**Core Pull Request Reviewers** is a team for contributors who are willing to regularly review Jenkins pull requests and eventually become Jenkins core maintainers.
They get https://help.github.com/en/github/setting-up-and-managing-organizations-and-teams/repository-permission-levels-for-an-organization[Triage permissions] so that they can manage pull requests, request reviews and prepare changelog drafts in the pull request description.
Led by the link:https://www.jenkins.io/project/team-leads/#release[Jenkins Release Officer], they initiate releases and backport changes into the link:https://www.jenkins.io/download/lts/[Stable release line].
Team members get `Write` permissions in the Jenkins core repository, and they also get permissions to trigger release Pipelines. LTS release steps are documented in link:https://github.com/jenkins-infra/release/blob/master/.github/ISSUE_TEMPLATE/1-lts-release-checklist.md[jenkins-infra/release]
* **Core Pull Request Reviewers** can be nominated by contributors in the link:https://groups.google.com/d/forum/jenkinsci-dev[developer mailing list].
The Decision is made by a consensus in the mailing list or via voting at the link:https://www.jenkins.io/project/governance-meeting/[governance meeting].
All nominees must also sign an link:https://github.com/jenkinsci/infra-cla/[Individual Contributor License Agreement] before getting permission in GitHub repositories.
It's not just about the code, but also whether the change makes sense in a global/holistic way, considering existing popular plugins and the way users experience Jenkins overall.
When the motivation of the pull request is unclear, incomplete, or not entirely cogent, the pull request needs to be labeled with `needs-justification`.
It includes both feature compatibility and binary/API compatibility which is important for the plugin ecosystem.
Although we have some tools (like https://github.com/jenkins-infra/usage-in-plugins[usage-in-plugins]) for checking API usages across open-source plugins,
there is no way to confirm external usages in 3rd-party proprietary plugins which are also a part of the ecosystem.
==== Maintaining Code quality
The code doesn't have to be perfect, but we want to ensure that all new code matches basic quality standards:
test coverage for newly added functionality and fixes,
documentation for newly introduced APIs,
the submitted code is readable and matches the code style in the surrounding codebase,
etc.
==== Code style
We're aware that there are existing inconsistencies in the code,
and we do not enforce a single code style across the codebase at the moment.
* New code should follow the (majority) style guide.
In Jenkins core, we use link:https://www.oracle.com/java/technologies/javase/codeconventions-contents.html[these Code Conventions for the Java TM Programming Language] as a default code style
* Updates to existing code should only fix formatting on the lines affected anyway to keep the diff minimal.
It helps reviewers focus their attention on the specifics of the change and reduces the risk of a change from one pull request creating a conflict in another pull request.
When a new user-facing change is added, we should encourage contributors to update the documentation in downstream pull requests.
* The Same applies to Jenkins changelogs (link:https://www.jenkins.io/changelog[weekly], link:https://www.jenkins.io/changelog-stable/[stable]) and link:https://www.jenkins.io/doc/upgrade-guide/[upgrade guidelines]:
We have a semi-automated process that is based on pull request summaries and labels.
An obvious goal of the project is to deliver value to end users
(without incurring an undue maintenance burden),
without which end users would cease use of the delivered software.
A pull request represents potential value for end users,
value which is only realized when the pull request is merged and delivered in a shipping release.
The same goes for maintenance pull requests that do not deliver immediate value to users
but improve the project's health and sustainability, for example,
developer documentation updates, code quality improvements, project and test automation, etc.
These pull requests also need to be merged,
and it is in our best interests to do so rather sooner than later.
[cols="1,1"]
|===
|Optimal Outcome|Suboptimal Outcome
|When a pull request is merged and delivered in a shipping release, users are rewarded with this value.
|Inversely, when a pull request remains unmerged and unreleased for an extended period of time, users are deprived of this value.
|===
Another explicit goal of the project is to encourage both new and seasoned contributors alike.
[cols="1,1"]
|===
|Optimal Outcome|Suboptimal Outcome
|When a submission that is ready for merge is approved, merged, and released in a timely fashion, the contributor is more likely to contribute again.
|Inversely, when a submission that is ready for merge languishes without timely approval, merge, and release, the contributor is less likely to contribute again.
|When the contributor of a submission that is not _yet_ ready for merge is provided with clear, actionable, and justified feedback and when, after the action has been taken, the submission is subsequently reviewed again, approved, merged, and released in a timely fashion, the contributor is more likely to contribute again.
|Inversely, when the contributor of a submission that is not _yet_ ready for merge is provided feedback without reasoning or asked questions that do not ultimately lead to a clear action item, the contributor is less likely to improve the quality of the submission.
|When contributors and reviewers successfully negotiate scope, the contributor is more likely to complete the submission.
|Inversely, when contributors and reviewers fail to negotiate a middle ground regarding scope, the contributor is less likely to complete the submission.
|When an impractical submission is reviewed and explicitly rejected with reasoning in a timely fashion, the contributor is more likely to improve the quality of future submissions.
|Inversely, when an impractical submission is ignored without an explicit rejection or rejected explicitly without reasoning, the contributor is less likely to improve the quality of future submissions.
|===
For these reasons, core maintainers are expected not only to review pull requests but also to bring them to closure in a timely fashion,
either by merging ready pull requests towards weekly releases
or by closing pull requests that are not ready for merge after an extended period of time.
As part of the process of bringing pull requests to closure,
core maintainers are expected to steer discussions towards the identification of clear action items with reasoning
and to explicitly reject with reasoning pull requests for which there are no clear and justified action items or for which such action items remain incomplete after an extended period of time.
==== Indicating intent to merge or close
Core maintainers communicate their intention to bring a pull request to closure by adding themselves to the pull request in the **Assignees** field,
through which they make a commitment to work with the contributor to either merge the pull request or to explicitly reject it.
To avoid ambiguity, at most one (1) core maintainer should be assigned to a pull request.
Only core maintainers should be assigned to pull requests,
since a non-maintainer would be unable to fulfill the commitment by merging the pull request or explicitly rejecting it.
To avoid making commitments on behalf of others that cannot be fulfilled,
core maintainers should only assign pull requests to themselves and not to other core maintainers.
An exception to the above would be if, following the adoption of this system, a pull request is brought to closure but remains unassigned.
In that case, any core maintainer can retroactively assign the pull request to the core maintainer who merged or closed it for tracking purposes.
In light of the responsibility to merge or close pull requests implied by membership on the core team,
all core maintainers are strongly encouraged to regularly merge or close pull requests.
==== Providing actionable and justified feedback
Once assigned to a pull request, a core maintainer should make every reasonable effort to drive the pull request to closure in a timely fashion.
If further action is needed before the pull request can be accepted, this action should be explicitly requested along with the reasoning behind it.
Contributors are far more likely to successfully complete action items when the reasoning behind the request is explicit and cogent.
It is perfectly reasonable for the assignee or any other reviewer to ask questions,
but the ultimate goal of these questions should be to arrive at clear and justified action item(s);
otherwise, the process can languish for an extended period of time.
It is the responsibility of the assignee to steer the discussion towards concrete and justified action item(s).
==== Providing confirmation that feedback has been addressed
Once any requested actions have been taken, the assignee should make every reasonable effort to provide explicit confirmation that each action item has been completed.
This gives contributors positive reinforcement and confidence that their submission is moving forward through the process,
ultimately making them more likely to complete the process and contribute again.
Assignees who cannot provide such confirmation in a timely fashion are strongly encouraged to remove their assignment from the pull request in order to allow another core maintainer to pick it up.
If the assignee cannot respond in a timely fashion, the author or another core maintainer may ask the current assignee about their intentions;
in the absence of a timely response, another core maintainer may remove the assignment.
==== Negotiating scope
Not every pull request reaches a state of perfection at the end of the review process.
Sometimes, requests are made that, while justified, represent an additional amount of work that the contributor may not be willing to do.
In some cases it is critical to complete the additional work, but in others "you aren't gonna need it" (YAGNI).
In such cases, the assignee should make a good faith effort to negotiate with the contributor to find a reasonable middle ground that is "good enough."
Failure to negotiate successfully can often chase contributors away.
If the additional work is simple enough and the submission is not moving forward,
the assignee may consider occasionally giving the contributor a lift by completing the additional work,
though this is not expected in the general case
and would not be fair to the assignee if a large amount of additional work is necessary.
==== Voting process
A pull request can often serve as a catalyst for a discussion in which several possible paths forward are identified.
When there is no clear consensus among the core maintainers about the path forward,
the assignee should call for a vote.
While only core maintainers have formally binding votes, any interested parties are generally encouraged to vote, even if their votes are advisory.
To avoid ambiguity, it is preferred that votes be done using https://www.apache.org/foundation/voting.html#expressing-votes-1-0-1-and-fractions[Apache conventions].
Unlike in the Apache Software Foundation, a -1 vote is not a veto but rather a very strong objection.
A -1 vote by a core maintainer stops a pull request in its tracks
until and unless the core maintainer withdraws the -1 vote or is outvoted by other core maintainers.
To ensure that -1 votes are used prudently,
the core maintainer must provide with the -1 vote a technical justification showing why the change is bad
(e.g., opens a security exposure, negatively affects performance, etc.).
A -1 vote without a justification is invalid and has no weight.
==== Acceptance [[acceptance]]
Once a pull request has reached the point where it is ready for merge, it is time to begin the countdown period by applying the `ready-for-merge` label.
To avoid ambiguity, this label should only be applied by a core maintainer who actually intends to merge the pull request.
Non-maintainers, including members of the core PR reviewers team, should not start the countdown period,
as this sends a signal to the contributor that their submission will be merged soon when in fact there may not be a core maintainer who has committed to merging it.
To avoid making commitments on behalf of others that cannot be fulfilled,
the `ready-for-merge` label should be applied by the assignee and not by another core maintainer.
If the pull request does not have an assignee, applying the `ready-for-merge` label implies self-assignment,
and this self-assignment may retroactively be made explicit by another core maintainer for tracking purposes.
Please be mindful that people are more likely to contribute again when they are thanked for their contribution.
An example acceptance message is as follows:
> This PR is now ready for merge. We will merge it after approximately 24 hours if there is no negative feedback. Please see the https://github.com/jenkinsci/jenkins/blob/master/docs/MAINTAINERS.adoc#merge-process[merge process documentation] for more information about the merge process. Thanks!
==== Rejection
Not all pull requests reach the point where they are ready for merge.
In some cases, the pull request is close to being ready, but one or more justified action items remain incomplete.
In other cases, negotiations regarding scope have reached an impasse.
In other cases, the pull request is very far from being ready or is completely impractical, and no progress is being made.
When a pull request is not ready for merge after an extended period of time,
the assignee is responsible for completing the rejection process,
first by applying the `stalled` label, then by applying the `proposed-for-closed` label, and finally by closing the pull request with a rejection message.
This process should be undertaken with the utmost care and respect
in order to ensure that the contributor feels welcome to contribute again.
At minimum, the reasoning behind the rejection should be stated in objective and factual terms.
If the proposed change might be accepted again in the future once additional action item(s) have been completed,
these should be stated to allow for the original author or a different author to complete the proposed change.
Please be mindful that people are more likely to contribute again when they are thanked for their contribution.
An example rejection message is as follows:
> I am closing this PR due to <insert reasoning here>. On behalf of the core team, I would like to thank you for your contribution. Even though this PR did not make it across the finish line, it was a promising start! I continue to encourage you (or anyone else who is interested) to pick up this effort and drive it to completion. Thanks!
If you feel this is important, add the link:https://github.com/jenkinsci/jenkins/pulls?q=is%3Aopen+is%3Apr+label%3Asquash-merge-me[squash-merge-me] label
It is essential to ensure that the `component` field references the right component (the Jenkins core, a plugin, etc.)
so that an issue can be discovered and processed by a component maintainer.
When moving an issue, assign the issue to the `automatic` assignee so that the maintainer gets a notification.
Not all components have a default assignee, and it is perfectly fine to leave the assignee field empty.
* **Verify the issue type**.
`Bug` should be used for bug reports.
All other issue types are considered as requests for enhancements, and there is no practical difference for the Jenkins core.
* **Verify the issue metadata**: Jenkins version, environment, labels, etc.
Such metadata is useful for further triage and issue discoverability.
There are some labels used in Jenkins Jira dashboard and filters, e.g. `jcasc-compatibility`, `java11-compatibility`, `jep-200`, etc.
Assigning such labels helps users and maintainers to discover issues and act on them.
There is no list of such "common labels" recommended for use.
Some labels can be found in similar issues or documentation linked from system log entries in the reports.
* **Move security issue** to the `SECURITY` project.
Sometimes the issue reporters do not follow the link:https://www.jenkins.io/security/#reporting-vulnerabilities[vulnerability reporting] process and report security issues in public.
If you see such issues, move them to the `SECURITY` project so that the security team takes care of their triage.
Note that the required fields are different between projects, so some manual updates might be required when moving them.
* **Label regressions and CC stakeholders** if an issue is reported as a regression with a clear root cause,
In addition to the initial triage, it is a good practice to sometimes review previously reported issues so that we could minimize the backlog of issues and simplify search by users.
* link:https://www.jenkins.io/project/conduct/[Jenkins Code of Conduct] -
when it gets ugly.
=== Resolving vs. Closing issues
Jira workflow for the `JENKINS` project has two similar states: `Resolved` and `Closed`.
Historically the issues are rarely being **closed**, and all dashboard and Jenkins processes interpret resolved issues as closed.
The main difference is that the _Resolved_ issues can be reopened by users while _Closed_ ones can be reopened by admins only.
For triage purposes, it is recommended to use the `Resolved` state if there is a chance that the issue will be reopened by the reporter or other contributor
(e.g. resolving due to inactivity, disagreement with the resolution, etc.).
Merge process can be initiated once a pull request matches the requirements:
* Pull request is compliant with requirements to submitters (see the link:/.github/PULL_REQUEST_TEMPLATE.md[pull request template])
* There are at least 2 approvals for the pull request and no outstanding requests for change
* Conversations in the pull request are over OR it is explicit that a reviewer does not block the change (often indicated by line comments attached to an approving PR review, or by using the term "nit", from "nit-picking")
* Changelog entries in the PR title and/or _Proposed changelog entries_ are correct and reflect the current, final state of the PR
* Proper changelog labels are set so that the changelog can be generated automatically.
This is usually the case when a data migration occurs, a feature has been removed, a significant behavior change is introduced (including when there is a way to opt-out),
* If it would make sense to backport the change to LTS, a Jira issue must exist, be a _Bug_ or _Improvement_, and be labelled as `lts-candidate` to be considered (see link:https://issues.jenkins.io/issues/?filter=12146[this Jira query]).
link:https://www.jenkins.io/security/[Jenkins security updates] are coordinated with the LTS calendar.
If the weekly release before an LTS release introduces regressions, users of the weekly line may have to choose between security fixes and a working Jenkins.
The Jenkins security team will usually send a "pre-announcement" to link:https://groups.google.com/forum/#!forum/jenkinsci-advisories[the advisories list] on Wednesday or Thursday the week before release, but that's not always doable.
For these reasons, the following changes should not be merged during the week before LTS releases (weeks 3, 7, 11, 15, etc. on the page linked above):
* Changes that could be considered risky (relatively high risk of introducing regressions), as they could make users of Jenkins weekly releases choose between getting security fixes, and having a functioning Jenkins
* Very large changes (in terms of lines changed), because the Jenkins security team needs to prepare security fixes for the weekly release line in a very short period of time.
Sometimes we have pull requests which include dozens of commits including many non-substantial changes (merge commits, addressing review comments, etc.).
We do not require contributors to spend time on cleaning it up, because core maintainers can squash PRs during the merge.
Reviewers can add a link:https://github.com/jenkinsci/jenkins/pulls?q=is%3Aopen+is%3Apr+label%3Asquash-merge-me[squash-merge-me] label during reviews to highlight that it is needed.
link:https://www.jenkins.io/download/weekly/[Jenkins Weekly releases] are managed by the Jenkins Release Team which has access to the dedicated release environment within the Jenkins Infrastructure.
Jenkins also offers the link:https://www.jenkins.io/download/lts/[LTS Release Line].
It is maintained by the Jenkins Release Team which coordinates link:https://www.jenkins.io/download/lts/#backporting-process[backporting] and release candidate testing.
