mirror of https://github.com/go-gitea/gitea synced 2024-11-25 11:22:50 +01:00
gitea/CONTRIBUTING.md
Antoine GIRARD 048468560f Add security advice to contrib guide (#4187)
* Improve contributing guidelines for security
2018-06-09 12:03:23 -04:00


Contribution Guidelines


Introduction

This document explains how to contribute changes to the Gitea project. It assumes you have followed the installation instructions. Sensitive security-related issues should be reported to security@gitea.io.

For configuring an IDE or code editor to develop Gitea, see IDE and code editor configuration.

Bug reports

Please search the issues on the issue tracker with a variety of keywords to ensure your bug is not already reported.

If unique, open an issue and answer the questions so we can understand and reproduce the problematic behavior.

To show us that the issue you are having is in Gitea itself, please write clear, concise instructions so we can reproduce the behavior, even if it seems obvious. The more detailed and specific you are, the faster we can fix the issue. Check out How to Report Bugs Effectively.

Please be kind, remember that Gitea comes at no cost to you, and you're getting free help.

Discuss your design

The project welcomes submissions. If you want to change or add something, please let everyone know what you're working on—file an issue! Significant changes must go through the change proposal process before they can be accepted. To create a proposal, file an issue with your proposed changes documented, and make sure to note in the title of the issue that it is a proposal.

This process gives everyone a chance to validate the design, helps prevent duplication of effort, and ensures that the idea fits inside the goals for the project and tools. It also checks that the design is sound before code is written; the code review tool is not the place for high-level discussions.

Testing redux

Before sending code out for review, run all the tests for the whole tree to make sure the changes don't break other usage and preserve compatibility on upgrade. To make sure you are running the test suite exactly like we do, install the CLI for Drone CI (we use the Drone server for continuous testing) by following these instructions. After that, you can simply call drone exec --local --build-event "pull_request" within your working directory and it will run the test suite locally.

Vendoring

We keep a cached copy of dependencies within the vendor/ directory, managing updates via dep.

Pull requests should only include vendor/ updates if they are part of the same change, be it a bugfix or a feature addition.

The vendor/ update needs to be justified in the PR description, and the reviewers and/or merger must verify that every updated dependency references an existing upstream commit.

You can find more information on how to get started with it on the dep project website.
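The check reviewers are asked to make above (that every vendored dependency is pinned to a real upstream commit) is easy to automate against the lock file that dep writes. The following is an added example, not part of Gitea or dep: it parses the [[projects]] tables of a Gopkg.lock with plain line scanning (no TOML library, so it runs offline), flags any project whose revision is missing or is not a full 40-hex-digit commit SHA (an abbreviated hash or branch name can silently drift to different upstream code), and prints the git command a reviewer would run to confirm each pin exists. The sample lock text is constructed; the assumption that an upstream clone lives under $GOPATH/src/<name> is just that, adjust the path to wherever your clone is.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Project is the subset of a Gopkg.lock [[projects]] table this check needs.
type Project struct {
	Name     string
	Revision string
	Version  string // tag, if the project is pinned to one
	Branch   string // branch, if the project tracks one
}

var fullSHA = regexp.MustCompile(`^[0-9a-f]{40}$`)

// ParseLock extracts projects from Gopkg.lock text. It understands only
// `key = "value"` lines inside [[projects]] tables, which is all we need.
func ParseLock(lock string) []Project {
	var projects []Project
	cur := -1 // index of the [[projects]] table being filled, -1 outside one
	sc := bufio.NewScanner(strings.NewReader(lock))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "[[projects]]":
			projects = append(projects, Project{})
			cur = len(projects) - 1
		case strings.HasPrefix(line, "["):
			cur = -1 // some other table, e.g. [solve-meta]
		case cur < 0 || !strings.Contains(line, "="):
			continue
		default:
			kv := strings.SplitN(line, "=", 2)
			key := strings.TrimSpace(kv[0])
			val := strings.Trim(strings.TrimSpace(kv[1]), `"`)
			switch key {
			case "name":
				projects[cur].Name = val
			case "revision":
				projects[cur].Revision = val
			case "version":
				projects[cur].Version = val
			case "branch":
				projects[cur].Branch = val
			}
		}
	}
	return projects
}

// CheckPins returns one finding per project whose pin a reviewer cannot verify.
func CheckPins(projects []Project) []string {
	var findings []string
	for _, p := range projects {
		switch {
		case p.Revision == "":
			findings = append(findings, p.Name+": no revision pinned")
		case !fullSHA.MatchString(p.Revision):
			findings = append(findings, p.Name+": revision "+p.Revision+" is not a full commit SHA")
		}
	}
	return findings
}

// VerifyCommand is the command a reviewer runs to confirm the pin exists upstream.
// Assumption: a clone of the dependency with its .git directory (vendor/ copies
// have none) sits at $GOPATH/src/<name>, the usual place after `go get`.
func VerifyCommand(p Project) string {
	return fmt.Sprintf(`git -C "$(go env GOPATH)/src/%s" cat-file -e %s^{commit}`, p.Name, p.Revision)
}

// sampleLock is a constructed Gopkg.lock: one sound pin, one abbreviated
// hash on a tracked branch, and one project with no revision at all.
const sampleLock = `# This file is autogenerated, do not edit; changes may be undone by the next 'dep ensure'.

[[projects]]
  name = "github.com/foo/bar"
  packages = ["."]
  revision = "0123456789abcdef0123456789abcdef01234567"
  version = "v1.2.3"

[[projects]]
  branch = "master"
  name = "github.com/example/drift"
  packages = ["."]
  revision = "abc1234"

[[projects]]
  name = "github.com/example/norev"
  packages = ["."]
  version = "v0.1.0"

[solve-meta]
  analyzer-name = "dep"
`

func main() {
	projects := ParseLock(sampleLock)
	for _, f := range CheckPins(projects) {
		fmt.Println("FAIL:", f)
	}
	for _, p := range projects {
		if fullSHA.MatchString(p.Revision) {
			fmt.Println("verify:", VerifyCommand(p))
		}
	}
}
```

Run it over the PR's Gopkg.lock instead of sampleLock and block the merge on any FAIL line; the printed verify commands only confirm the commit object exists, so the reviewer still has to check that the commit is the one the PR description claims.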

Translation

We do all translation work inside Crowdin. The only translation that is maintained in this git repository is en_US.ini, and it is synced regularly to Crowdin. Once a translation has reached A SATISFACTORY PERCENTAGE it will be synced back into this repo and included in the next released version.

Building Gitea

Generally, the Go build tools are installed as needed by the Makefile. The exceptions are the tools that build the CSS and images.

  • To build CSS: Install Node.js with npm and then run npm install and make generate-stylesheets.
  • To build Images: ImageMagick, inkscape and zopflipng binaries must be available in your PATH to run make generate-images.

Code review

Changes to Gitea must be reviewed before they are accepted—no matter who makes the change, even if they are an owner or a maintainer. We use GitHub's pull request workflow to do that. And, we also use LGTM to ensure every PR is reviewed by at least 2 maintainers.

Please try to make your pull request easy for us to review. And please read the How to get faster PR reviews guide; it has lots of useful tips for any project you may want to contribute to. Some of the key points:

  • Make small pull requests. The smaller, the faster to review and the more likely it will be merged soon.
  • Don't make changes unrelated to your PR. Maybe there are typos on some comments, maybe refactoring would be welcome on a function... but if that is not related to your PR, please make another PR for that.
  • Split big pull requests into multiple small ones. An incremental change will be faster to review than a huge PR.

Styleguide

For imports you should use the following format (without the comments)

import (
  // stdlib
  "encoding/json"
  "fmt"

  // local packages
  "code.gitea.io/gitea/models"
  "code.gitea.io/sdk/gitea"

  // external packages
  "github.com/foo/bar"
  "gopkg.io/baz.v1"
)

Sign-off your work

The sign-off is a simple line at the end of the explanation for the patch. Your signature certifies that you wrote the patch or otherwise have the right to pass it on as an open-source patch. The rules are pretty simple: if you can certify the DCO (Developer Certificate of Origin), you just add a line to every git commit message:

Signed-off-by: Joe Smith <joe.smith@email.com>

Please use your real name; we really dislike pseudonyms or anonymous contributions. We are in the open-source world without secrets. If you set your user.name and user.email git configs, you can sign-off your commit automatically with git commit -s.
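Because the sign-off is a certification, reviewers want to know that every commit in a PR carries one and that it was given by the commit's author rather than someone else. The following is an added example, not Gitea's own tooling: it extracts Signed-off-by trailers from the trailer block of a commit message (the lines after the last blank line, approximating git's trailer rules, so a sign-off buried in the body does not count) and reports commits that lack one or whose sign-offs do not match the author email. Requiring the author to be among the signers is stricter than the text above states; it mirrors what DCO checking bots do. The sample commits are constructed; CommitMessages shows how to pull real ones out of git but is not exercised by the sample.

```go
package main

import (
	"fmt"
	"os/exec"
	"regexp"
	"strings"
)

// Commit is the part of a git commit the check looks at.
type Commit struct {
	Hash, AuthorName, AuthorEmail, Message string
}

// signOff matches the exact trailer form `git commit -s` writes:
// "Signed-off-by: Name <email>", with nothing after the closing bracket.
var signOff = regexp.MustCompile(`^Signed-off-by: (\S.*\S|\S) <([^\s@<>]+@[^\s@<>]+)>$`)

// SignOffs returns the (name, email) pairs from the trailer block of a commit
// message. The trailer block is taken as the lines after the last blank line.
func SignOffs(msg string) [][2]string {
	lines := strings.Split(strings.TrimRight(msg, "\n"), "\n")
	start := 0
	for i, l := range lines {
		if strings.TrimSpace(l) == "" {
			start = i + 1
		}
	}
	var out [][2]string
	for _, l := range lines[start:] {
		if m := signOff.FindStringSubmatch(strings.TrimSpace(l)); m != nil {
			out = append(out, [2]string{m[1], m[2]})
		}
	}
	return out
}

// CheckCommit returns "" when the commit is properly signed off by its author,
// otherwise the reason it fails.
func CheckCommit(c Commit) string {
	offs := SignOffs(c.Message)
	if len(offs) == 0 {
		return "missing Signed-off-by trailer (use git commit -s)"
	}
	for _, o := range offs {
		if strings.EqualFold(o[1], c.AuthorEmail) {
			return ""
		}
	}
	return "no Signed-off-by matching author " + c.AuthorEmail
}

// CommitMessages collects the commits a PR adds on top of its base, e.g.
// CommitMessages("origin/master..HEAD"). Assumed to run inside a git checkout.
// Fields are NUL-separated and records end with the ASCII record separator,
// both of which git log's %x escapes can emit.
func CommitMessages(rng string) ([]Commit, error) {
	out, err := exec.Command("git", "log", "--format=%H%x00%an%x00%ae%x00%B%x1e", rng).Output()
	if err != nil {
		return nil, err
	}
	var commits []Commit
	for _, rec := range strings.Split(string(out), "\x1e") {
		f := strings.SplitN(strings.TrimSpace(rec), "\x00", 4)
		if len(f) != 4 {
			continue
		}
		commits = append(commits, Commit{f[0], f[1], f[2], f[3]})
	}
	return commits, nil
}

// sampleCommits are constructed: one good commit, one whose sign-off sits in
// the body with trailing text, one signed by someone other than the author,
// and one with no sign-off at all.
var sampleCommits = []Commit{
	{"a1", "Joe Smith", "joe.smith@email.com", "Fix typo in README\n\nCorrect the spelling of Crowdin.\n\nSigned-off-by: Joe Smith <joe.smith@email.com>\n"},
	{"b2", "Joe Smith", "joe.smith@email.com", "Bump dependency\n\nSigned-off-by: Joe Smith <joe.smith@email.com> is in the body\n\nCo-authored-by: Someone Else <someone@example.org>\n"},
	{"c3", "Jane Doe", "jane@example.org", "Add test\n\nSigned-off-by: Joe Smith <joe.smith@email.com>\n"},
	{"d4", "Build Bot", "bot@example.org", "Regenerate assets\n"},
}

func main() {
	for _, c := range sampleCommits {
		if reason := CheckCommit(c); reason != "" {
			fmt.Printf("commit %s: %s\n", c.Hash, reason)
		}
	}
}
```

Replace sampleCommits with the result of CommitMessages("origin/master..HEAD") to run it in CI; a rebase or squash that changes the author line will show up here as a mismatch, which is exactly the case a reviewer should look at.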

Release Cycle

We adopted a release schedule to streamline the process of working on, finishing, and issuing releases. The overall goal is to make a minor release every two months, which breaks down into one month of general development followed by one month of testing and polishing known as the release freeze. All feature pull requests should be merged in the first month of a release period. During the frozen period, a corresponding release branch is open for fixes backported from master, and release candidates are cut from it for user testing until a final version is reached. A released version is then maintained by issuing patch releases that only correct critical problems such as crashes or security issues.

Release cycles are bimonthly. They always begin on the 25th and end on the 24th (e.g., the 25th of December to February 24th).

During a development cycle, we may also publish any necessary patch releases for the previous version. For example, if the latest published release is v1.2, then patch releases for the previous minor version, e.g. v1.1.0 -> v1.1.1, are still possible.

Maintainers

To make sure every PR is checked, we have team maintainers. Every PR MUST be reviewed by at least two maintainers (or owners) before it can get merged. A maintainer should be a contributor to Gitea (or Gogs) with at least 4 accepted PRs. A contributor should apply as a maintainer in the Discord #develop channel; the owners or the team maintainers may also invite the contributor.

A maintainer should spend some time on code reviews. If a maintainer has no time to do that, they should apply to leave the maintainers team and we will give them the honor of being a member of the advisors team. Of course, if an advisor has time to code review, we will gladly welcome them back to the maintainers team. If a maintainer is inactive for more than 3 months and forgets to leave the maintainers team, the owners may move him or her from the maintainers team to the advisors team.

For security reasons, maintainers should use 2FA for their accounts and, if possible, sign their commits with GPG:

https://help.github.com/articles/securing-your-account-with-two-factor-authentication-2fa/
https://help.github.com/articles/signing-commits-with-gpg/

Owners

Since Gitea is a pure community organization without any company support, to keep the development healthy we elect three owners every year. All contributors may vote to elect up to three candidates, one of whom will be the main owner and the other two the assistant owners. When the new owners have been elected, the old owners give up ownership to the newly elected owners. If an owner is unable to do so, the other owners assist in ceding ownership to the newly elected owners.

For security reasons, owners, and any other account with write access (such as a bot), must use 2FA:

https://help.github.com/articles/securing-your-account-with-two-factor-authentication-2fa/

After the election, the new owners should proactively agree with our CONTRIBUTING requirements in the Discord #general channel. Below are the words to speak:

I'm honored to have been elected an owner of Gitea, I agree with
[CONTRIBUTING](CONTRIBUTING.md). I will spend part of my time on Gitea
and lead the development of Gitea.

To honor the past owners, here's the history of the owners and the time they served:

Versions

Gitea has the master branch as a tip branch and has version branches such as release/v0.9. release/v0.9 is a release branch, and we tag v0.9.0 on it for binary download. If v0.9.0 has bugs, we accept pull requests on the release/v0.9 branch and publish a v0.9.1 tag, after the bug fix has also been applied to the master branch.

Since the master branch is a tip version, if you wish to use Gitea in production, please download the latest release tag version. All branches are protected on GitHub: every PR to any branch must be reviewed by two maintainers and must pass the automatic tests.

Code that you contribute should use the standard copyright header:

// Copyright 2018 The Gitea Authors. All rights reserved.
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.

Files in the repository contain copyright from the year they are added to the year they are last changed. If the copyright author is changed, just paste the header below the old one.