We review code on VIP Go to meet the security and performance objectives of our clients. We review security because pushing a site live with insecure code presents a liability to you and your whole user base. We review performance because going live and finding out that your code can’t handle the traffic levels that your site expects wastes most of your launch effort. We also review for development best practices to make sure that your site will continue to live on without significant maintenance costs or major issues when WordPress is upgraded.
VIP may perform a scheduled initial code review of the entire codebase. Once this initial review is complete, we’ll switch to a review workflow for incremental development.
Before the initial code review
Before code is submitted:
- Remove unused or unnecessary code that does not need to be reviewed from the
- Make sure all code has been run through PHP Code Sniffer using the VIP Coding Standards, and that as many blockers as possible have been addressed.
- Submit the PHPCS output.
- Be ready to enter a code freeze during the code review process.
This will ensure the speediest review possible, and avoid reviewing known issues or non-production code.
During the initial code review
We offer both automated scans and manual reviews to our customers. This process is the same for both your initial codebase review and ongoing PR reviews.
For all customers on VIP Go, when you open a PR in GitHub, the VIP Code Analysis bot will automatically scan your entire codebase against VIP Coding Standards. Please refer to this guide to PHPCS review feedback. We strongly recommend looking at this document before submitting your code to expedite your review process.
If you have questions about how to address specific errors or warnings, you can open a ticket with our team.
Manual code review
Clients with Application Support may also request specific developer feedback on your codebase (including themes and custom plugins) by adding the “[VIP] Review Request” label to your PR in master. Before adding the label, ensure that you’ve addressed as many errors and warnings from the automated scan as possible. Please note that pull requests without the label will not be reviewed.
You can find the labels in the GitHub UI on the right sidebar of your pull request.
Where possible, we recommend keeping PRs small by breaking them down into atomic commits. If the changeset is larger than 1000 lines of code, it will need to be scheduled for a review. The duration of manual code review can vary depending on the complexity of the code, and your Technical Account Manager will help you determine an appropriate timeline for your project.
After the initial code review
After the initial code review, you can continue to follow the same workflow for automated scans on new PRs, or manual code review for new PRs opened in the master branch of GitHub.