Hello new contributor! Thank you for contributing your time and expertise to the Package Analysis project. We're delighted to have you on board.
This document describes the contribution guidelines for the project.
If you have any contribution-related questions, please get in touch! Here are some ways to reach current contributors:
- Open a new issue (strongly preferred)
- Via the OpenSSF Securing Critical Projects Working Group mailing list or Slack channel
Note: for minor changes (typos, documentation improvements), feel free to open a pull request directly.
Note: Before you start contributing, you must read and abide by our Code of Conduct.
- Create a GitHub account
- Set up your development environment
You must install these tools:
For running/testing locally, the following additional tools are required:
- docker: The external container
- podman: The internal container
- docker-compose for end-to-end testing
Then clone the repository, e.g.:
$ git clone git@github.com:ossf/package-analysis.git
$ cd package-analysis
Prefer smaller PRs to make reviewing easier. Larger changes can be split into smaller PRs by branching off previous (unmerged) branches rather than main.
Some things that are OK:
- not handling the error when deferring close() on an HTTP response body
Follow official Go comment style: https://tip.golang.org/doc/comment. In particular, all exported (capitalised) types and functions should have a comment explaining what they do. The comment should start with the type/function name.
- stdlib imports grouped first, then 3rd party packages, then local imports
- each group separated by a blank line and ordered alphabetically
- Remove redundant import aliases: yes
- Sorting type: gofmt
- Move all imports into a single declaration: yes
- Group stdlib imports: yes
- Move all stdlib imports in a single group: yes
- Group: yes, current project packages