Create a section of the tac repo for project best practices guides (#1194)

lgritz · jmertic · web-flow · commit 7ee7b330d7f3 · 2025-11-19T13:37:32.000-08:00
* Create a section of the tac repo for project best practices guides

- Reserve this space and invite others to start writing or adding to
  guides.
- Contribute one full guide for code review, based on an extensive
  guide written for OpenImageIO last year.
- Placeholders for other topics we know we'll want: ci, testing,
  security, releasing

Signed-off-by: Larry Gritz &lt;lg@larrygritz.com&gt;

* Make it fit in the navigation correctly

Signed-off-by: John Mertic &lt;jmertic@linuxfoundation.org&gt;

---------

Signed-off-by: Larry Gritz &lt;lg@larrygritz.com&gt;
Signed-off-by: John Mertic &lt;jmertic@linuxfoundation.org&gt;
Co-authored-by: John Mertic &lt;jmertic@linuxfoundation.org&gt;
diff --git a/project_best_practices_guides/README.md b/project_best_practices_guides/README.md
@@ -0,0 +1,30 @@
+---
+title: Best Practices
+nav_order: 55
+---
+
+ASWF Project Best Practices -- Overview
+=======================================
+
+The contents of this directory contain best practices guides for ASWF
+projects. Nothing here is mandatory (at least, not simply by virtue of being
+documented here). But this area is meant to provide what we believe is the
+best current advice for projects.
+
+Some suggested best practices for the best practices guides:
+
+- Use MarkDown. Name the files intuitively, use lower case and underscores
+  between words.
+- These are living documents. Please -- especially project leads -- feel free
+  to amend guides or add new guides via PR to the tac repo.
+- You don't need to spell everything out in gory detail. Often, it is
+  sufficient to list practices in an overview or bullet-point style, with each
+  one providing a link to a specific implementation in a project we think has
+  done it especially well, which can then provide enough of an example to be
+  replicated.
+- Point out parts that are likely to need project-specific preferences or
+  needs (such as projects having different requirements for the minimum number
+  of reviewers approving a PR).
+- When projects approach something differently, it's helpful to point out
+  briefly how different projects do it: "OpenEXR did X, MaterialX did Y,
+  and OpenVDB did Z."
diff --git a/project_best_practices_guides/ci.md b/project_best_practices_guides/ci.md
@@ -0,0 +1,24 @@
+---
+parent: Best Practices
+---
+
+CI Best Practices
+=================
+
+This document is a placeholder. Some topics we will want to remember to cover:
+- Various workflows
+- PR vs nightly vs push
+- Uses of ASWF docker containers
+- Paid runners for special needs: high-memory, high processing, or GPU
+- Selecting test coverage -- HW/OS platforms, VFX Platform years, testing things
+  older or newer then VFXP years.
+- "Bleeding edge" and "canary" tests
+- Making python wheels
+- CI jobs for analysis (static analysis, sanitizers)
+- Using Sonar or other systems
+- Efficiency of CI runs
+  - GHA caching
+  - ccache
+- Various GHA tips
+  - Shared workflow steps
+
diff --git a/project_best_practices_guides/code_review.md b/project_best_practices_guides/code_review.md
@@ -0,0 +1,227 @@
+---
+parent: Best Practices
+---
+
+Code Review Best Practices
+==========================
+
+<!-- 
+This was adapted from the OpenImageIO code review guide as a starting point.
+Obviously, some of it expresses preferences specific to that project and its
+leadership. But I think it provides enough good advice that it's a good
+starting point for an ASWF-wide best practices code review tips guide, and we
+can iterate from there to add good ideas from other projects, and to point out
+which sections may be highly subjective to each project.
+-->
+
+
+### Why do we code review?
+
+Code review is a process where someone other than the author of a patch
+examines the proposed changes and approves or critiques them. The main
+benefits are to:
+
+- Encourage submitters to ensure that their changes are well thought out,
+  tested, and documented so that their intent and wisdom will be clear to
+  others.
+- Directly find shortcomings in or suggest improvements to the proposed
+  changes, and ensure that the changes are consistent with the project's best
+  practices.
+- Minimize the amount of the code base that has only been seen or is only
+  understood by one person.
+- Improve security and robustness of the code base by assuring that at least
+  two people (submitter and reviewer) agree that every patch is reasonable and
+  safe.
+
+### Reviewer guidelines -- what you should be looking for
+
+Code review is not difficult, and it doesn't require you to be a senior
+developer or a domain expert. Even if you don't particularly understand that
+region of the code and are not a domain expert in the feature being changed,
+you can still provide a helpful second pair of eyes to look for obvious red
+flags and give an adequate review:
+
+- This may seem too obvious to say explicitly, but a big part of review is
+  just looking at the PR and seeing that it doesn't appear to deface,
+  purposely/obviously break, or introduce malware into the project.
+- Does the explanation of the PR make logical sense and appear to match (as
+  near as you can tell) the changes in the code? Does it seem sensible, even
+  if you don't understand all the details?
+- Does the PR pass all of our existing CI tests? (If it does, at least we
+  are reasonably sure it doesn't break commonly used features.)
+- Is there any evidence that the changes have been tested? Ideally, something
+  already in, or added to the testsuite by this PR, exercises the new or
+  altered code. (Though sometimes a patch addresses an edge case that's very
+  hard to reproduce in the testsuite, and you have to rely on the submitter's
+  word and the sensibility of their explanation.)
+- Not required, but nice if we can get it: You're an expert in the part of
+  the code being changed, and you agree that this is the best way to achieve
+  an improvement.
+- Any objections should be explained in detail and invite counter-arguments
+  from the author or other onlookers. A reviewer should never close a PR
+  unless it fails to conform to even the basic requirements of any submitted
+  PR, or if enough time has passed that it's clear that the PR has been
+  abandoned by its author. It's ok to ultimately say "no" to a PR that can't
+  be salvaged, but that should be the result of a dialogue.
+
+Obviously, you also want any review comments you give to be constructive and
+helpful. If you don't understand something, ask for clarification. If you
+think something is wrong, suggest a fix if you know how to fix it. If you
+think something is missing, suggest what you think should be added. Follow the
+expected kind and constructive tone of the project's community.
+
+### Submitter guidelines -- how to encourage good reviews and timely merges
+
+A few tips for submitters to help ensure that your PRs get reviewed and merged
+in a timely manner and are respectful of the reviewers' time and effort:
+
+- Aim for small PRs that do a specific thing in a clear way. It is better to
+  implement a large change with a series of PRs that each take a small,
+  obvious step forward, than to have one huge PR that makes changes so
+  extensive that nobody quite knows how to evaluate it.
+- Make sure your PR commit summary message clearly explains the why and how of
+  your changes. You want someone to read that and judge whether it's a
+  sensible approach, know what to look for in the code, and have their
+  examination of the code make them say "yes, I see, of course, great, just as
+  I expected!"
+- If you have extensive formatting changes or are moving existing code around,
+  it is strongly suggested that those changes be submitted as a separate PR
+  from anything that changes code logic. It is very hard to review code
+  changes when code movement or reformatting obscure exactly what has changed
+  and what has not.
+- Make sure your PR includes a test of the new or changed functionality (if
+  not covered by existing tests).
+- Make sure your PR fully passes the project's CI tests. Be kind to reviewers'
+  inboxes and attention by first pushing to your own fork and making all the
+  fixups needed to pass CI *before* submitting the PR that will fail CI and
+  leave reviewers unsure when it's complete enough to review. (You will need
+  to ensure that your own fork has CI enabled.)
+- Make sure your PR modifies the documentation as necessary if it adds new
+  features, changes any public APIs, or alters behavior of existing features.
+- If the project has multiple language bindings (e.g., a C++ library with a
+  Python binding as well), make sure that any API functionality you have added
+  is present (and tested) for all the language bindings so they don't get out
+  of sync.
+
+### Code review procedures -- in the ideal case
+
+In the best of circumstances, the code review process should be as follows for
+**EVERY** pull request:
+
+> [!NOTE] 
+> The following advice is generic, and we expect some projects to have
+> different specific requirements for the number and identity of reviewers,
+> how long a PR must be open to review, etc.
+
+- At least one reviewer critiques and eventually (possibly after changes are
+  made) approves the pull request. Reviewers, by definition, are not the same
+  person as the author.
+- Reviewers should indicate their approval by clicking the "Approve" button in
+  GitHub, or by adding a comment that says "LGTM" (looks good to me).
+- If possible, reviewers should have some familiarity with the code being
+  changed (though for a large code base, this is not always possible).
+- At least a few work days should elapse between posting the PR and merging
+  it, even if an approving review is received immediately. This is to allow
+  additional reviewers or dissenting voices to get a chance to weigh in.
+- If the reviewer has suggestions for improvement, it's the original author
+  who should make the changes and push them to the PR, or at the very least,
+  the author should okay any changes made by the reviewer before a merge
+  occurs (if at all practical).
+- It is permissible to request the "Copilot Review" from GitHub, but keep in
+  mind that (a) it should augment, and not be treated as being a substitute
+  for human developer reviews; (b) if any of its suggestions are incorporated
+  into the PR, the human PR author takes full responsibility for its
+  correctness and provenance, just as if they had written that code from
+  scratch themselves.
+
+Not all patches need the highest level of scrutiny. At the discretion of the
+project leader, reviews can be cursory and quick, and merges performed without
+additional delay, in some common low-risk circumstances:
+
+- The patch fixes broken CI, taking the project from a verifiably broken state
+  to passing all of the CI builds and tests.
+- The changes are only to documentation, comments, or other non-code files,
+  and so cannot break the build or introduce new bugs.
+- The code changes are trivial and are obviously correct. (This is a judgment
+  call, but if the author or reviewer or both are among the project's senior
+  developers, they don't need to performatively pretend that they aren't sure
+  it's a good patch.)
+- The changes are to sufficiently *localized* and *low risk* code, that even
+  if wrong, would only have the potential to break individual non-critical
+  features or rarely-used code paths. (Remember, this still assumes that CI
+  fully passes and test coverage includes the feature being altered by the
+  PR.)
+
+Conversely, some patches are so important or risky that if possible, they
+should be reviewed by multiple people, preferably from different stakeholder
+institutions than the author, and ensure that the approval is made with a
+detailed understanding of the issues. In these cases, it may also be worth
+bringing up the issue up at a TSC meeting to ensure the attention of many
+stakeholders. These include:
+
+- *New directions*: Addition of major new features, new strategic initiatives,
+  or changes to APIs that introduce new idioms or usage patterns should give
+  ample time for all stakeholders to provide feedback. In such cases, it may
+  be worth having the PR open for comments for weeks, not just days.
+- *Risky changes*: Changes to core classes or code that could subtly break
+  many things if not done right, or introduce performance regressions to
+  critical cases.
+- *Compatibility breaks*: changes that propose to break backward API
+  compatibility with existing code or data files, or that change the required
+  toolchain or dependencies needed to build the project.
+- *Security*: Changes that could introduce security vulnerabilities, or that
+  fix tricky security issues where the best fix is not obvious.
+
+### Code review compromises -- because things are rarely ideal
+
+We would love to have many senior reviewers constantly watching for PRs, doing
+thorough reviews immediately, and following the above guidelines without
+exception. Wouldn't that be great! But in reality, we have to compromise,
+hurry, or cut corners, or nothing would ever get done. Some of these
+compromises are understandable and acceptable if they aren't happening too
+often.
+
+- Lack of reviews: If no reviews are forthcoming after a few days, a "are
+  there any objections?" comment may be added to the PR, and if no objections
+  are raised within another few days, the PR may be merged by the author if
+  they are a senior developer on the project. This is a fact of life, but
+  should be minimized (with a rigor proportional to where the patch falls on
+  the "low risk / high risk" scale described above). If this is done, you
+  should leave an additional comment explaining why it was merged without
+  review and inviting people to submit post-merge comments if they
+  subsequently spot something that can be improved.
+- Time-critical patches: urgent security fixes, broken CI or builds, critical
+  bugs affecting major stakeholders who are waiting for a repaired release,
+  fixes that are blocking other work or preventing other PRs from advancing.
+  In such cases, it is understandable for senior developers to try to speed up
+  the process of getting the changes integrated (though the very nature of
+  their criticality also indicates that it's worth getting a thorough review
+  if at all possible).
+- Failing tests: Sometimes a PR must be merged despite failing CI tests.
+  Usually this is for one of two reasons: (1) spurious CI failures are known
+  to be occurring at that time and are unrelated to the PR; (2) the PR is part
+  of a series of patches that are only expected to fully pass CI when the last
+  piece is completed.
+
+These changes are understandable, but we still are striving to reduce their
+frequency. It is the responsibility of the senior developers, TSC members, and
+major stakeholders to be monitoring the incoming PRs and helping with reviews
+as much as possible, to ensure that review exceptions are rare.
+
+### Code review pathologies -- things to avoid
+
+These are anti-patterns that generally are indications of an unhealthy open
+source project:
+
+* An author merging their own PR without any review comments that indicate
+  meaningful scrutiny or approval from another party, and without giving
+  adequate warning that a merge will occur if no reviews are received.
+* PRs languishing for weeks or months without any review or merge.
+* PRs that don't adequately test their changes (basically crossing your
+  fingers and hoping it works).
+* PRs that are merged despite failing CI that might be related or, if
+  unrelated, that might be masking problems with the PR being evaluated.
+
+Again, sometimes these things happen out of necessity to keep the project
+moving forward under constrained development resources. But we strive as much
+as possible to ensure that they are rare exceptions.
diff --git a/project_best_practices_guides/releasing.md b/project_best_practices_guides/releasing.md
@@ -0,0 +1,19 @@
+---
+parent: Best Practices
+---
+
+Releasing Best Practices
+========================
+
+This document is a placeholder. Some topics we will want to remember to cover:
+- Versioning
+- Release cadence
+- Release procedures (various checklists)
+- Best ideas for betas, release candidates, final releases
+- Packaging
+- PyPI
+- Binary distribution
+- Release announcements (including automated to slack)
+- Signed releases
+- Immutable releases
+
diff --git a/project_best_practices_guides/security.md b/project_best_practices_guides/security.md
@@ -0,0 +1,15 @@
+---
+parent: Best Practices
+---
+
+Security Best Practices
+=======================
+
+This document is a placeholder. Some topics we will want to remember to cover:
+- Signed releases
+- Specify GHA actions and dependency checkouts by SHA commit, not version
+- See testing best practices for: static analysis, dynamic analysis, fuzzing
+- Setting up a security policy
+- How to respond to security reports
+- CVEs
+- Security audits and how to interact with those teams
diff --git a/project_best_practices_guides/testing.md b/project_best_practices_guides/testing.md
@@ -0,0 +1,15 @@
+---
+parent: Best Practices
+---
+
+Testing Best Practices
+======================
+
+This document is a placeholder. Some topics we will want to remember to cover:
+- Testing tips
+- Constructing test suites
+- Unit tests, integration tests, etc.
+- Ways to test: pass/fail, compare against reference output (text, image, etc.)
+- Tips for testing things that produce images
+- Tips for testing things with UIs
+- Static analysis, dynamic analysis, sanitizers, fuzzing
