Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Software Development Practices for ROOST Projects

Good software development lifecycle (SDLC) is an endless journey, but it’s hard to make progress if you don’t know where you’re going. This document is intended to be a checklist for ROOST projects to work through as they mature.

Document status: Working draft. Suggested categories, checks, and priority below.

Quality vision

ItemDescription/NotesPriority
Intention statementSets the ethos for what kind of software we’re building and for who.P0

Versioning

ItemDescription/NotesPriority
VersioningROOST projects are using semantic versioningP1
BranchingTo start, ROOST projects should use main as the branch for development, and use the GitHub Release feature (via semver-tagged commits) to denote releases. This will need to be revisited as projects mature and have to handle backporting patches, but the ethos is “minimum viable complexity.”P0

Release cadence

ItemDescription/NotesPriority
Initial Process* Identify big features on 12 month timeline. These are substantial changes (think blog headline).
* Estimate delivery time in quarters of big features and group features with similar timelines together. Bundle breaking changes when possible.
* Add minor features/changes to timeline. Bundle together for as consistent cadence as possible.
* Patch versions can be cut at any time as needed for bug fixes.		P0

Project conventions

ItemDescription/NotesPriority
README.mdAll projects/repos must have a README file in markdown format. At minimum, the README must have a description of what the project does, information for how to start using it (can link to longer getting started documentation), and links to the CONTRIBUTING.md and Code of Conduct.P0
AGENTS.mdAdd a markdown file to guide AI coding assistants following the open AGENTS.md formatP1
API formatProjects should follow the [TBD] API description formatP1
CHANGELOG.mdProjects must have a CHANGELOG.md file, following the Keep A Changelog formatP0
Contributor guidanceAll projects must have a CONTRIBUTING.md file at minimum. By default this is inherited from ROOST’s .github, but can be updated at the per-project level. Additional documentation for first time contributors describing project conventions and code quality expectations is recommended.P0
CODE_OF_CONDUCT.mdAll projects must have a CODE_OF_CONDUCT.md with the ROOST Code of Conduct. This is automatically inherited from ROOST’s .github and should not be changed.P0

Testing practices

ItemDescription/NotesPriority
Tests for all commits1) Unit tests
2) Lint checks
3) Integration tests
4) Build checks		P0
Release testsEnd-to-end testing for Major and Minor releasesP0
CI checksDetermine the relevant CI checks for the project and enforce that all CI checks passP0

Dependency handling

ItemDescription/NotesPriority
Version alertsAutomated alerts and process for updating dependenciesP0
Vulnerability alertsAutomated alerts and process for updating dependenciesP0
License scanningEnsuring compatible licenses for dependencies added via CIP1
Vendoring policyDo we ever vendor deps?P2

Security in CI/CD

ItemDescription/NotesPriority
FuzzingDetermine what surfaces or characteristics of surfaces should be fuzzed and at what cadence (including planning for triage and remediation at that cadence)P2
Code analysisCodeQL, secret and token scanning, etcP1
Binary artifact detectionFlagging checked in binariesP2
Commit-time vuln detectionFlags for packages with known CVEsP2

Release security

ItemDescription/NotesPriority
Signed releasesP3
Security report intakeSee .github/security.mdP0
Incident response processSee OpenSSF processP1

PR triage and code review

ItemDescription/NotesPriority
Issue labelingHow can this be automated or less burdensome?P2
PR labelingHow can this be automated or less burdensome, and identify priority?P2
Code review guidanceProject documentation should include a section on how to help with code review, and highlight any particular areas code reviewers should pay attention toP1

Support

ItemDescription/NotesPriority
Breaking changes policyFollowing semver, breaking changes go in Major versions. This policy is about when it’s appropriate to introduce a breaking change and how it should be communicated to users (timeline, expectations, support)P1
Long term support (LTS) policyHow many versions back does the community support?P3 – address later

Deprecation

ItemDescription/NotesPriority
Deprecation processP3 – address when needed