Repo ownershipΒ #59
Description
The goal of this issue is to work on technical debt for a repository as part of the codebase ownership initiative. It is organized around team members regularly reviewing the state of codebases.
Creating a tech day ticket is not required to work on tech debt, but can be a helpful resource to identify areas of focus.
Recommendations
You will not be able to address the entierety of a codebase tech debt in one go, organization is key to make sure you wrap-up time spent on a codebase with concrete deliverables.
When dedicating a fixed amount of time on a codebase, we recommend the following schedule:
- Begin by reviewing the checklist attached to this ticket, identify and prioritize activities you would be able to complete within the dedicated time.
- Work on said items.
- Wrap up by briefly documenting the changes you did, provide instructions for testing and eventually create issues for activities you'd like to work on next. You can do so by adding a comment to this issue.
Create tickets for future work
Not all tech debt items can be addressed in one day, one of the goal of the ownership initiative is also to raise awareness about tech debt to be tackled in the future.
When creating such tickets, try to provide details about complexity of such an implementation. These elements play a role in our capacity to prioritize work.
About priorities
- π¨ Indicates a required item, to be looked at
- π Indicates a top priority item
- π Indicates a medium priority item
- π Indicates a low priority item
Checklist
This checklist is there to help you but is not exaustive, if some items are not relevant or should be added, please request a change.
General
- π¨ I reviewed all OPEN tickets planned for an upcoming release (using codebase-X.Y.Z milestone)
- π¨ I reviewed older tech day tickets / ownership activities for that codebase
- π I submitted updates to the tech-day template if I noticed incorrect elements
- π Standards have been discussed in a tech kumite in the past semester
- π Module's license is up-to-date (see https://github.com/Jahia/open-source/blob/master/README.md#licenses)
Dependency management
- π I've identified the process/tools to handle dependency updates (ex: renovate)
- π Ensure licenses used by the libraries are Jahia compliant
- π Remove unused libraries
Jahia Modules
- π¨ If the codebase is a module shipped with the distribution, the latest version with changes is configured in jahia-pack (core or additional-modules)
- π Make sure dependencies (and appropriate version if needed) are declared in jahia-depends
Static Analysis and code quality
- π¨ No Blocker issues on Sonarqube for the module
- π No warnings or errors are present when building the module locally or on GitHub Actions
- π The module scores "A" on every Sonarqube categories for Overall Code
- π No Critical/Major issues on Sonarqube for the module
- π I reviewed opportunities to remove dead/unused/unreachable code
- π No Minor/Info issues on Sonarqube for the module
Javascript
- π The module's webpack config is correct (sample)
- π The module is using a supported LTS version of (NodeJS)
- π The module is using React v18+
- π The module is using Moonstone v2+
- π The module is not using any of the following Jahia's legacy libs:
- react-material
- moonstone-alpha
- π Dependencies listed in packages.json are still maintained (latest release not older than 6 months)
- π Dependencies listed in packages.json are no more than 2 major versions behind their latest release
- π Linting is executed properly and show no warnings
- π No warning are presents in the browser console when using the app
Java
- π Java dependencies are explicitly declared in the module's pom.xml
- π Spring is not used in the module
Security
- π¨ SBOM is generated (configuration available here) and uploaded to Dependency Track
- π I've reviewed the security vulnerabilities and hotspots affecting this codebase and discussed it with the Security lead before taking action (Create a SECURITY ticket, Close as false-positive, etc.)
- π I've reviewed the vulnerabilities affecting the libraries used by the module (related documentation) and discussed it with the Security lead before taking action (Create a SECURITY ticket, Close as false-positive, etc.)
- π A job running Sonar checks (including OWASP Dependency Check) is executed regularly
QA / Automated Tests
- π¨ The codebase is compatible with the latest release of Jahia
- π Automated tests are using jahia-cypress for all utils functions
- π The test framework is using page-object models published by other modules
- π The test framework is publishing its own page-object models for use by others
- π A manual-run workflow is available (ex: manual-run.yml)
- π Instructions and test cases are available to document how a release should be tested (how to do the "sanity check" of this module)
- π Automated tests are using a recent version of Cypress
- π Automated tests are only relying on supported modules
CI/CD
- π The build and the release workflows use the JDK 11 image (only if Jahia Parent is set to 8.2.0.0+) from temurin vendor
- π GitHub Actions (nightlys and other workflows) are executed without warnings nor errors (such as depreciations, failed tests, ...)
- π The latest version of the actions are used (including jahia-modules-action)
- π GitHub Actions reusable workflows are used
Documentation
- π Readme.md is up-to-date (module purpose, technical details, configuration steps)
- π A tech roadmap is available
- π Module's documentation available on the academy is up-to-date
Issues
- π If the repository is public, issues/pull requests from the community have been reviewed and answered, if answer was not possible, a PM/DM was notified.
GitHub
- π¨ Branch protection is enabled for the repository
- π The repository uses the organization-level template for the Pull Requests. Make sure the repository does not contain its own template (
.github/PULL_REQUEST_TEMPLATE.md) that takes precedence over the organization-level one - π Automatically delete head branches is selected in Settings
- π Repository topics match are populated (at a minimum: "product" and "supported")
- π Stale branches or branches older than 2 years (non-maintenance branches) have been removed
Fork checklist
This checklist is focused on our forked repositories
General
- π¨ I checked that we cannot stop using a fork of the library
- π¨ I created pull requests to push the fixes done in our fork to the main repository
- π¨ I checked that we cannot upgrade to a more recent
- π¨ I checked that we've documented why we're still using a fork of this library in confluence
Security
- π I checked that there are no known security vulnerabilities affecting this codebase
- π I've analyzed the vulnerabilities (related documentation) and discussed with the Security lead before taking action (Create a SECURITY ticket, Close as false-positive, etc.)
CI/CD
- π¨ The build and the release/publish workflows are configured (or at least documented in confluence)
GitHub
- π¨ Branch protection is enabled for the repository
- π The repository uses the organization-level template for the Pull Requests. Make sure the repository does not contain its own template (
.github/PULL_REQUEST_TEMPLATE.md) that takes precedence over the organization-level one - π Automatically delete head branches is selected in Settings
- π Repository topics match are populated (at a minimum: "product" and "supported")