Updates to reflect best practices for PR review

[trmartin4]

Objective

With the addition of CODEOWNERS and the maturation of the component teams, I felt it would be good to clarify the expectations around PR authors and reviewers.

These updates include some changes to the contract between PR author and reviewers, namely with the expectation that PR reviews should take place with 24 hours and that Github notifications should be the primary source of review requests. These have come from a running list that I've been compiling with pain points in our current process, gathered from retros and from other meetings.

I'd welcome any feedback and clarifications on this, as I'd like this PR to serve as a prompt for discussion prior to implementing any of these process changes. If agreed upon, I plan to update the teams in Slack as well to clarify and answer any questions.

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Pages

Latest commit:	815208e
Status:	✅  Deploy successful!
Preview URL:	https://6b2b42a4.contributing-docs.pages.dev
Branch Preview URL:	https://pr-review-updates.contributing-docs.pages.dev

View logs

[bitwarden-bot]

Checkmarx One – Scan Summary & Details – 75e59248-54fc-4fb5-a422-c42c72e534b9

No New Or Fixed Issues Found

[eliykat]

Has the team agreed to a 24 hour PR review deadline? I haven't seen any discussion about this, but I may have missed it.

[Hinton]

Not to my knowledge. I'm not against this though but it should be communicated.

I also think we need to spend further effort to clean up tech-leads codeowners since I haven't found a way to exclude them from review filters.

[trmartin4]

I agree. I wanted to discuss here and then communicate in a bulleted list to the teams in Slack. This felt like a good place to start the discussion. I’m not in any way pushing for 24 - if we want to have a longer timeframe that’s fine. My main concern is having everyone bought in on what the timeframe is so we don’t have to resort to pinging on Slack for every PR.

[withinfocus]

Maybe "business day"? I personally feel one day is actually pretty tough unless engineers can be in formal support rotations and have this as a priority.

[eliykat]

I'm not sure what would be a reasonable deadline here, although I agree 1 business day is tight. 2 business days?

This is not a very visible place for discussion and this would be a fairly major change to the current expectations, I suggest sharing in Slack.

[trmartin4]

After discussion with Tech Leads and EMs, we settled on 48 hours. I've addressed that in 3131dcf

[Hinton]

Why are we setting sidebar positions on these? Do we dislike the alphabetical ordering?

[trmartin4]

It wasn't ordering alphabetically before - the positions are to order it alphabetically. I'll take them out and double-check that I'm correct in that statement.

[Hinton]

I would argue that every review comes with this obligations. I'm worried this might associate request changes negatively.

[withinfocus]

Can you elaborate? Not sure why this language change does anything more than expect the reviewer to stay engaged.

I too want to be sure "request changes" is taken very objectively.

[Hinton]

"However, it does come with obligations for the reviewer. By blocking the PR from progressing, they have taken an ownership stake in it and should make themselves available to answer clarifying questions. They should also give clear feedback on what needs to change for the PR to get approved."

Leaving any review usually comes with these obligations. I would prefer to see this lifted into some general section. I do think we can highlight that request changes blocks the PR from moving.

[trmartin4]

I tried to bridge this distinction with the changes I just pushed - I added a section at the top of the "Reviewing" section that applies to all types of review, and changed this section to indicate that "additional responsibility" is implied by blocking the PR. Let me know how that looks.

[Hinton]

The reason this was inlined before was to get it in the same sentence. Just wanted to verify this is an intentional change.

[trmartin4]

I think it's back to the way it was now. I had separated it out so that the tags were clearer, but I do see that it flows better as a single paragraph.

[Hinton]

Do we want to leave a note somewhere about re-requesting review once the feedback is resolved? I've noticed it's sometimes not done which delays new reviews.

[withinfocus]

Also support. This helps a lot, especially when many teams are involved in a review.

[trmartin4]

I created a section called "Addressing feedback" that includes this, as well as a recommendation to allow the commenter to "Resolve conversation" - if that's not our position I can remove that part.

[Hinton]

I would want us to document some available integrations, and give teams a chance to start using them, before actively enforcing it.

[withinfocus]

Handy link on more info: https://docs.github.com/en/enterprise-cloud@latest/organizations/organizing-members-into-teams/managing-code-review-settings-for-your-team

I don't know if we need anything more than what GitHub provides. Maybe Slack reminders?

[Hinton]

I get 30+ notifications daily which makes GH notifications mostly unusable without spending a non trivial amount of time maintaining it.

[trmartin4]

I've added a section for this:
.

My assumption was that the build-in reminder integration with Slack was sufficient and we didn't need to customize anything, but that may not be the case.

[eliykat]

I expect that removing tech-leads as the default reviewer should help with notification overload.

[withinfocus]

Objectively requesting changes, with some subjectivity on comma usage included 😜!

[withinfocus]

Suggested change

	changes can potentially save a lot of time.
	changes can save a lot of time.

[trmartin4]

This has been fixed with the latest set of commits.

[withinfocus]

Can you elaborate? Not sure why this language change does anything more than expect the reviewer to stay engaged.

I too want to be sure "request changes" is taken very objectively.

[withinfocus]

Suggested change

	- Are there unit tests present?
	- Are unit tests present?

[trmartin4]

Fixed in the latest commits.

[withinfocus]

Suggested change

	Once a community PRs has been created, they will be automatically be linked to an internal Jira ticket. The
	Once a community PR has been created, it will be automatically be linked to an internal Jira ticket. The

[trmartin4]

Fixed in the latest commits.

[withinfocus]

Handy link on more info: https://docs.github.com/en/enterprise-cloud@latest/organizations/organizing-members-into-teams/managing-code-review-settings-for-your-team

I don't know if we need anything more than what GitHub provides. Maybe Slack reminders?

[withinfocus]

Maybe "business day"? I personally feel one day is actually pretty tough unless engineers can be in formal support rotations and have this as a priority.

[withinfocus]

Suggested change

	team(s) - or to individual engineers if assigned - via Slack to follow up.
	team(s) -- or to individual engineers if assigned -- via Slack to follow up.

[trmartin4]

Fixed in the latest commits.

[withinfocus]

ℹ️ Other thread will potentially need updating here too.

[withinfocus]

Suggested change

	Once a Community PR has been created, a Bitwarden developer will perform a code review. While we try
	Once a Community PR has been created a Bitwarden developer will perform a code review. While we try

[trmartin4]

Fixed in the latest commits.

[trmartin4]

Thank you @Hinton, @eliykat, and @withinfocus for the feedback!

I've made some adjustments to the more trivial changes, but I feel there are a few larger outstanding items:

1. Timeframe: What is an acceptable timeframe to expect a reviewing team to perform the review before following up? My initial off-the-cuff proposal was 24 hours, but this needs further discussion.
2. Notifications: Are the OOTB scheduled reminders from Github sufficient to give teams the visibility they need for open PRs?
3. Conventional Comments: What do we want to stay about conventional comments? If it would be easier I can leave that section out, as it's something I assumed there was agreement on and didn't mean to divert the larger goal of this PR.

Without objections, I can raise these 3 questions to the larger group via Slack.

[withinfocus]

Is the preview working for others? It seems to not have these changes for me. On the open topics:

1. Could we suggest "2-3 business days"? Feels like a middle ground for sometime in a business week to keep progress going.
2. I feel they are and never had anything more than a Slack integration and email where it worked for much larger organizations.
3. I suggest we leave it out. I feel there's a lot of disagreement over how much to prescribe on PR comments.

My remaining comments are super-minor.

[withinfocus]

ℹ️ I didn't know these links could have spaces in them and they're usually shorthand, but if it works ...

[MGibson1]

issue: This line needs to be expanded upon and supported by a section informing the author on how to create PRs for an intended change. This could be added to the branching document and linked here.

I think this is the primary reason for our large PR backlog. My recommendation would be limiting PRs to 1000 loc and preferring config or software feature flagging to allow for incomplete features to be present in the codebase.

Suggested change

	- Ask the author to split the work into a smaller PR for review
	- Ask the author to split the work into a smaller PR for review. Suggest reasonable axes to on which to divide the work (see [branching for large features](#link-to-new-section)

[trmartin4]

@MGibson1, I've addressed this by completely revamping the branching page, in 440c84d. As we are moving closer to a trunk-based branching scheme, with the preference toward merging to master, I felt that it was better to focus on how to build small, incremental changes and not detail the complex branching scenarios we had to handle previously around Short-Lived Feature Branches and Long-Lived Feature Branches. I'd welcome any feedback on it, especially on ways to think about breaking up work - that was very much my attempt at condensing feedback and adding intuition to it to come up with some ideas.

I also thought that something like this might be nice to have: https://github.com/marketplace/actions/pull-request-size-labeler

[MGibson1]

I think you nailed it, thank you.

I'm not really that convinced that the labels would have value, but the concept certainly does. If you think that'll help encourage people to smaller bites let's do it!

[withinfocus]

Feels like this is at a good place for merge and to potentially make other improvements elsewhere.

[eliykat]

All comments are non-blocking, happy for you to share with the team or otherwise progress this. We can revisit these questions later if required.

[eliykat]

(non-blocking) Are we practicing long-lived feature branches at all any more? Is there any continued justification for them? I prefer to just have one way to do things (that is, the correct way) when possible.

[trmartin4]

I feel like there is still a scenario in which large features would like to be introduced together due to either technical or product-driven considerations, but we can't put them behind a feature flag. The Vertical Vault Nav changes are an example. Perhaps I can supplement this with a follow-up PR that extracts this into a callout that highlights how it's not our current best practice?

[eliykat]

This is a major change to our current practices, which are less strict about this. This is worth highlighting when this is shared more broadly.

[eliykat]

This is also a significant clarification (different people do different things at the moment) - would like this highlighted when these changes are shared

[eliykat]

I expect that removing tech-leads as the default reviewer should help with notification overload.

[eliykat]

I know this is going to be shared for discussion, but my 2 cents: I would prefer this be expressed in business days rather than hours. e.g. you cannot (should not) review code on public holidays or weekends.

2 business days seems fine to me as a starting point.

[trmartin4]

This has been addressed with 97745a9 (#220).

[MGibson1]

@trmartin4 are you still working on this improvement?

[trmartin4]

@MGibson1 yes, actually I had this in my To Do list and it's been surpassed by some other things that have come up.

My next steps were to consolidate all the items that require highlighting as a significant change to our current process, and publish this change along with a notification in Slack. My current list of those updates are:

• Highlight the importance of unit tests for PR approval
• Establish the best practice that the originator of the comment thread should mark it Resolved, rather than the author
• The contract between the teams is that the reviewing team should act on the Github notification (through their configured notification method) and not rely on Slack posts

Am I missing anything else?

[withinfocus]

My requests have long been solved.

Your main branch rename is probably in 500 other places ...

[trmartin4]

Your main branch rename is probably in 500 other places ...

@withinfocus these should already have been fixed in main. I just had to adjust the references in the part of the docs that had merge conflicts with my changes.