gitea/CONTRIBUTING.md
Antoine GIRARD 048468560f Add security advice to contrib guide (#4187)
* Improve contributing guidelines for security
2018-06-09 12:03:23 -04:00

11 KiB

Contribution Guidelines

Table of Contents

Introduction

This document explains how to contribute changes to the Gitea project.
It assumes you have followed the
installation instructions.
Sensitive security-related issues should be reported to
security@gitea.io.

For configuring IDE or code editor to develop Gitea see IDE and code editor configuration

Bug reports

Please search the issues on the issue tracker with a variety of keywords
to ensure your bug is not already reported.

If unique, open an issue
and answer the questions so we can understand and reproduce the
problematic behavior.

To show us that the issue you are having is in Gitea itself, please
write clear, concise instructions so we can reproduce the behavior—
even if it seems obvious. The more detailed and specific you are,
the faster we can fix the issue. Check out How to Report Bugs
Effectively
.

Please be kind, remember that Gitea comes at no cost to you, and you're
getting free help.

Discuss your design

The project welcomes submissions. If you want to change or add something,
please let everyone know what you're working on—file an issue!
Significant changes must go through the change proposal process
before they can be accepted. To create a proposal, file an issue with
your proposed changes documented, and make sure to note in the title
of the issue that it is a proposal.

This process gives everyone a chance to validate the design, helps
prevent duplication of effort, and ensures that the idea fits inside
the goals for the project and tools. It also checks that the design is
sound before code is written; the code review tool is not the place for
high-level discussions.

Testing redux

Before sending code out for review, run all the tests for the
whole tree to make sure the changes don't break other usage
and keep the compatibility on upgrade. To make sure you are
running the test suite exactly like we do, you should install
the CLI for Drone CI, as
we are using the server for continous testing, following these
instructions
. After that,
you can simply call drone exec --local --build-event "pull_request" within
your working directory and it will try to run the test suite locally.

Vendoring

We keep a cached copy of dependencies within the vendor/ directory,
managing updates via dep.

Pull requests should only include vendor/ updates if they are part of
the same change, be it a bugfix or a feature addition.

The vendor/ update needs to be justified as part of the PR description,
and must be verified by the reviewers and/or merger to always reference
an existing upstream commit.

You can find more information on how to get started with it on the dep project website.

Translation

We do all translation work inside Crowdin.
The only translation that is maintained in this git repository is
en_US.ini
and is synced regularily to Crowdin. Once a translation has reached
A SATISFACTORY PERCENTAGE it will be synced back into this repo and
included in the next released version.

Building Gitea

Generally, the go build tools are installed as-needed in the Makefile.
An exception are the tools to build the CSS and images.

  • To build CSS: Install Node.js
    with npm and then run npm install and make generate-stylesheets.
  • To build Images: ImageMagick, inkscape and zopflipng binaries must be
    available in your PATH to run make generate-images.

Code review

Changes to Gitea must be reviewed before they are accepted—no matter who
makes the change, even if they are an owner or a maintainer. We use GitHub's
pull request workflow to do that. And, we also use LGTM
to ensure every PR is reviewed by at least 2 maintainers.

Please try to make your pull request easy to review for us. And, please read
the How to get faster PR reviews guide;
it has lots of useful tips for any project you may want to contribute.
Some of the key points:

  • Make small pull requests. The smaller, the faster to review and the
    more likely it will be merged soon.
  • Don't make changes unrelated to your PR. Maybe there are typos on
    some comments, maybe refactoring would be welcome on a function... but
    if that is not related to your PR, please make another PR for that.
  • Split big pull requests into multiple small ones. An incremental change
    will be faster to review than a huge PR.

Styleguide

For imports you should use the following format (without the comments)

import (
  // stdlib
  "encoding/json"
  "fmt"

  // local packages
  "code.gitea.io/gitea/models"
  "code.gitea.io/sdk/gitea"

  // external packages
  "github.com/foo/bar"
  "gopkg.io/baz.v1"
)

Sign-off your work

The sign-off is a simple line at the end of the explanation for the
patch. Your signature certifies that you wrote the patch or otherwise
have the right to pass it on as an open-source patch. The rules are
pretty simple: If you can certify DCO, then you just add a line
to every git commit message:

Signed-off-by: Joe Smith <joe.smith@email.com>

Please use your real name; we really dislike pseudonyms or anonymous
contributions. We are in the open-source world without secrets. If you
set your user.name and user.email git configs, you can sign-off your
commit automatically with git commit -s.

Release Cycle

We adopted a release schedule to streamline the process of working
on, finishing, and issuing releases. The overall goal is to make a
minor release every two months, which breaks down into one month of
general development followed by one month of testing and polishing
known as the release freeze. All the feature pull requests should be
merged in the first month of one release period. And, during the frozen
period, a corresponding release branch is open for fixes backported from
master. Release candidates are made during this period for user testing to
obtain a final version that is maintained in this branch. A release is
maintained by issuing patch releases to only correct critical problems
such as crashes or security issues.

Major release cycles are bimonthly. They always begin on the 25th and end on
the 24th (i.e., the 25th of December to February 24th).

During a development cycle, we may also publish any necessary minor releases
for the previous version. For example, if the latest, published release is
v1.2, then minor changes for the previous release—e.g., v1.1.0 -> v1.1.1—are
still possible.

Maintainers

To make sure every PR is checked, we have team
maintainers
. Every PR MUST be reviewed by at least
two maintainers (or owners) before it can get merged. A maintainer
should be a contributor of Gitea (or Gogs) and contributed at least
4 accepted PRs. A contributor should apply as a maintainer in the
Discord #develop channel. The owners
or the team maintainers may invite the contributor. A maintainer
should spend some time on code reviews. If a maintainer has no
time to do that, they should apply to leave the maintainers team
and we will give them the honor of being a member of the advisors
team
. Of course, if
an advisor has time to code review, we will gladly welcome them back
to the maintainers team. If a maintainer is inactive for more than 3
months and forgets to leave the maintainers team, the owners may move
him or her from the maintainers team to the advisors team.
For security reasons, Maintainers should use 2FA for their accounts and
if possible provide gpg signed commits.
https://help.github.com/articles/securing-your-account-with-two-factor-authentication-2fa/
https://help.github.com/articles/signing-commits-with-gpg/

Owners

Since Gitea is a pure community organization without any company support,
to keep the development healthy we will elect three owners every year. All
contributors may vote to elect up to three candidates, one of which will
be the main owner, and the other two the assistant owners. When the new
owners have been elected, the old owners will give up ownership to the
newly elected owners. If an owner is unable to do so, the other owners
will assist in ceding ownership to the newly elected owners.
For security reasons, Owners or any account with write access (like a bot)
must use 2FA.
https://help.github.com/articles/securing-your-account-with-two-factor-authentication-2fa/

After the election, the new owners should proactively agree
with our CONTRIBUTING requirements in the
Discord #general channel. Below are the
words to speak:

I'm honored to having been elected an owner of Gitea, I agree with
[CONTRIBUTING](CONTRIBUTING.md). I will spend part of my time on Gitea
and lead the development of Gitea.

To honor the past owners, here's the history of the owners and the time
they served:

Versions

Gitea has the master branch as a tip branch and has version branches
such as release/v0.9. release/v0.9 is a release branch and we will
tag v0.9.0 for binary download. If v0.9.0 has bugs, we will accept
pull requests on the release/v0.9 branch and publish a v0.9.1 tag,
after bringing the bug fix also to the master branch.

Since the master branch is a tip version, if you wish to use Gitea
in production, please download the latest release tag version. All the
branches will be protected via GitHub, all the PRs to every branch must
be reviewed by two maintainers and must pass the automatic tests.

Code that you contribute should use the standard copyright header:

// Copyright 2018 The Gitea Authors. All rights reserved.
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.

Files in the repository contain copyright from the year they are added
to the year they are last changed. If the copyright author is changed,
just paste the header below the old one.