diff --git a/docs/community/maintainer/pr-review.md b/docs/community/maintainer/pr-review.md new file mode 100644 index 0000000000..1539f9f703 --- /dev/null +++ b/docs/community/maintainer/pr-review.md @@ -0,0 +1,24 @@ +# Pull Request Review Policy + +This document outlines the review policy for pull requests in the Trivy project. + +## Core Principles + +### 1. All Changes Through Pull Requests +All changes to the `main` branch must be made through pull requests. +Direct commits to `main` are not allowed. + +### 2. Required Approvals +Every pull request requires approval from at least one CODEOWNER before merging. + +For changes that span multiple domains (e.g., both vulnerability and misconfiguration scanning), approval from at least one code owner from each affected domain is required. + +When a pull request is created by the only code owner of a domain, approval from any other maintainer is required. + +When a code owner wants additional input from other owners or maintainers, they should comment requesting feedback and wait for others to approve before providing their own approval. +This prevents accidental merging by the PR author. + +### 3. Merge Responsibility +- **General Rule**: The pull request author should click the merge button after receiving required approvals +- **Exception**: For urgent fixes (hotfixes), a CODEOWNER may merge the PR directly +- **External Contributors**: Pull requests from external contributors should be merged by a CODEOWNER \ No newline at end of file diff --git a/mkdocs.yml b/mkdocs.yml index f0e5df436b..7c82dc6b67 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -224,6 +224,7 @@ nav: - Overview: community/contribute/checks/overview.md - Add Service Support: community/contribute/checks/service-support.md - Maintainer: + - PR Review: community/maintainer/pr-review.md - Release Flow: community/maintainer/release-flow.md - Backporting: community/maintainer/backporting.md - Help Wanted: community/maintainer/help-wanted.md
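Review bot: in the new `docs/community/maintainer/pr-review.md`, the hotfix exception under "3. Merge Responsibility" ("a CODEOWNER may merge the PR directly") can be read as waiving the approval requirement from "2. Required Approvals"; please state explicitly that the required approvals still apply and that the exception only changes who clicks merge. Two further points on the same file: the rules "Direct commits to `main` are not allowed" and "approval from at least one CODEOWNER" are written as policy only, so it would help to say whether they are enforced on the repository (a branch protection rule requiring a pull request and code-owner review) or are convention that maintainers must follow manually, since the "wait for others to approve before providing their own approval" guidance depends on merge not being automated once an approval lands; and the file is missing a trailing newline (`\ No newline at end of file`), which should be added before merging.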