Require review of contributions
Peer-review of contributions is essential for code quality, reducing security risks and operational risks.
Requiring thorough review of contributions encourages a culture of making sure every contribution is of high quality, completeness and value. Code review increases the chance of discovering and fixing potential bugs or mistakes before they are added to the codebase. Knowing that all code was reviewed discourages a culture of blaming individuals, and encourages a culture of focusing on solutions.
A policy of prompt reviews assures contributors of a guaranteed time for feedback or collaborative improvement, which increases both rate of delivery and contributor engagement.
- All contributions that are accepted or committed to release versions of the codebase MUST be reviewed by another contributor.
- Reviews MUST include source, policy, tests and documentation.
- Reviewers MUST provide feedback on all decisions to not accept a contribution.
- The review process SHOULD confirm that a contribution conforms to the standards, architecture and decisions set out in the codebase in order to pass review.
- Reviews SHOULD include running both the code and the tests of the codebase.
- Contributions SHOULD be reviewed by someone in a different context than the contributor.
- Version control systems SHOULD NOT accept non-reviewed contributions in release versions.
- Reviews SHOULD happen within two business days.
- Performing reviews by multiple reviewers is OPTIONAL.
How to test
- Confirm that every commit in the history has been reviewed by a different contributor.
- Confirm that reviews include source, policy, tests and documentation.
- Confirm that rejected contributions were appropriately explained.
- Check if guidelines for reviewers include instructions to review for conformance to standards, architecture and codebase guidelines.
- Check with reviewers if they run the code and tests during review.
- Check with reviewers if commits have been reviewed by a different contributor in a different context.
- Check for use of branch protection in the version control system.
- Check the times between contribution submission and review.
Public policy makers: what you need to do
- Institute a ‘four eyes’ policy where everything, not just code, is reviewed.
- Use a version control system or methodology that enables review and feedback.
Managers: what you need to do
- Make delivering great code a shared objective.
- Make sure writing and reviewing contributions to source, policy, documentation and tests are considered equally valuable.
- Create a culture where all contributions are welcome and everyone is empowered to review them.
- Make sure no contributor is ever alone in contributing to a codebase.
Developers and designers: what you need to do
- Ask other contributors on the codebase to review your work, in your organization or outside of it.
- Try to respond to others’ requests for code review promptly, initially providing feedback about the concept of the change.
- How to review code the GDS way by the UK Government Digital Service.
- Branch protection on GitHub and GitLab.
- The Gentle Art of Patch Review by Sage Sharp.
- Measuring Engagement by Mozilla.