Manual code review
Customers with Application Support or Premier Support can request manual code reviews and feedback from the WordPress VIP team for pull requests.
The goal of a manual code review is to provide feedback that addresses:
- Security, which includes the security of a site’s access, data, and its users.
- Performance, which includes how well a site can handle normal and peak traffic and how quickly a site’s content renders.
Manual code review can also provide feedback on development best practices such as maintainability, defensive coding practices, clarity, and much more.
Where possible, it is recommended to create small pull requests by breaking them down into atomic commits. If a changeset is larger than 1,000 lines of code, it will need to be scheduled for a review.
The duration of manual code review can vary depending on the complexity of the code. Customers with a Technical Account Manager (TAM) can request assistance with determining an appropriate timeline for a project.
The value of manual code review
The value of manual code reviews to customers should be considered. By definition, requesting a code review from WordPress VIP at the point of being ready to deploy the code is the most expensive time to get input from WordPress VIP.
VIP’s automated checks can help catch security, performance, and platform incompatibility issues, so any remaining issues that WordPress VIP may find in a manual code review will typically require more substantial architectural changes.
Customers benefit most from WordPress VIP’s input when it is requested earlier in the development cycle when the business cost of change is significantly lower. Code review requests for trivial changes or when the customer would be unwilling or unable to accommodate the suggestions have little value; they add an artificial workflow block to customers being able to deploy their code efficiently.
Limitations
Manual code reviews are only available for:
- Customers with Application or Premier Support packages.
- A pull request that contains custom application code. Pull requests for third-party plugin code will receive automated scans and feedback by the VIP Code Analysis Bot. Customers can also scan third-party plugin code locally with PHPCS.
- A pull request that contains code that is complete and ready to merge. Draft pull requests cannot be reviewed.
- A pull request that targets an application’s production branch and has a [VIP] Review Request label applied to it.
- Manual code review focuses on performance and security considerations in PHP, custom JavaScript, and SVG files. Reviewers will ignore HTML, CSS, SASS, many popular third-party JavaScript libraries, or built JavaScript files.
Request a manual code review
All pull requests made to a wpcomvip GitHub repository for a WordPress application will receive code feedback from automated scans by the VIP Code Analysis Bot.
Address as many errors and warnings reported by the VIP Code Analysis Bot scan as possible before requesting a manual code review from WordPress VIP.
It is possible that after an automated scan a pull request will automatically be added to the manual code review queue. The VIP Code Analysis Bot will leave a comment on the pull request to indicate if this has occurred.
When a manual code review is an option for a pull request, the Bot will explain in a comment how to add a label to request a review. If this message appears and a review is needed, add the label [VIP] Review Request to the pull request.
The labels field can be found in the GitHub UI on the right sidebar of a pull request.

Pull requests against a review branch, that are not drafts, with the label [VIP] Review Request, will surface as a new review request in WordPress VIP’s internal review queue. The VIP Team will review the pull request directly on GitHub, and suggest any changes by leaving comments.
After the WordPress VIP team has reviewed a pull request, the customer’s team should review the feedback and make any necessary changes. If further feedback is needed, “dismiss” the review. This process continues until there are no outstanding issues, at which point the WordPress VIP team will “approve” the request.
Expedite the manual code review process
The following recommendations for creating pull requests can help expedite the manual code review process:
- Best practices for reducing review times for a pull request.
- How to reduce a large pull request to avoid scheduling reviews.
Requesting urgent manual code reviews
Some customer application repositories are configured to block merging of pull requests without a review from WordPress VIP. Users with Admin access to the GitHub repository have the ability to bypass this requirement and merge the pull request. For urgent changes, this is often the fastest way to deploy the pull request.
Customers with Application Support or Premier Support packages can request VIP to urgently review changes after they have been merged by creating a VIP Support request. In the request, provide a link to the specific pull request along with other details that can help VIP to provide meaningful feedback.
If a GitHub Admin is unable to merge a pull request, an expedited review from VIP can be requested by creating a VIP Support ticket set to an “Urgent” priority. If the exact change has already been approved by VIP in a different repository, the review process can be greatly expedited if a link to the previously approved pull request is included in the request. As with non-urgent code reviews, if the changeset is larger than 1000 lines of reviewable code, it must be scheduled for review.
Last updated: September 06, 2023