Engineering Playbook
Why Have A Playbook
- To increase overall efficiency for team members and the whole team in general.
- To reduce the number of mistakes and avoid common pitfalls.
- To strive to be better engineers and learn from other people's shared experiences.
Checklist
This checklist helps to ensure that our projects meet our Engineering Fundamentals.
Source Control
- ✅ The default target branch is locked.
- ✅ Merges are done through PRs.
- ✅ PRs reference related work items.
- ✅ PRs must be approved before they can be merged. A required number of approvals are configured. Code Owners are configured.
- ✅ PRs could be merged only if the pipeline is green.
- ✅ PRs could be merged only if all threads are resolved.
- ✅ The project labels are configured and documented. PRs should be labeled.
- ✅ Delete the source branch on merge by default.
- ✅ Commit history is consistent and commit messages are informative (what, why). Commitlint is configured.
- ✅ The Changelog structure is documented and Changelog updating is a part of PR / Release work.
- ✅ Consistent branch naming conventions are configured.
- ✅ Clear documentation of repository structure.
- ✅ Documented links to all the eternal project resources (e.g. Jira, Notion)
- ✅ The branching strategy is defined and documented.
- ✅ Clear documentation of tech stack.
- ✅ The naming convention is documented.
- ✅ Secrets are not part of the commit history or made public.
- ✅ For public repositories, the default branch should contain the following files: Description, README, Code of conduct, Contributing, License, Security policy, Issue templates, Pull request template
- ✅ The policy over generated code by AI is documented.
- ✅ NPM dependencies have strictly specified versions.
Testing
- ✅ The Testing Trophy is documented.
- ✅ Test Desiderata is documented.
- ✅ TDD approach is well described.
- ✅ The Testing Conventions are documented.
- ✅ The Testing Strategy is documented.
- ✅ MR checklist contains a point about the required tests adding/updating.
- ✅ Impact Analyses is documented.
CI/CD
- ✅ Dependabot is configured.
- ✅ Danger is configured.
- ✅ All the tests are automated.
- ✅ Code coverage reports are configured and automated.
- ✅ Code quality Linters and Prettier are configured and automated.
- ✅ Linters for markdown are configured and automated: markdownlint, github-action-markdown-link-check, write-good
- ✅ All the builds and deploys are configured and automated.
- ✅ Bundle-size analyzers are configured and automated.
- ✅ Copy-Paste analyzer is configured and automated.
- ✅ commitlint is configured and automated.
- ✅ The release strategy is documented and automated.
- ✅ The Changelog generation is generated or checked in the CI.
Security
- ✅ Access is only granted on an as-needed basis
- ✅ Secrets are stored in secured locations and not checked into code
- ✅ Data is encrypted in transit (and if necessary at rest) and passwords are hashed
- ✅ Is the system split into logical segments with a separation of concerns? This helps limit security vulnerabilities.
Quick References
- Secure Coding Practices Quick Reference
- Web Application Security Quick Reference
- Security Mindset/Creating a Security Program Quick Start
Observability
- ✅ Significant business and functional events are tracked and related metrics are collected.
- ✅ Application faults and errors are logged.
- ✅ The health of the system is monitored.
- ✅ The client and server-side observability data can be differentiated.
- ✅ Logging configuration can be modified without code changes (eg: verbose mode).
- ✅ Incoming tracing context is propagated to allow for production issue debugging purposes.
- ✅ GDPR compliance is ensured regarding PII (Personally Identifiable Information).
Agile/Scrum
- ✅ Process Lead (fixed/rotating) runs the daily standup
- ✅ The agile process is clearly defined within the team.
- ✅ The Dev Lead (+ PO/Others) is responsible for backlog management and refinement.
- ✅ Team Agreements are documented.
- ✅ A working agreement is established between team members and customers.
- ✅ The delay in managerial decision-making issue is described to all the team members.
- ✅ Critical chain conception is described and documented.
Retrospectives
- ✅ Retrospectives are conducted each week/at the end of each sprint.
- ✅ The team identifies 1-3 proposed experiments to try each week/sprint to improve the process.
- ✅ Experiments have owners and are added to the project backlog.
- ✅ The team conducts longer retrospectives for Milestones and project completion.
Design Reviews
- ✅ The process for conducting design reviews is included in the Working Agreement.
- ✅ Design reviews for each major component of the solution are carried out and documented, including alternatives.
- ✅ Stories and/or PRs link to the design document.
- ✅ Each user story includes a task for design review by default, which is assigned or removed during sprint planning.
- ✅ Project advisors are invited to design reviews or asked to give feedback on the design decisions captured in the documentation.
- ✅ Discover all the reviews that the customer's processes require and plan for them.
- ✅ Clear non-functional requirements captured.
Code Reviews
- ✅ There is a clear agreement in the team as to the function of code reviews.
- ✅ The team has a code review checklist or established process.
- ✅ A minimum number of reviewers (usually 2) for a PR merge is enforced by policy.
- ✅ Linters/Code Analyzers, tests and successful builds for PR merges are set up.
- ✅ The code review deadlines are described
- ✅ The code review exceptions handling is described
- ✅ The required number of reviewers is described
- ✅ There is a process to enforce a quick review turnaround.
Developer Experience (DevEx)
- ✅ The list of recommended software is provided.
Rush.js and PNPM monorepository
- ✅ The package manager is
pnpm
. - ✅
pnpm
workspaces are enabled. - ✅ All the duplicated configs are moved to separate packages.
- ✅
repository.url
is set in therush.json
. - ✅
ensureConsistentVersions
is set totrue
in therush.json
. - ✅
strictPeerDependencies
is set totrue
in thepnpm-config.json
- ✅ The build cache is enabled and configured.
- ✅ Command and scripts are configured through the
command-line.json
andautoinstallers
(if relevant).