ContextQMD
Back to Gitlabhq

Code Review Guidelines

doc/development/code_review.md

18.11.277.8 KB
Original Source

This guide contains advice and best practices for performing code review, and having your code reviewed.

All merge requests for GitLab CE and EE, whether written by a GitLab team member or a wider community member, must go through a code review process to ensure the code is effective, understandable, maintainable, and secure.

Getting your merge request reviewed, approved, and merged

Before you begin:

As soon as you have code to review, have the code reviewed by a reviewer. This reviewer can be from your group or team, or a domain expert. The reviewer can:

  • Give you a second opinion on the chosen solution and implementation.
  • Help look for bugs, logic problems, or uncovered edge cases.

If the merge request is small and straightforward to review, you can skip the reviewer step and directly ask a maintainer.

What constitutes "small and straightforward" is a gray area. Here are some examples of small and straightforward changes:

  • Fixing a typo or making small copy changes (example).
  • A tiny refactor that doesn't change any behavior or data.
  • Removing references to a feature flag that has been default enabled for > 1 month.
  • Removing unused methods or classes.
  • A well-understood logic change that requires changes to < 5 lines of code.

Otherwise, a merge request should be first reviewed by a reviewer in each category (for example: backend, database) the MR touches, as maintainers may not have the relevant domain knowledge. This also helps to spread the workload.

For assistance with security scans or comments, include the Application Security Team (@gitlab-com/gl-security/appsec).

The reviewers use the reviewer functionality in the sidebar. Reviewers can add their approval by approving additionally.

Depending on the areas your merge request touches, it must be approved by one or more maintainers. The Approved button is in the merge request widget.

Getting your merge request merged also requires a maintainer. If it requires more than one approval, the last maintainer to review and approve merges it.

Some domain areas (like Verify) require an approval from a domain expert, based on CODEOWNERS rules. Because CODEOWNERS sections are independent approval rules, we could have certain rules (for example Verify) that may be a subset of other more generic approval rules (for example backend). For a more efficient process, authors should look for domain-specific approvals before generic approvals. Domain-specific approvers may also be maintainers, and if so they should review the domain specifics and broader change at the same time and approve once for both roles.

Read more about author responsibilities below.

Domain experts

Domain experts are team members who have substantial experience with a specific technology, product feature, or area of the codebase. Team members are encouraged to self-identify as domain experts and add it to their team profiles.

When self-identifying as a domain expert, it is recommended to assign the MR changing the .yml file to be merged by an already established Domain Expert or a corresponding Engineering Manager.

We make the following assumption with regards to automatically being considered a domain expert:

  • Team members working in a specific stage/group (for example, create: source code) are considered domain experts for that area of the app they work on.
  • Team members working on a specific feature (for example, search) are considered domain experts for that feature.

We default to assigning reviews to team members with domain expertise for code reviews. UX reviews default to the recommended reviewer from the Review Roulette. Due to designer capacity limits, areas not supported by a Product Designer will no longer require a UX review unless it is a community contribution. When a suitable domain expert isn't available, you can choose any team member to review the MR, or follow the Reviewer roulette recommendation (see above for UX reviews). Double check if the person is OOO before assigning them.

To find a domain expert:

  • In the Merge Request approvals widget, select View eligible approvers. This widget shows recommended and required approvals per area of the codebase. These rules are defined in Code Owners.
  • View the list of team members who work in the stage or group related to the merge request.
  • View team members' domain expertise on the engineering projects page or on the GitLab team page. Domains are self-identified, so use your judgment to map the changes on your merge request to a domain.
  • Look for team members who have contributed to the files in the merge request. View the logs by running git log <file>.
  • Look for team members who have reviewed the files. You can find the relevant merge request by:
    1. Getting the commit SHA by using git log <file>.
    2. Navigating to https://gitlab.com/gitlab-org/gitlab/-/commit/<SHA>.
    3. Selecting the related merge request shown for the commit.

Reviewer roulette

[!note] Reviewer roulette is an internal tool for use on GitLab.com, and not available for use on customer installations.

The Danger bot randomly picks a reviewer and a maintainer for each area of the codebase that your merge request seems to touch. It makes recommendations for developer reviewers and you should override it if you think someone else is a better fit.

Approval Guidelines can help to pick domain experts.

We only do UX reviews for MRs from teams that include a Product Designer. User-facing changes from these teams are required to have a UX review, even if it's behind a feature flag. Default to the recommended UX reviewer suggested.

It picks reviewers and maintainers from the list at the engineering projects page, with these behaviors:

  • It doesn't pick people whose Slack or GitLab status:

    • Contains the string OOO, PTO, Parental Leave, Friends and Family, or Conference.
    • Emoji is from one of these categories:
      • On leave - 🌴 palm_tree, 🏖️ beach, ⛱ beach_umbrella, 🏖 beach_with_umbrella, 🌞 sun_with_face, 🎡 ferris_wheel, 🏙 cityscape
      • Out sick - 🌡️ thermometer, 🤒 face_with_thermometer
    • Important: The status emojis are not detected when present on the free text input status message. They have to be set on your GitLab status emoji by clicking on the emoji selector beside the text input.

  • It doesn't pick people who are already assigned a number of reviews that is equal to or greater than their chosen "review limit". The review limit is the maximum number of reviews people are ready to handle at a time. Set a review limit by using one of the following as a Slack or GitLab status:

    • 2️⃣ - two
    • 3️⃣ - three
    • 4️⃣ - four
    • 5️⃣ - five

    The minimum review limit is 2️⃣. The reason for not being able to completely turn oneself off for reviews has been discussed in this issue.

    Review requests for merge requests that do not target the default branch of any project under the security group are not counted. These MRs are usually backports, and maintainers or reviewers usually do not need much time reviewing them.

  • It always picks the same reviewers and maintainers for the same branch name (unless their out-of-office (OOO) status changes, as in point 1). It removes leading ce- and ee-, and trailing -ce and -ee, so that it can be stable for backport branches.

  • People whose Slack or GitLab status emoji is Ⓜ :m:are only suggested as reviewers on projects they are a maintainer of.

The Roulette dashboard contains:

  • Assignment events in the last 7 and 30 days.
  • Currently assigned merge requests per person.
  • Sorting by different criteria.
  • A manual reviewer roulette.
  • Local time information.

Approval guidelines

As described in the section on the responsibility of the maintainer below, you are recommended to get your merge request approved and merged by maintainers with domain expertise. The optional approval of the first reviewer is not covered here. However, your merge request should be reviewed by a reviewer before passing it to a maintainer as described in the overview section.

If your merge request includesIt must be approved by a
~backend changes <sup>1</sup>Backend maintainer.
~database migrations or changes to expensive queries <sup>2</sup>Database maintainer. Refer to the database review guidelines for more details.
~workhorse changesWorkhorse maintainer.
~frontend changes <sup>1</sup>Frontend maintainer.
~UX user-facing changes <sup>3</sup>Product Designer. Refer to the design and user interface guidelines for details.
Adding a new JavaScript library <sup>1</sup>- Frontend Design System member if the library significantly increases the bundle size.

More information about license compatibility can be found in our GitLab Licensing and Compatibility documentation. | | A new dependency or a file system change | - Distribution team member. See how to work with the Distribution team for more details.

  1. Specs other than JavaScript specs are considered ~backend code. Haml markup is considered ~frontend code. However, Ruby code in Haml templates is considered ~backend code. When in doubt, request both a frontend and backend review.

    For Haml template changes specifically:

    • Request backend review when changes include Ruby logic, method calls, variable assignments, conditionals, loops, data preparation, security checks, or any server-side processing in the template.
    • Request frontend review when changes affect DOM structure, CSS classes, HTML attributes, accessibility features, user interactions, and responsive design, or visual presentation.
    • Request both reviews for complex changes that involve both Ruby logic and significant UI modifications, or when backend and frontend are intertwined (such as when backend serves data that is consumed by Vue or JavaScript), to ensure both the backend functionality and frontend user experience are properly evaluated.
      • Example: A Haml template that calls Ruby methods to prepare data attributes for a Vue.js component (for example, project_id: @project&.to_global_id) would benefit from a backend review for Ruby logic correctness and frontend review for the component integration.

  2. We encourage you to seek guidance from a database maintainer if your merge request is potentially introducing expensive queries. It is most efficient to comment on the line of code in question with the SQL queries so they can give their advice.

  3. User-facing changes include both visual changes (regardless of how minor), and changes to the rendered DOM which impact how a screen reader may announce the content. Groups that do not have dedicated Product Designers do not require a Product Designer to approve feature changes, unless the changes are community contributions.

  4. End-to-end changes include all files in the qa directory.

CODEOWNERS approval

Some merge requests require mandatory approval by specific groups. See .gitlab/CODEOWNERS for definitions.

Mandatory sections in .gitlab/CODEOWNERS should only be limited to cases where it is necessary due to:

  • compliance
  • availability
  • security

When adding a mandatory section, you should track the impact on the new mandatory section on merge request rates. See the Verify issue for a good example.

All other cases should not use mandatory sections as we favor responsibility over rigidity.

Additionally, the current structure of the monolith means that merge requests are likely to touch seemingly unrelated parts. Multiple mandatory approvals means that such merge requests require the author to seek approvals, which is not efficient.

Efforts to improve this are in:

Acceptance checklist

<!-- When editing, remember to announce the change to Engineering Division -->

This checklist encourages the authors, reviewers, and maintainers of merge requests (MRs) to confirm changes were analyzed for high-impact risks to quality, performance, reliability, security, observability, and maintainability.

Using checklists improves quality in software engineering. This checklist is a straightforward tool to support and bolster the skills of contributors to the GitLab codebase.

Quality

For further quality guidelines, see testing.

  1. You have self-reviewed this MR per code review guidelines.
  2. The code follows the software design guidelines.
  3. Ensure automated tests exist following the testing pyramid. Add missing tests or create an issue documenting testing gaps.
  4. You have considered the technical impacts on GitLab.com, Dedicated and self-managed.
  5. You have considered the impact of this change on the frontend, backend, and database portions of the system where appropriate and applied the ~ux, ~frontend, ~backend, and ~database labels accordingly.
  6. You have tested this MR in all supported browsers, or determined that this testing is not needed.
  7. You have confirmed that this change is backwards compatible across updates, or you have decided that this does not apply.
  8. You have properly separated EE content (if any) from FOSS. Consider running the CI pipelines in a FOSS context.
  9. You have considered that existing data may be surprisingly varied. For example, if adding a new model validation, consider making it optional on existing data.
  10. You have fixed flaky tests related to this MR, or have explained why they can be ignored. Flaky tests have error Flaky test '<path/to/test>' was found in the list of files changed by this MR. but can be in jobs that pass with warnings.
Performance, reliability, and availability
  1. You are confident that this MR does not harm performance, or you have asked a reviewer to help assess the performance impact. (Merge request performance guidelines)
  2. You have added information for database reviewers in the MR description, or you have decided that it is unnecessary.
  3. You have considered the availability and reliability risks of this change.
  4. You have considered the scalability risk based on future predicted growth.
  5. You have considered the performance, reliability, and availability impacts of this change on large customers who may have significantly more data than the average customer.
  6. You have considered the performance, reliability, and availability impacts of this change on customers who may run GitLab on the minimum system.
Observability instrumentation
  1. You have included enough instrumentation to facilitate debugging and proactive performance improvements through observability. See example of adding feature flags, logging, and instrumentation.
Documentation
  1. You have included changelog trailers, or you have decided that they are not needed.
  2. You have added/updated documentation or decided that documentation changes are unnecessary for this MR.
Security
  1. You have confirmed that if this MR contains changes to processing or storing of credentials or tokens, authorization, and authentication methods, or other items described in the security review guidelines, you have added the ~security label and you have @-mentioned @gitlab-com/gl-security/appsec.
  2. You have reviewed the documentation regarding internal application security reviews for when and how to request a security review and requested a security review if this is warranted for this change.
  3. If there are security scan results that are blocking the MR (due to the merge request approval policies):
    • For true positive findings, they should be corrected before the merge request is merged. This will remove the AppSec approval required by the merge request approval policy.
    • For false positive findings, something that should be discussed for risk acceptance, or anything questionable, ping @gitlab-com/gl-security/appsec.
Deployment
  1. You have considered using a feature flag for this change because the change may be high risk.
  2. If you are using a feature flag, you plan to test the change in staging before you test it in production, and you have considered rolling it out to a subset of production customers before rolling it out to all customers.
  3. You have informed the Infrastructure department of a default setting or new setting change per definition of done, or decided that this is unnecessary.
Compliance
  1. You have confirmed that the correct MR type label has been applied.

The responsibility of the merge request author

The responsibility to find the best solution and implement it lies with the merge request author. The author or directly responsible individual (DRI) stays assigned to the merge request as the assignee throughout the code review lifecycle. If you are unable to set yourself as an assignee, ask a reviewer to do this for you.

Before requesting a review from a maintainer to approve and merge, they should be confident that:

  • It actually solves the problem it was meant to solve.
  • It does so in the most appropriate way.
  • It satisfies all requirements.
  • There are no remaining bugs, logical problems, uncovered edge cases, or known vulnerabilities.

The best way to do this, and to avoid unnecessary back-and-forth with reviewers, is to perform a self-review of your own merge request, following the Code Review guidelines. During this self-review, try to include comments in the MR on lines where decisions or trade-offs were made, or where a contextual explanation might aid the reviewer in more easily understanding the code.

To reach the required level of confidence in their solution, an author is expected to involve other people in the investigation and implementation processes as appropriate.

They are encouraged to reach out to domain experts to discuss different solutions or get an implementation reviewed, to product managers and UX designers to clear up confusion or verify that the end result matches what they had in mind, to database specialists to get input on the data model or specific queries, or to any other developer to get an in-depth review of the solution.

If you know you'll need many merge requests to deliver a feature (for example, you created a proof of concept and it is clear the feature will consist of 10+ merge requests), consider identifying reviewers and maintainers who possess the necessary understanding of the feature (you share the context with them). Then direct all merge requests to these reviewers. The best DRI for finding these reviewers is the EM or Staff Engineer. Having stable reviewer counterparts for multiple merge requests with the same context improves efficiency.

If your merge request touches more than one domain (for example, Dynamic Analysis and GraphQL), ask for reviews from an expert from each domain.

If an author is unsure if a merge request needs a domain expert's opinion, then that indicates it does. Without it, it's unlikely they have the required level of confidence in their solution.

Before the review, the author is requested to submit comments on the merge request diff alerting the reviewer to anything important as well as for anything that demands further explanation or attention. Examples of content that may warrant a comment could be:

  • The addition of a linting rule (RuboCop, JS etc).
  • The addition of a library (Ruby gem, JS lib etc).
  • Where not obvious, a link to the parent class or method.
  • Any benchmarking performed to complement the change.
  • Potentially insecure code.

If there are any projects, snippets, or other assets that are required for a reviewer to validate the solution, ensure they have access to those assets before requesting review.

When assigning reviewers, it can be helpful to:

  • Add a comment to the MR indicating which type of review you are looking for from that reviewer.
    • For example, if an MR changes a database query and updates backend code, the MR author first needs a ~backend review and a ~database review. While assigning the reviewers, the author adds a comment to the MR letting each reviewer know which domain they should review.
    • Many GitLab team members are domain experts in more than one area, so without this type of comment it is sometimes ambiguous what type of review they are being asked to provide.
    • Explicitness around MR review types is efficient for the MR author because they receive the type of review that they are looking for and it is efficient for the MR reviewers because they immediately know which type of review to provide.
    • Example 1
    • Example 2
  • Only add TODO comments (referenced above) directly to the source code if the reviewer requires you to do so. If TODO comments are added due to an actionable task, include a link to the relevant issue.
  • Add comments that explain why, not only what the code is doing.
  • Request maintainer reviews only when all tests have passed. If the tests are failing and you have to request a review, ensure you leave a comment with an explanation.
  • Mention maintainers through email or Slack (if the maintainer is reachable through Slack) only if you have an immediate request. If you can't add a reviewer for a merge request, @ mentioning a maintainer in a comment is acceptable and in all other cases adding a reviewer is sufficient.

This saves reviewers time and helps authors catch mistakes earlier.

The responsibility of the reviewer

Reviewers are responsible for reviewing the specifics of the chosen solution.

If you are unavailable to review an assigned merge request within the Review-response SLO:

  1. Inform the author that you're not available.
  2. Use the GitLab Review Workload Dashboard to select a new reviewer.
  3. Assign the new reviewer to the merge request.

This demonstrates a bias for action and ensures an efficient MR review progress.

Add a comment like the following:

plaintext
Hi <@mr-author>, I'm unavailable for review but I've [spun the roulette wheel](https://gitlab-org.gitlab.io/gitlab-roulette/) for this project and it has selected <@new-reviewer>.

@new-reviewer may you please review this MR when you have time? If you're unavailable, please [spin the roulette wheel](https://gitlab-org.gitlab.io/gitlab-roulette/) again and select and assign a new reviewer, thank-you.

/assign_reviewer <@new-reviewer>
/unassign_reviewer me

Review the merge request thoroughly.

Verify that the merge request meets all contribution acceptance criteria.

Some merge requests may require domain experts to help with the specifics. Reviewers, if they are not a domain expert in the area, can do any of the following:

  • Review the merge request and loop in a domain expert for another review. This expert can either be another reviewer or a maintainer.
  • Pass the review to another reviewer they deem more suitable.
  • If no domain experts are available, review on a best-effort basis.

You should guide the author towards splitting the merge request into smaller merge requests if it is:

  • Too large.
  • Fixes more than one issue.
  • Implements more than one feature.
  • Has a high complexity resulting in additional risk.

The author may choose to request that the current maintainers and reviewers review the split MRs or request a new group of maintainers and reviewers.

If the author has added local verification steps, indicate if you did these so the maintainer knows whether they were done, and what the result was.

When you are confident that it meets all requirements, you should:

  • Select Approve.
  • @ mention the author to generate a to-do notification, and advise them that their merge request has been reviewed and approved.
  • Request a review from a maintainer. Default to requests for a maintainer with domain expertise, however, if one isn't available or you think the merge request doesn't need a review by a domain expert, feel free to follow the Reviewer roulette suggestion.

The responsibility of the maintainer

Maintainers are responsible for the overall health, quality, and consistency of the GitLab codebase, across domains and product areas.

Consequently, their reviews focus primarily on things like overall architecture, code organization, separation of concerns, tests, DRYness, consistency, and readability.

Because a maintainer's job only depends on their knowledge of the overall GitLab codebase, and not that of any specific domain, they can review, approve, and merge MRs from any team and in any product area.

Maintainers are the DRI of assuring that the acceptance criteria of a merge request are reasonably met. In general, quality is everyone's responsibility, but maintainers of an MR are held responsible for ensuring that an MR meets those general quality standards.

This includes avoiding the creation of technical debt in follow-up issues.

If a maintainer feels that an MR is substantial enough, or requires a domain expert, maintainers have the discretion to request a review from another reviewer, or maintainer. Here are some examples of maintainers proactively doing this during review:

Maintainers do their best to also review the specifics of the chosen solution before merging, but as they are not necessarily domain experts, they may be poorly placed to do so without an unreasonable investment of time. In those cases, they defer to the judgment of the author and earlier reviewers, in favor of focusing on their primary responsibilities.

If a developer who happens to also be a maintainer was involved in a merge request as a reviewer, it is recommended that they are not also picked as the maintainer to ultimately approve and merge it.

Maintainers should check before merging if the merge request is approved by the required approvers. If still awaiting further approvals from others, @ mention the author and explain why in a comment.

Certain merge requests may target a stable branch. For an overview of how to handle these requests, see the patch release runbook.

After merging, a maintainer should stay as the reviewer listed on the merge request.

Dogfooding the Reviewers feature

Our code review process dogfoods the Merge request reviews feature. Here is a summary, which is also reflected in other sections.

  • Merge request authors and DRIs stay as Assignees.
  • Merge request reviewers stay as Reviewers even after they have reviewed.
  • Authors request a review by assigning users as Reviewers.
  • Authors re-request a review when they have made changes and wish a reviewer to re-review.
  • Reviewers use the reviews feature to submit feedback. You can select Start review or Start a review rather than Add comment now in any comment context on the MR.

Best practices

Everyone

  • Be kind.
  • Accept that many programming decisions are opinions. Discuss tradeoffs, which you prefer, and reach a resolution quickly.
  • Ask questions; don't make demands. ("What do you think about naming this :user_id?")
  • Ask for clarification. ("I didn't understand. Can you clarify?")
  • Avoid selective ownership of code. ("mine", "not mine", "yours")
  • Avoid using terms that could be seen as referring to personal traits. ("dumb", "stupid"). Assume everyone is intelligent and well-meaning.
  • Be explicit. Remember people don't always understand your intentions online.
  • Be humble. ("I'm not sure - let's look it up.")
  • Don't use hyperbole. ("always", "never", "endlessly", "nothing")
  • Be careful about the use of sarcasm. Everything we do is public; what seems like good-natured ribbing to you and a long-time colleague might come off as mean and unwelcoming to a person new to the project.
  • Consider one-on-one chats or video calls if there are too many "I didn't understand" or "Alternative solution:" comments. Post a follow-up comment summarizing one-on-one discussion.
  • If you ask a question to a specific person, always start the comment by mentioning them; this ensures they see it if their notification level is set to "mentioned" and other people understand they don't have to respond.

Recommendations for MR authors to get their changes merged faster

  1. Make sure to follow best practices.
    • Write efficient instructions, add screenshots, steps to validate, etc.
    • Read and address any comments added by dangerbot.
    • Follow the acceptance checklist.
  2. Follow GitLab patterns, even if you think there's a better way.
    • Discussions often delay merging code. If a discussion is getting too long, consider following the documented approach or the maintainer's suggestion, then open a separate MR to implement your approach as part of our best practices and have the discussions there.
  3. Consider splitting big MRs into smaller ones. Around 200 lines is a good goal.
    • Smaller MRs reduce cognitive load for authors and reviewers.
    • Reviewers tend to pick up smaller MRs to review first (a large number of files can be scary).
    • Discussions on one particular part of the code will not block other parts of the code from being merged.
    • Smaller MRs are often simpler, and you can consider skipping the first review and sending directly to the maintainer, or skipping one of the suggested competency areas (frontend or backend, for example).
    • Mocks can be a good approach, even though they add another MR later; replacing a mock with a server request is usually a quick MR to review.
      • Be sure that any UI with mocked data is behind a feature flag.
    • Pull common dependencies into the first MRs to avoid excessive rebases.
      • For sequential MRs use stacked diffs.
      • For dependent MRs (for example, A -> B -> C), have their branches target each other instead of master. For example, have C target B, B target A, and A target master. This way each MR will have only their corresponding diff.
    • Split merge request into smaller MRs in a way that only one maintainer is required per MR, for example, by shipping database changes before you implement the feature.
    • ⚠️ Split MRs with caution: MRs that are too small increase the number of total reviews, which can cause the opposite effect.
  4. Minimize the number of reviewers in a single MR.
    • Example: A DB reviewer can also review backend and or tests. A FullStack engineer can do both frontend and backend reviews.
    • Using mocks can make the first MRs be frontend only, and later we can request backend review for the server request (see "splitting MRs" above).
  5. Know your maintainers.
    • Knowing your maintainers will make code review a better experience for you and your maintainers. If you have a small group of maintainers who are usually reviewing your work, over time you will develop intuition for what the maintainer is going to be unhappy about, and how the merge request has to be structured to make the review faster.
  6. Assign a maintainer who is a domain expert.
    • Assigning a maintainer who is a domain expert can significantly reduce the time-to-merge. Maintainers usually prioritize reviewing merge requests changing areas in the codebase they are familiar with. Even a small merge request can wait very long for a review if a maintainer sees it, but concludes that the time investment to understand the code will be significant. In that case, maintainers tend to prioritize reviewing merge requests which are easier for them to understand, because this way they will be more efficient reviewers.
  7. Structure and write your MRs in a way that they are easy to review.
    • Once you know your maintainers and usually assign maintainers who are domain experts, over time you will also develop intuition for how to make your merge request easier to review. What it means that "a merge request is easy to review" depends on who is going to review the merge request, and whether they are domain experts. There are a few universal ways of making a merge request easier to review which are outlined above (like splitting an MR into smaller chunks), but once you become a domain expert, you know your maintainer, and the maintainer is a domain expert as well, you will be able to optimize for making your MRs a pleasure to review, and this will significantly reduce time-to-merge.

Having your merge request reviewed

Keep in mind that code review is a process that can take multiple iterations, and reviewers may spot things later that they may not have seen the first time.

  • The first reviewer of your code is you. Before you perform that first push of your shiny new branch, read through the entire diff. Does it make sense? Did you include something unrelated to the overall purpose of the changes? Did you forget to remove any debugging code?
  • Write a detailed description as outlined in the merge request guidelines. Some reviewers may not be familiar with the product feature or area of the codebase. Thorough descriptions help all reviewers understand your request and test effectively.
  • If you know your change depends on another being merged first, note it in the description and set a merge request dependency.
  • Be grateful for the reviewer's suggestions. ("Good call. I'll make that change.")
  • Don't take it personally. The review is of the code, not of you.
  • Explain why the code exists. ("It's like that because of these reasons. Would it be more clear if I rename this class/file/method/variable?")
  • Extract unrelated changes and refactorings into future merge requests/issues.
  • Seek to understand the reviewer's perspective.
  • Try to respond to every comment.
  • The merge request author resolves only the threads they have fully addressed. If there's an open reply, an open thread, a suggestion, a question, or anything else, the thread should be left to be resolved by the reviewer.
  • It should not be assumed that all feedback requires their recommended changes to be incorporated into the MR before it is merged. It is a judgment call by the MR author and the reviewer as to if this is required, or if a follow-up issue should be created to address the feedback in the future after the MR in question is merged.
  • Push commits based on earlier rounds of feedback as isolated commits to the branch. Do not squash until the branch is ready to merge. Reviewers should be able to read individual updates based on their earlier feedback.
  • Request a new review from the reviewer once you are ready for another round of review. If you do not have the ability to request a review, @ mention the reviewer instead.

Responding to GitLab Duo review comments

When GitLab Duo provides automated code review comments on your merge request, address all comments before requesting a review from human reviewers.

Your response can take any form, as long as it clearly indicates that you have considered the comment:

  • If you made changes based on the suggestion, explain what you changed.
  • If the issue is already addressed in another way, mention how it was resolved.
  • If the comment is not relevant or incorrect, explain why you are not acting on it. A "thumbs down" can be adequate if the comment is clearly irrelevant, but an explanation is preferable if there might be any confusion.

Leave GitLab Duo discussion threads unresolved so that reviewers and maintainers can easily see your responses and verify that all automated feedback has been appropriately addressed.

Requesting a review

When you are ready to have your merge request reviewed, you should request an initial review by selecting a reviewer based on the approval guidelines.

When a merge request has multiple areas for review, it is recommended you specify which area a reviewer should be reviewing, and at which stage (first or second). This will help team members who qualify as a reviewer for multiple areas to know which area they're being requested to review. For example, when a merge request has both backend and frontend concerns, you can mention the reviewer in this manner: @john_doe can you please review ~backend? or @jane_doe - could you please give this MR a ~frontend maintainer review?

You can also use workflow::ready for review label. That means that your merge request is ready to be reviewed and any reviewer can pick it. It is recommended to use that label only if there isn't time pressure and make sure the merge request is assigned to a reviewer.

When re-requesting a review, click the Re-request a review icon ({{< icon name="redo" >}}) next to the reviewer's name, or use the /request_review @user quick action. This ensures the merge request appears in the reviewer's Reviews requested section of their merge request homepage.

When your merge request receives an approval from the first reviewer it can be passed to a maintainer. You should default to choosing a maintainer with domain expertise, and otherwise follow the Reviewer Roulette recommendation or use the label ready for merge.

Sometimes, a maintainer may not be available for review. They could be out of the office or at capacity. You can and should check the maintainer's availability in their profile. If the maintainer recommended by the roulette is not available, choose someone else from that list.

It is the responsibility of the author for the merge request to be reviewed. If it stays in the ready for review state too long it is recommended to request a review from a specific reviewer.

Volunteering to review

GitLab engineers who have capacity can regularly check the list of merge requests to review and add themselves as a reviewer for any merge request they want to review.

Reviewing a merge request

Understand why the change is necessary (fixes a bug, improves the user experience, refactors the existing code). Then:

  • Try to be thorough in your reviews to reduce the number of iterations.

  • Communicate which ideas you feel strongly about and those you don't.

  • Identify ways to simplify the code while still solving the problem.

  • Offer alternative implementations, but assume the author already considered them. ("What do you think about using a custom validator here?")

  • Seek to understand the author's perspective.

  • Check out the branch, and test the changes locally. You can decide how much manual testing you want to perform.

    • If the merge request requires significant GDK modifications (such as adding new services, modifying environment variables, or complex configuration changes), consider these approaches:
      • Skip local testing and perform a thorough code review instead, then request a domain expert from the author's team to do local verification.
      • Request additional verification such as screenshots, videos, or detailed testing steps from the author.
      • Identify the minimal change needed to trigger the code path (for example, setting a condition to true in the code) rather than full environment setup.

    Your testing might result in opportunities to add automated tests.

  • If you don't understand a piece of code, say so. There's a good chance someone else would be confused by it as well.

  • Ensure the author is clear on what is required from them to address/resolve the suggestion.

    • Consider using the Conventional Comment format to convey your intent.
    • For non-mandatory suggestions, decorate with (non-blocking) so the author knows they can optionally resolve within the merge request or follow-up at a later stage. When the only suggestions are non-blocking, move the MR onto the next stage to reduce async cycles. When you are a first round reviewer, pass to a maintainer to review. When you are the final approving maintainer, generate follow-ups from the non-blocking suggestions and merge or set auto-merge. The author then has the option to either cancel the auto-merge by implementing the non-blocking suggestions, they provide a follow-up MR after the MR got merged, or decide to not implement the suggestions.
    • There's a Chrome/Firefox add-on which you can use to apply Conventional Comment prefixes.

  • Ensure there are no open dependencies. Check linked issues for blockers. Clarify with the authors if necessary. If blocked by one or more open MRs, set an MR dependency.

  • After a round of line notes, it can be helpful to post a summary note such as "Looks good to me", or "Just a couple things to address."

  • Let the author know if changes are required following your review.

[!warning] If the merge request is from a fork, also check the additional guidelines for community contributions.

Merging a merge request

Before taking the decision to merge:

  • Set the milestone.
  • Confirm that the correct MR type label is applied.
  • Consider warnings and errors from danger bot, code quality, and other reports. Unless a strong case can be made for the violation, these should be resolved before merging. A comment must be posted if the MR is merged with any failed job.
  • If the MR contains both Quality and non-Quality-related changes, the MR should be merged by the relevant maintainer for user-facing changes (backend, frontend, or database) after the Quality related changes are approved by a Software Engineer in Test.

At least one maintainer must approve an MR before it can be merged. MR authors and people who add commits to an MR are not authorized to approve the MR and must seek a maintainer who has not contributed to the MR to approve it. In general, the final required approver should merge the MR.

Scenarios in which the final approver might not merge an MR:

  • Approver forgets to set auto-merge after approving.
  • Approver doesn't realize that they are the final approver.
  • Approver sets auto-merge but it is un-set by GitLab.

If any of these scenarios occurs, an MR author may merge their own MR if it has all required approvals and they have merge rights to the repository. This is also in line with the GitLab bias for action value.

This policy is in place to satisfy the CHG-04 control of the GitLab Change Management Controls.

To implement this policy in gitlab-org/gitlab, we have enabled the following settings to ensure MRs get an approval from a top-level CODEOWNERS maintainer:

To update the code owners in the CODEOWNERS file for gitlab-org/gitlab, follow the process explained in the code owners approvals handbook section.

Some actions, such as rebasing locally or applying suggestions, are considered the same as adding a commit and could reset existing approvals. Approvals are not removed when rebasing from the UI or with the /rebase quick action.

When ready to merge:

[!warning] If the merge request is from a fork, also check the additional guidelines for community contributions.

  • Consider using the Squash and merge feature when the merge request has a lot of commits. When merging code, a maintainer should only use the squash feature if the author has already set this option, or if the merge request clearly contains a messy commit history, it will be more efficient to squash commits instead of circling back with the author about that. Otherwise, if the MR only has a few commits, we'll be respecting the author's setting by not squashing them.
  • Go to the merge request's Pipelines tab, and select Run pipeline. Then, on the Overview tab, enable Auto-merge. Consider the following information:
    • If the default branch is broken, do not merge the merge request except for very specific cases. For other cases, follow these handbook instructions.
    • If the latest pipeline was created before the merge request was approved, start a new pipeline to ensure that full RSpec suite has been run. You may skip this step only if the merge request does not contain any backend change.
    • If the latest merged results pipeline was created less than 16 hours ago (72 hours for stable branches), you may merge without starting a new pipeline as the merge request is close enough to the target branch.
  • When you set the MR to auto-merge, you should take over subsequent revisions for anything that would be spotted after that.
  • For merge requests that have had Squash and merge set, the squashed commit's default commit message is taken from the merge request title. You're encouraged to select a commit with a more informative commit message before merging.

Thanks to merged results pipelines, authors no longer have to rebase their branch as frequently anymore (only when there are conflicts) because the Merge Results Pipeline already incorporate the latest changes from main. This results in faster review/merge cycles because maintainers don't have to ask for a final rebase: instead, they only have to start a MR pipeline and set auto-merge. This step brings us very close to the actual Merge Trains feature by testing the Merge Results against the latest main at the time of the pipeline creation.

Community contributions

[!warning] Review all changes thoroughly for malicious code before starting a merged results pipeline.

When reviewing merge requests added by wider community contributors:

  • Pay particular attention to new dependencies and dependency updates, such as Ruby gems and Node packages. While changes to files like Gemfile.lock or yarn.lock might appear trivial, they could lead to the fetching of malicious packages.
  • Review links and images, especially in documentation MRs.
  • When in doubt, ask someone from @gitlab-com/gl-security/appsec to review the merge request before manually starting any merge request pipeline.
  • Only set the milestone when the merge request is likely to be included in the current milestone. This is to avoid confusion around when it'll be merged and avoid moving milestone too often when it's not yet ready.

Testing community contributions locally

When reviewing merge requests from forked repositories, you have several methods to test the changes locally:

  • Use the GitLab CLI:

    shell
    glab mr checkout <MR_ID>

    For more information, see the GitLab CLI commands.

  • Use cURL to apply the diff. Use one of the following methods:

    • Fetch and apply the diff directly:

      shell
      curl --silent <MR_URL>.diff | git apply

      Replace <MR_URL> with the full URL to the merge request. For example: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/1234.diff.

    • Create a Git alias to avoid typing the full URL each time:

      shell
      git config --global alias.mr '!f() { curl --silent "https://gitlab.com/gitlab-org/gitlab/-/merge_requests/$1.diff" | git apply; }; f'

      After the alias is created, use it with just the merge request ID. For example:

      shell
      git mr 1234

  • Use GDK switch:

    shell
    gdk switch <MR_ID>

    [!note] This command also runs gdk update, which updates your development environment. The process can take several minutes to complete.

    For more information, see the GDK switch.rb file.

Add the canonical project/fork as a remote

If you frequently need to checkout upstream branches, you can add the canonical project/fork as a remote:

shell
git remote add upstream https://gitlab.com/<canonical group>/<canonical project>.git

Then:

shell
git fetch upstream
git checkout upstream/<remote-branch-name>

Taking over a community merge request

When an MR needs further changes but the author is not responding for a long period of time, or is unable to finish the MR, GitLab can take it over. A GitLab engineer (generally the merge request coach) will:

  1. Add a comment to their MR saying you'll take it over to be able to get it merged.
  2. Add the label ~"coach will finish" to their MR.
  3. Create a new feature branch from the main branch.
  4. Merge their branch into your new feature branch.
  5. Open a new merge request to merge your feature branch into the main branch.
  6. Link the community MR from your MR and label it as ~"Community contribution".
  7. Make any necessary final adjustments and ping the contributor to give them the chance to review your changes, and to make them aware that their content is being merged into the main branch.
  8. Make sure the content complies with all the merge request guidelines.
  9. Follow the regular review process as we do for any merge request.

The right balance

One of the most difficult things during code review is finding the right balance in how deep the reviewer can interfere with the code created by a author.

  • Learning how to find the right balance takes time; that is why we have reviewers that become maintainers after some time spent on reviewing merge requests.
  • Finding bugs is important, but thinking about good design is important as well. Building abstractions and good design is what makes it possible to hide complexity and makes future changes easier.
  • Enforcing and improving code style should be primarily done through automation instead of review comments.
  • Asking the author to change the design sometimes means the complete rewrite of the contributed code. It's usually a good idea to ask another maintainer or reviewer before doing it, but have the courage to do it when you believe it is important.
  • In the interest of Iteration, if your review suggestions are non-blocking changes, or personal preference (not a documented or agreed requirement), consider approving the merge request before passing it back to the author. This allows them to implement your suggestions if they agree, or allows them to pass it onto the maintainer for review straight away. This can help reduce our overall time-to-merge.
  • There is a difference in doing things right and doing things right now. Ideally, we should do the former, but in the real world we need the latter as well. A good example is a security fix which should be released as soon as possible. Asking the author to do the major refactoring in the merge request that is an urgent fix should be avoided.
  • Doing things well today is usually better than doing something perfectly tomorrow. Shipping a kludge today is usually worse than doing something well tomorrow. When you are not able to find the right balance, ask other people about their opinion.

GitLab-specific concerns

GitLab is used in a lot of places. Many users use our Omnibus packages, but some use the Docker images, some are installed from source, and there are other installation methods available. GitLab.com itself is a large Enterprise Edition instance. This has some implications:

  1. Query changes should be tested to ensure that they don't result in worse performance at the scale of GitLab.com:
    1. Generating large quantities of data locally can help.
    2. Asking for query plans from GitLab.com is the most reliable way to validate these.
  2. Database migrations must be:
    1. Reversible.
    2. Performant at the scale of GitLab.com - ask a maintainer to test the migration on the staging environment if you aren't sure.
    3. Categorized correctly:
  3. Sidekiq workers cannot change in a backwards-incompatible way:
    1. Sidekiq queues are not drained before a deploy happens, so there are workers in the queue from the previous version of GitLab.
    2. If you need to change a method signature, try to do so across two releases, and accept both the old and new arguments in the first of those.
    3. Similarly, if you need to remove a worker, stop it from being scheduled in one release, then remove it in the next. This allows existing jobs to execute.
    4. Don't forget, not every instance is upgraded to every intermediate version (some people may go from X.1.0 to X.10.0, or even try bigger upgrades!), so try to be liberal in accepting the old format if it is cheap to do so.
  4. Cached values may persist across releases. If you are changing the type a cached value returns (say, from a string or nil to an array), change the cache key at the same time.
  5. Settings should be added as a last resort. See Adding a new setting to GitLab Rails.
  6. File system access is not possible in a cloud-native architecture. Ensure that we support object storage for any file storage we need to perform. For more information, see the uploads documentation.

Customer critical merge requests

A merge request may benefit from being considered a customer critical priority because there is a significant benefit to the business in doing so.

Properties of customer critical merge requests:

  • A senior director or higher in Development must approve that a merge request qualifies as customer-critical. Alternatively, if two of their direct reports approve, that can also serve as approval.
  • The DRI applies the customer-critical-merge-request label to the merge request.
  • It is required that the reviewers and maintainers involved with a customer critical merge request are engaged as soon as this decision is made.
  • It is required to prioritize work for those involved on a customer critical merge request so that they have the time available necessary to focus on it.
  • It is required to adhere to GitLab values and processes when working on customer critical merge requests, taking particular note of family and friends first/work second, definition of done, iteration, and release when it's ready.
  • Customer critical merge requests are required to not reduce security, introduce data-loss risk, reduce availability, nor break existing functionality per the process for prioritizing technical decisions.
  • On customer critical requests, it is recommended that those involved consider coordinating synchronously (Zoom, Slack) in addition to asynchronously (merge requests comments) if they believe this may reduce the elapsed time to merge even though this may sacrifice efficiency.
  • After a customer critical merge request is merged, a retrospective must be completed with the intention of reducing the frequency of future customer critical merge requests.

Troubleshooting failing pipelines

There are some cases where pipelines fail for reasons unrelated to the code changes that have been made. Some of these cases are listed here with a potential solution.

Always remember that you don't need to have a passing pipeline in order to ask for a review, or help. If your pipeline is not passing and you have no idea why, feel free to reach out to the team, ask for help from MR coaches by leaving a comment on the MR with @gitlab-bot help as text, or reach out to the Community Discord in the contribute channel.

  • Tests failed for reasons that seem unrelated to the changes: check if it also happens on the default branch. If that's the case you're facing a "broken master" and need to wait for the failure to be fixed on the default branch. After that, you can either rebase your branch, or simply run another pipeline if merged results pipelines are enabled.
  • The danger-review job failed: check if your MR has more that 20 commits. If that's the case, rebase and squash them to have less commits, otherwise try to run the danger-review job again, it might just have been a temporary failure.

Examples

How code reviews are conducted can surprise new contributors. Here are some examples of code reviews that should help to orient you as to what to expect.

"Modify DiffNote to reuse it for Designs": It contained everything from nitpicks around newlines to reasoning about what versions for designs are, how we should compare them if there was no previous version of a certain file (parent vs. blank sha vs empty tree).

"Support multi-line suggestions": The MR itself consists of a collaboration between FE and BE, and documenting comments from the author for the reviewer. There's some nitpicks, some questions for information, and towards the end, a security vulnerability.

"Allow multiple repositories per project": ZJ referred to the other projects (workhorse) this might impact, suggested some improvements for consistency. And James' comments helped us with overall code quality (using delegation, &. those types of things), and making the code more robust.

"Support multiple assignees for merge requests": A good example of collaboration on an MR touching multiple parts of the codebase. Nick pointed out interesting edge cases, James Lopez also joined in raising concerns on import/export feature.

Credits

Largely based on the thoughtbot code review guide.