, or other items described in [the security review guidelines](https://about.gitlab.com/handbook/engineering/security/#when-to-request-a-security-review), I have added the `~security` label and I have `@`-mentioned `@gitlab-com/gl-security/appsec`. 1811. I have reviewed the documentation regarding [internal application security reviews](https://about.gitlab.com/handbook/engineering/security/#internal-application-security-reviews) for **when** and **how** to request a security review and requested a security review if this is warranted for this change. 182 183##### Deployment 184 1851. I have considered using a feature flag for this change because the change may be high risk. 1861. If I am using a feature flag, I plan to test the change in staging before I test it in production, and I have considered rolling it out to a subset of production customers before rolling it out to all customers. 187 - [When to use a feature flag](https://about.gitlab.com/handbook/product-development-flow/feature-flag-lifecycle/#when-to-use-feature-flags) 1881. I have informed the Infrastructure department of a default setting or new setting change per [definition of done](contributing/merge_request_workflow.md#definition-of-done), or decided that this is unnecessary. 189 190### The responsibility of the merge request author 191 192The responsibility to find the best solution and implement it lies with the 193merge request author. The author or [directly responsible individual](https://about.gitlab.com/handbook/people-group/directly-responsible-individuals/) 194(DRI) stays assigned to the merge request as the assignee throughout 195the code review lifecycle. If you are unable to set yourself as an assignee, ask a [reviewer](https://about.gitlab.com/handbook/engineering/workflow/code-review/#reviewer) to do this for you. 196 197Before requesting a review from a maintainer to approve and merge, they 198should be confident that: 199 200- It actually solves the problem it was meant to solve. 201- It does so in the most appropriate way. 202- It satisfies all requirements. 203- There are no remaining bugs, logical problems, uncovered edge cases, 204 or known vulnerabilities. 205 206The best way to do this, and to avoid unnecessary back-and-forth with reviewers, 207is to perform a self-review of your own merge request, following the 208[Code Review](#reviewing-a-merge-request) guidelines. 209 210To reach the required level of confidence in their solution, an author is expected 211to involve other people in the investigation and implementation processes as 212appropriate. 213 214They are encouraged to reach out to [domain experts](#domain-experts) to discuss different solutions 215or get an implementation reviewed, to product managers and UX designers to clear 216up confusion or verify that the end result matches what they had in mind, to 217database specialists to get input on the data model or specific queries, or to 218any other developer to get an in-depth review of the solution. 219 220If an author is unsure if a merge request needs a [domain expert's](#domain-experts) opinion, 221then that indicates it does. Without it, it's unlikely they have the required level of confidence in their 222solution. 223 224Before the review, the author is requested to submit comments on the merge 225request diff alerting the reviewer to anything important as well as for anything 226that demands further explanation or attention. Examples of content that may 227warrant a comment could be: 228 229- The addition of a linting rule (Rubocop, JS etc). 230- The addition of a library (Ruby gem, JS lib etc). 231- Where not obvious, a link to the parent class or method. 232- Any benchmarking performed to complement the change. 233- Potentially insecure code. 234 235Avoid: 236 237- Adding TODO comments (referenced above) directly to the source code unless the reviewer requires 238 you to do so. If TODO comments are added due to an actionable task, 239 [include a link to the relevant issue](code_comments.md). 240- Adding comments which only explain what the code is doing. If non-TODO comments are added, they should 241 [_explain why, not what_](https://blog.codinghorror.com/code-tells-you-how-comments-tell-you-why/). 242- Requesting maintainer reviews of merge requests with failed tests. If the tests are failing and you have to request a review, ensure you leave a comment with an explanation. 243- Excessively mentioning maintainers through email or Slack (if the maintainer is reachable 244through Slack). If you can't add a reviewer for a merge request, `@` mentioning a maintainer in a comment is acceptable and in all other cases adding a reviewer is sufficient. 245 246This saves reviewers time and helps authors catch mistakes earlier. 247 248### The responsibility of the reviewer 249 250[Review the merge request](#reviewing-a-merge-request) thoroughly. When you are confident 251that it meets all requirements, you should: 252 253- Click the Approve button. 254- `@` mention the author to generate a to-do notification, and advise them that their merge request has been reviewed and approved. 255- Request a review from a maintainer. Default to requests for a maintainer with [domain expertise](#domain-experts), 256however, if one isn't available or you think the merge request doesn't need a review by a [domain expert](#domain-experts), feel free to follow the [Reviewer roulette](#reviewer-roulette) suggestion. 257- Remove yourself as a reviewer. 258 259### The responsibility of the maintainer 260 261Maintainers are responsible for the overall health, quality, and consistency of 262the GitLab codebase, across domains and product areas. 263 264Consequently, their reviews focus primarily on things like overall 265architecture, code organization, separation of concerns, tests, DRYness, 266consistency, and readability. 267 268Because a maintainer's job only depends on their knowledge of the overall GitLab 269codebase, and not that of any specific domain, they can review, approve, and merge 270merge requests from any team and in any product area. 271 272Maintainers do their best to also review the specifics of the chosen solution 273before merging, but as they are not necessarily [domain experts](#domain-experts), they may be poorly 274placed to do so without an unreasonable investment of time. In those cases, they 275defer to the judgment of the author and earlier reviewers, in favor of focusing on their primary responsibilities. 276 277If a maintainer feels that an MR is substantial enough that it warrants a review from a [domain expert](#domain-experts), 278and it is unclear whether a domain expert have been involved in the reviews to date, 279they may request a [domain expert's](#domain-experts) review before merging the MR. 280 281If a developer who happens to also be a maintainer was involved in a merge request 282as a reviewer, it is recommended that they are not also picked as the maintainer to ultimately approve and merge it. 283 284Maintainers should check before merging if the merge request is approved by the 285required approvers. If still awaiting further approvals from others, remove yourself as a reviewer then `@` mention the author and explain why in a comment. Stay as reviewer if you're merging the code. 286 287Maintainers must check before merging if the merge request is introducing new 288vulnerabilities, by inspecting the list in the Merge Request 289[Security Widget](../user/application_security/index.md). 290When in doubt, a [Security Engineer](https://about.gitlab.com/company/team/) can be involved. The list of detected 291vulnerabilities must be either empty or containing: 292 293- dismissed vulnerabilities in case of false positives 294- vulnerabilities converted to issues 295 296Maintainers should **never** dismiss vulnerabilities to "empty" the list, 297without duly verifying them. 298 299Note that certain Merge Requests may target a stable branch. These are rare 300events. These types of Merge Requests cannot be merged by the Maintainer. 301Instead, these should be sent to the [Release Manager](https://about.gitlab.com/community/release-managers/). 302 303After merging, a maintainer should stay as the reviewer listed on the merge request. 304 305### Dogfooding the Reviewers feature 306 307On March 18th 2021, an updated process was put in place aimed at efficiently and consistently dogfooding the Reviewers feature. 308 309Here is a summary of the changes, also reflected in this section above. 310 311- Merge request authors and DRIs stay as Assignees 312- Authors request a review from Reviewers when they are expected to review 313- Reviewers remove themselves after they're done reviewing/approving 314- The last approver stays as Reviewer upon merging 315 316## Best practices 317 318### Everyone 319 320- Be kind. 321- Accept that many programming decisions are opinions. Discuss tradeoffs, which 322 you prefer, and reach a resolution quickly. 323- Ask questions; don't make demands. ("What do you think about naming this 324 `:user_id`?") 325- Ask for clarification. ("I didn't understand. Can you clarify?") 326- Avoid selective ownership of code. ("mine", "not mine", "yours") 327- Avoid using terms that could be seen as referring to personal traits. ("dumb", 328 "stupid"). Assume everyone is intelligent and well-meaning. 329- Be explicit. Remember people don't always understand your intentions online. 330- Be humble. ("I'm not sure - let's look it up.") 331- Don't use hyperbole. ("always", "never", "endlessly", "nothing") 332- Be careful about the use of sarcasm. Everything we do is public; what seems 333 like good-natured ribbing to you and a long-time colleague might come off as 334 mean and unwelcoming to a person new to the project. 335- Consider one-on-one chats or video calls if there are too many "I didn't 336 understand" or "Alternative solution:" comments. Post a follow-up comment 337 summarizing one-on-one discussion. 338- If you ask a question to a specific person, always start the comment by 339 mentioning them; this ensures they see it if their notification level is 340 set to "mentioned" and other people understand they don't have to respond. 341 342### Having your merge request reviewed 343 344Please keep in mind that code review is a process that can take multiple 345iterations, and reviewers may spot things later that they may not have seen the 346first time. 347 348- The first reviewer of your code is _you_. Before you perform that first push 349 of your shiny new branch, read through the entire diff. Does it make sense? 350 Did you include something unrelated to the overall purpose of the changes? Did 351 you forget to remove any debugging code? 352- Write a detailed description as outlined in the [merge request guidelines](contributing/merge_request_workflow.md#merge-request-guidelines). 353 Some reviewers may not be familiar with the product feature or area of the 354 codebase. Thorough descriptions help all reviewers understand your request 355 and test effectively. 356- If you know your change depends on another being merged first, note it in the 357 description and set a [merge request dependency](../user/project/merge_requests/merge_request_dependencies.md). 358- Be grateful for the reviewer's suggestions. ("Good call. I'll make that change.") 359- Don't take it personally. The review is of the code, not of you. 360- Explain why the code exists. ("It's like that because of these reasons. Would 361 it be more clear if I rename this class/file/method/variable?") 362- Extract unrelated changes and refactorings into future merge requests/issues. 363- Seek to understand the reviewer's perspective. 364- Try to respond to every comment. 365- The merge request author resolves only the threads they have fully 366 addressed. If there's an open reply, an open thread, a suggestion, 367 a question, or anything else, the thread should be left to be resolved 368 by the reviewer. 369- It should not be assumed that all feedback requires their recommended changes 370 to be incorporated into the MR before it is merged. It is a judgment call by 371 the MR author and the reviewer as to if this is required, or if a follow-up 372 issue should be created to address the feedback in the future after the MR in 373 question is merged. 374- Push commits based on earlier rounds of feedback as isolated commits to the 375 branch. Do not squash until the branch is ready to merge. Reviewers should be 376 able to read individual updates based on their earlier feedback. 377- Request a new review from the reviewer once you are ready for another round of 378 review. If you do not have the ability to request a review, `@` 379 mention the reviewer instead. 380 381### Requesting a review 382 383When you are ready to have your merge request reviewed, 384you should [request an initial review](../user/project/merge_requests/getting_started.md#reviewer) by selecting a reviewer from your group or team. 385However, you can also assign it to any reviewer. The list of reviewers can be found on [Engineering projects](https://about.gitlab.com/handbook/engineering/projects/) page. 386 387You can also use `workflow::ready for review` label. That means that your merge request is ready to be reviewed and any reviewer can pick it. It is recommended to use that label only if there isn't time pressure and make sure the merge request is assigned to a reviewer. 388 389When your merge request receives an approval from the first reviewer it can be passed to a maintainer. You should default to choosing a maintainer with [domain expertise](#domain-experts), and otherwise follow the Reviewer Roulette recommendation or use the label `ready for merge`. 390 391Sometimes, a maintainer may not be available for review. They could be out of the office or [at capacity](#review-response-slo). 392You can and should check the maintainer's availability in their profile. If the maintainer recommended by 393the roulette is not available, choose someone else from that list. 394 395It is the responsibility of the author for the merge request to be reviewed. If it stays in the `ready for review` state too long it is recommended to request a review from a specific reviewer. 396 397#### List of merge requests ready for review 398 399Developers who have capacity can regularly check the list of [merge requests to review](https://gitlab.com/groups/gitlab-org/-/merge_requests?state=opened&label_name%5B%5D=workflow%3A%3Aready%20for%20review) and add themselves as a reviewer for any merge request they want to review. 400 401### Reviewing a merge request 402 403Understand why the change is necessary (fixes a bug, improves the user 404experience, refactors the existing code). Then: 405 406- Try to be thorough in your reviews to reduce the number of iterations. 407- Communicate which ideas you feel strongly about and those you don't. 408- Identify ways to simplify the code while still solving the problem. 409- Offer alternative implementations, but assume the author already considered 410 them. ("What do you think about using a custom validator here?") 411- Seek to understand the author's perspective. 412- If you don't understand a piece of code, _say so_. There's a good chance 413 someone else would be confused by it as well. 414- Ensure the author is clear on what is required from them to address/resolve the suggestion. 415 - Consider using the [Conventional Comment format](https://conventionalcomments.org#format) to 416 convey your intent. 417 - For non-mandatory suggestions, decorate with (non-blocking) so the author knows they can 418 optionally resolve within the merge request or follow-up at a later stage. 419 - There's a [Chrome/Firefox add-on](https://gitlab.com/conventionalcomments/conventional-comments-button) which you can use to apply [Conventional Comment](https://conventionalcomments.org/) prefixes. 420- Ensure there are no open dependencies. Check [linked issues](../user/project/issues/related_issues.md) for blockers. Clarify with the author(s) 421if necessary. If blocked by one or more open MRs, set an [MR dependency](../user/project/merge_requests/merge_request_dependencies.md). 422- After a round of line notes, it can be helpful to post a summary note such as 423 "Looks good to me", or "Just a couple things to address." 424- Let the author know if changes are required following your review. 425 426WARNING: 427**If the merge request is from a fork, also check the [additional guidelines for community contributions](#community-contributions).** 428 429### Merging a merge request 430 431Before taking the decision to merge: 432 433- Set the milestone. 434- Consider warnings and errors from danger bot, code quality, and other reports. 435 Unless a strong case can be made for the violation, these should be resolved 436 before merging. A comment must be posted if the MR is merged with any failed job. 437- If the MR contains both Quality and non-Quality-related changes, the MR should be merged by the relevant maintainer for user-facing changes (backend, frontend, or database) after the Quality related changes are approved by a Software Engineer in Test. 438 439If a merge request is fundamentally ready, but needs only trivial fixes (such as 440typos), consider demonstrating a [bias for 441action](https://about.gitlab.com/handbook/values/#bias-for-action) by making 442those changes directly without going back to the author. You can do this by 443using the [suggest changes](../user/project/merge_requests/reviews/suggestions.md) feature to apply 444your own suggestions to the merge request. Note that: 445 446- If the changes are not straightforward, please prefer allowing the author to make the change. 447- **Before applying suggestions**, edit the merge request to make sure 448 [squash and 449 merge](../user/project/merge_requests/squash_and_merge.md#squash-and-merge) 450 is enabled, otherwise, the pipeline's Danger job fails. 451 - If a merge request does not have squash and merge enabled, and it 452 has more than one commit, then see the note below about rewriting 453 commit history. 454 455As a maintainer, if a merge request that you authored has received all required approvals, it is acceptable to show a [bias for action](https://about.gitlab.com/handbook/values/#bias-for-action) and merge your own MR, if: 456 457- The last maintainer to review intended to start the merge and did not, OR 458- The last maintainer to review started the merge, but some trivial chore caused the pipeline to break. For example, the MR might need a rebase first because of unrelated pipeline issues, or some files might need to be regenerated (like `gitlab.pot`). 459 - "Trivial" is a subjective measure but we expect project maintainers to exercise their judgement carefully and cautiously. 460 461When ready to merge: 462 463WARNING: 464**If the merge request is from a fork, also check the [additional guidelines for community contributions](#community-contributions).** 465 466- Consider using the [Squash and 467 merge](../user/project/merge_requests/squash_and_merge.md#squash-and-merge) 468 feature when the merge request has a lot of commits. 469 When merging code, a maintainer should only use the squash feature if the 470 author has already set this option, or if the merge request clearly contains a 471 messy commit history, it will be more efficient to squash commits instead of 472 circling back with the author about that. Otherwise, if the MR only has a few commits, we'll 473 be respecting the author's setting by not squashing them. 474- Start a new merge request pipeline with the `Run pipeline` button in the merge 475 request's "Pipelines" tab, and enable "Merge When Pipeline Succeeds" (MWPS). 476 Note that: 477 - If **[the default branch is broken](https://about.gitlab.com/handbook/engineering/workflow/#broken-master), 478 do not merge the merge request** except for 479 [very specific cases](https://about.gitlab.com/handbook/engineering/workflow/#criteria-for-merging-during-broken-master). 480 For other cases, follow these [handbook instructions](https://about.gitlab.com/handbook/engineering/workflow/#merging-during-broken-master). 481 - If the latest pipeline was created before the merge request was approved, start a new pipeline to ensure that full RSpec suite has been run. You may skip this step only if the merge request does not contain any backend change. 482 - If the **latest [Pipeline for Merged Results](../ci/pipelines/pipelines_for_merged_results.md)** finished less than 2 hours ago, you 483 may merge without starting a new pipeline as the merge request is close 484 enough to `main`. 485- When you set the MR to "Merge When Pipeline Succeeds", you should take over 486 subsequent revisions for anything that would be spotted after that. 487- For merge requests that have had [Squash and 488 merge](../user/project/merge_requests/squash_and_merge.md#squash-and-merge) set, 489 the squashed commit's default commit message is taken from the merge request title. 490 You're encouraged to [select a commit with a more informative commit message](../user/project/merge_requests/squash_and_merge.md) before merging. 491 492Thanks to **Pipeline for Merged Results**, authors no longer have to rebase their 493branch as frequently anymore (only when there are conflicts) because the Merge 494Results Pipeline already incorporate the latest changes from `main`. 495This results in faster review/merge cycles because maintainers don't have to ask 496for a final rebase: instead, they only have to start a MR pipeline and set MWPS. 497This step brings us very close to the actual Merge Trains feature by testing the 498Merge Results against the latest `main` at the time of the pipeline creation. 499 500### Community contributions 501 502WARNING: 503**Review all changes thoroughly for malicious code before starting a 504[Pipeline for Merged Results](../ci/pipelines/merge_request_pipelines.md#run-pipelines-in-the-parent-project-for-merge-requests-from-a-forked-project).** 505 506When reviewing merge requests added by wider community contributors: 507 508- Pay particular attention to new dependencies and dependency updates, such as Ruby gems and Node packages. 509 While changes to files like `Gemfile.lock` or `yarn.lock` might appear trivial, they could lead to the 510 fetching of malicious packages. 511- Review links and images, especially in documentation MRs. 512- When in doubt, ask someone from `@gitlab-com/gl-security/appsec` to review the merge request **before manually starting any merge request pipeline**. 513 514If the MR source branch is more than 1,000 commits behind the target branch: 515 516- Ask the author to rebase it, or consider taking a bias-for-action and rebasing it yourself 517 if the MR has "Allows commits from members who can merge to the target branch" enabled. 518- Reviewing MRs in the context of recent changes can help prevent hidden runtime conflicts and 519 promote consistency. Depending on the nature of the change, you might also want to rebase if the 520 MR is less than 1,000 commits behind. 521- A forced push could throw off the contributor, so it's a good idea to communicate that you've performed a rebase, 522 or check with the contributor first when they're actively working on the MR. 523- The rebase can usually be done inside GitLab with the `/rebase` [quick action](../user/project/quick_actions.md). 524 525When an MR needs further changes but the author is not responding for a long period of time, 526or unable to finish the MR, we can take it over in accordance with our 527[Closing policy for issues and merge requests](contributing/#closing-policy-for-issues-and-merge-requests): 528 5291. Add a comment to their MR saying you'll take it over to be able to get it merged. 5301. Add the label `~"coach will finish"` to their MR. 5311. Create a new feature branch from the main branch. 5321. Merge their branch into your new feature branch. 5331. Open a new merge request to merge your feature branch into the main branch. 5341. Link the community MR from your MR and label it as `~"Community contribution"`. 5351. Make any necessary final adjustments and ping the contributor to give them the chance to review your changes, and to make them aware that their content is being merged into the main branch. 5361. Make sure the content complies with all the merge request guidelines. 5371. Follow the regular review process as we do for any merge request. 538 539### The right balance 540 541One of the most difficult things during code review is finding the right 542balance in how deep the reviewer can interfere with the code created by a 543author. 544 545- Learning how to find the right balance takes time; that is why we have 546 reviewers that become maintainers after some time spent on reviewing merge 547 requests. 548- Finding bugs is important, but thinking about good design is important as 549 well. Building abstractions and good design is what makes it possible to hide 550 complexity and makes future changes easier. 551- Enforcing and improving [code style](contributing/style_guides.md) should be primarily done through 552 [automation](https://about.gitlab.com/handbook/values/#cleanup-over-sign-off) 553 instead of review comments. 554- Asking the author to change the design sometimes means the complete rewrite 555 of the contributed code. It's usually a good idea to ask another maintainer or 556 reviewer before doing it, but have the courage to do it when you believe it is 557 important. 558- In the interest of [Iteration](https://about.gitlab.com/handbook/values/#iteration), 559 if your review suggestions are non-blocking changes, or personal preference 560 (not a documented or agreed requirement), consider approving the merge request 561 before passing it back to the author. This allows them to implement your suggestions 562 if they agree, or allows them to pass it onto the 563 maintainer for review straight away. This can help reduce our overall time-to-merge. 564- There is a difference in doing things right and doing things right now. 565 Ideally, we should do the former, but in the real world we need the latter as 566 well. A good example is a security fix which should be released as soon as 567 possible. Asking the author to do the major refactoring in the merge 568 request that is an urgent fix should be avoided. 569- Doing things well today is usually better than doing something perfectly 570 tomorrow. Shipping a kludge today is usually worse than doing something well 571 tomorrow. When you are not able to find the right balance, ask other people 572 about their opinion. 573 574### GitLab-specific concerns 575 576GitLab is used in a lot of places. Many users use 577our [Omnibus packages](https://about.gitlab.com/install/), but some use 578the [Docker images](../install/docker.md), some are 579[installed from source](../install/installation.md), 580and there are other installation methods available. GitLab.com itself is a large 581Enterprise Edition instance. This has some implications: 582 5831. **Query changes** should be tested to ensure that they don't result in worse 584 performance at the scale of GitLab.com: 585 1. Generating large quantities of data locally can help. 586 1. Asking for query plans from GitLab.com is the most reliable way to validate 587 these. 5881. **Database migrations** must be: 589 1. Reversible. 590 1. Performant at the scale of GitLab.com - ask a maintainer to test the 591 migration on the staging environment if you aren't sure. 592 1. Categorized correctly: 593 - Regular migrations run before the new code is running on the instance. 594 - [Post-deployment migrations](post_deployment_migrations.md) run _after_ 595 the new code is deployed, when the instance is configured to do that. 596 - [Background migrations](background_migrations.md) run in Sidekiq, and 597 should only be done for migrations that would take an extreme amount of 598 time at GitLab.com scale. 5991. **Sidekiq workers** [cannot change in a backwards-incompatible way](sidekiq_style_guide.md#sidekiq-compatibility-across-updates): 600 1. Sidekiq queues are not drained before a deploy happens, so there are 601 workers in the queue from the previous version of GitLab. 602 1. If you need to change a method signature, try to do so across two releases, 603 and accept both the old and new arguments in the first of those. 604 1. Similarly, if you need to remove a worker, stop it from being scheduled in 605 one release, then remove it in the next. This allows existing jobs to 606 execute. 607 1. Don't forget, not every instance is upgraded to every intermediate version 608 (some people may go from X.1.0 to X.10.0, or even try bigger upgrades!), so 609 try to be liberal in accepting the old format if it is cheap to do so. 6101. **Cached values** may persist across releases. If you are changing the type a 611 cached value returns (say, from a string or nil to an array), change the 612 cache key at the same time. 6131. **Settings** should be added as a 614 [last resort](https://about.gitlab.com/handbook/product/#convention-over-configuration). 615 If you're adding a new setting in `gitlab.yml`: 616 1. Try to avoid that, and add to `ApplicationSetting` instead. 617 1. Ensure that it is also 618 [added to Omnibus](https://docs.gitlab.com/omnibus/settings/gitlab.yml#adding-a-new-setting-to-gitlabyml). 6191. **File system access** is not possible in a [cloud-native architecture](architecture.md#adapting-existing-and-introducing-new-components). 620 Ensure that we support object storage for any file storage we need to perform. For more 621 information, see the [uploads documentation](uploads.md). 622 623### Review turnaround time 624 625Because [unblocking others is always a top priority](https://about.gitlab.com/handbook/values/#global-optimization), 626reviewers are expected to review merge requests in a timely manner, 627even when this may negatively impact their other tasks and priorities. 628 629Doing so allows everyone involved in the merge request to iterate faster as the 630context is fresh in memory, and improves contributors' experience significantly. 631 632#### Review-response SLO 633 634To ensure swift feedback to ready-to-review code, we maintain a `Review-response` Service-level Objective (SLO). The SLO is defined as: 635 636> Review-response SLO = (time when first review is provided) - (time MR is assigned to reviewer) < 2 business days 637 638If you don't think you can review a merge request in the `Review-response` SLO 639time frame, let the author know as soon as possible in the comments 640(no later than 36 hours after first receiving the review request) 641and try to help them find another reviewer or maintainer who is able to, so that they can be unblocked 642and get on with their work quickly. Remove yourself as a reviewer. 643 644If you think you are at capacity and are unable to accept any more reviews until 645some have been completed, communicate this through your GitLab status by setting 646the `:red_circle:` emoji and mentioning that you are at capacity in the status 647text. This guides contributors to pick a different reviewer, helping us to 648meet the SLO. 649 650Of course, if you are out of office and have 651[communicated](https://about.gitlab.com/handbook/paid-time-off/#communicating-your-time-off) 652this through your GitLab.com Status, authors are expected to realize this and 653find a different reviewer themselves. 654 655When a merge request author has been blocked for longer than 656the `Review-response` SLO, they are free to remind the reviewer through Slack or add 657another reviewer. 658 659### Customer critical merge requests 660 661A merge request may benefit from being considered a customer critical priority because there is a significant benefit to the business in doing so. 662 663Properties of customer critical merge requests: 664 665- The [VP of Development](https://about.gitlab.com/job-families/engineering/development/management/vp/) ([@clefelhocz1](https://gitlab.com/clefelhocz1)) is the DRI for deciding if a merge request qualifies as customer critical. 666- The DRI applies the `customer-critical-merge-request` label to the merge request. 667- It is required that the reviewer(s) and maintainer(s) involved with a customer critical merge request are engaged as soon as this decision is made. 668- It is required to prioritize work for those involved on a customer critical merge request so that they have the time available necessary to focus on it. 669- It is required to adhere to GitLab [values](https://about.gitlab.com/handbook/values/) and processes when working on customer critical merge requests, taking particular note of family and friends first/work second, definition of done, iteration, and release when it's ready. 670- Customer critical merge requests are required to not reduce security, introduce data-loss risk, reduce availability, nor break existing functionality per the process for [prioritizing technical decisions](https://about.gitlab.com/handbook/engineering/#prioritizing-technical-decisions.md). 671- On customer critical requests, it is _recommended_ that those involved _consider_ coordinating synchronously (Zoom, Slack) in addition to asynchronously (merge requests comments) if they believe this may reduce the elapsed time to merge even though this _may_ sacrifice [efficiency](https://about.gitlab.com/company/culture/all-remote/asynchronous/#evaluating-efficiency.md). 672- After a customer critical merge request is merged, a retrospective must be completed with the intention of reducing the frequency of future customer critical merge requests. 673 674## Examples 675 676How code reviews are conducted can surprise new contributors. Here are some examples of code reviews that should help to orient you as to what to expect. 677 678**["Modify `DiffNote` to reuse it for Designs"](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/13703):** 679It contained everything from nitpicks around newlines to reasoning 680about what versions for designs are, how we should compare them 681if there was no previous version of a certain file (parent vs. 682blank `sha` vs empty tree). 683 684**["Support multi-line suggestions"](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/25211)**: 685The MR itself consists of a collaboration between FE and BE, 686and documenting comments from the author for the reviewer. 687There's some nitpicks, some questions for information, and 688towards the end, a security vulnerability. 689 690**["Allow multiple repositories per project"](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/10251)**: 691ZJ referred to the other projects (workhorse) this might impact, 692suggested some improvements for consistency. And James' comments 693helped us with overall code quality (using delegation, `&.` those 694types of things), and making the code more robust. 695 696**["Support multiple assignees for merge requests"](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/10161)**: 697A good example of collaboration on an MR touching multiple parts of the codebase. Nick pointed out interesting edge cases, James Lopez also joined in raising concerns on import/export feature. 698 699### Credits 700 701Largely based on the [`thoughtbot` code review guide](https://github.com/thoughtbot/guides/tree/master/code-review). 702