CODE REVIEW
WORDCAMP ST. LOUIS 2016
RYAN MARKEL
HELLO, WORLD!
ABOUT ME
▸ I’m a (really) long-time WordPress user.
▸ I work at Automattic.
▸ On the WordPress.com VIP team.
▸ I can (kind of) code.
▸ With some help.
▸ On a good day.
OK; SO WHY DO YOU CARE SO
MUCH ABOUT CODE REVIEW?
AND WHY SHOULD I?
All of you, just now
CODE REVIEW IS A
WAY OF LIFE
WHAT IS
WORDPRESS.COM VIP?
DIGRESSION:
WORDPRESS.COM
▸ Largest single WordPress installation in the world
▸ Serving:
▸ 21.5 billion page views per month
▸ 55.8 million new posts per month
▸ Many millions of sites/blogs
WORDPRESS.COM VIP
▸ Enterprise-level WordPress hosting
▸ On the WordPress.com infrastructure
▸ 2.5 billion page views per month
▸ 99.9976% uptime
▸ 349ms average response time
WORDPRESS.COM VIP
▸ Sites run on WordPress.com sites, just like yours and mine
▸ Clients have a custom svn repository for their theme
▸ They commit changes to their theme directly to their
directory on WordPress.com
▸ A problem with a WordPress.com VIP site can affect:
▸ Other VIP sites
▸ More of the WordPress.com network
WE REVIEW ALL CODE
BEFORE DEPLOYING IT
WHY CODE REVIEW?
1.
WHY CODE REVIEW?
▸ Safe code
▸ Finding XSS, unescaped and unsanitized code
▸ Scalable code
▸ Smart queries, cached functions, DRY code
▸ Readable code
▸ Coding standards (whitespace, formatting, etc.)
▸ Learning!
WE DON’T […] REVIEW TO
ADD MORE TIME TO OR DELAY
YOUR LAUNCH SCHEDULES.
WordPress.com VIP
WE DO […] CODE REVIEWS
TO HELP YOU LAUNCH
SUCCESSFULLY.
WordPress.com VIP
WHAT DO YOU LOOK FOR
WHEN YOU REVIEW CODE?
2.
WHAT DO YOU LOOK FOR WHEN YOU REVIEW CODE?
▸ Validation, sanitizing, and escaping
▸ XSS in JavaScript
▸ Uncached WordPress functions
▸ Smart fetching of remote data
▸ Terrifying queries that set databases on fire
▸ Best practices and WordPress coding standards
▸ Typos
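Added example (not from the talk or from WordPress.com VIP): a theme function as it might arrive for review and as it might look afterwards, covering the validation/sanitizing/escaping and remote-data items above. The mytheme_* function names, the transient key and api.example.com are hypothetical.

```php
<?php
// Added illustration (not from the talk). mytheme_* names, the transient key
// and api.example.com are hypothetical.

// BEFORE review: what a reviewer would flag.
function mytheme_headlines_before() {
	$section = $_GET['section']; // raw request data, never validated
	// Remote fetch on every page view: no timeout, no cache, no error handling.
	$body = file_get_contents( 'https://api.example.com/headlines?s=' . $section );
	echo '<h2>Headlines for ' . $section . '</h2>'; // reflected XSS
	foreach ( json_decode( $body ) as $item ) {
		echo '<a href="' . $item->url . '">' . $item->title . '</a>'; // unescaped remote data
	}
}

// AFTER review: sanitize and validate input, cache the fetch, escape on output.
function mytheme_headlines_after() {
	$section = isset( $_GET['section'] ) ? sanitize_key( wp_unslash( $_GET['section'] ) ) : '';
	if ( ! in_array( $section, array( 'news', 'sports', 'business' ), true ) ) {
		$section = 'news'; // validate against a known list, fall back to a default
	}

	$cache_key = 'mytheme_headlines_' . $section;
	$items     = get_transient( $cache_key );
	if ( false === $items ) {
		$items    = array();
		$ttl      = MINUTE_IN_SECONDS; // short TTL so a failing API is not hit on every view
		$url      = add_query_arg( 's', $section, 'https://api.example.com/headlines' );
		$response = wp_remote_get( $url, array( 'timeout' => 3 ) );
		if ( ! is_wp_error( $response ) && 200 === wp_remote_retrieve_response_code( $response ) ) {
			$decoded = json_decode( wp_remote_retrieve_body( $response ), true );
			if ( is_array( $decoded ) ) {
				$items = $decoded;
				$ttl   = 5 * MINUTE_IN_SECONDS;
			}
		}
		set_transient( $cache_key, $items, $ttl );
	}

	echo '<h2>' . esc_html( 'Headlines for ' . $section ) . '</h2>';
	foreach ( $items as $item ) {
		if ( ! is_array( $item ) || ! isset( $item['url'], $item['title'] )
			|| ! is_string( $item['url'] ) || ! is_string( $item['title'] ) ) {
			continue; // skip malformed entries from the remote API
		}
		printf( '<a href="%s">%s</a>', esc_url( $item['url'] ), esc_html( $item['title'] ) );
	}
}
```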
HOW DO YOU DO CODE
REVIEW?
3.
AUTOMATIC CODE
REVIEW
AUTOMATIC CODE REVIEW
▸ PHP CodeSniffer
▸ WordPress Coding Standards rules
▸ VIP Quickstart and/or VIP Scanner
▸ Continuous integration testing
▸ e.g., Travis
▸ WP Enforcer
MANUAL CODE
REVIEW
THE WORDPRESS.COM VIP
CODE REVIEW PROCESS
DIGRESSION:
THE “DEPLOY
QUEUE”
(REDACTED)
WORDPRESS.COM VIP CODE REVIEW PROCESS
▸ Client commits changes to repository
▸ Changeset displayed in a special view that contains:
▸ Commit itself (diff, revision #, repository data, etc.)
▸ Changelog entry for each revision
▸ Reviewer can either:
▸ Open a ticket to discuss the change and leave notes
▸ Deploy or revert as needed
WORDPRESS.COM VIP CODE REVIEW PROCESS
▸ 9.5 million lines of code reviewed to date
▸ Over 144 thousand individual deploys
▸ Average time from commit to deploy (this includes
review!) is around two hours
THAT’S COOL, BUT WHAT
TOOLS CAN I USE TO
ACCOMPLISH THE SAME?
You, just now again
DO YOU USE
GITHUB?
PULL REQUESTS ARE LIKE
BUILT-IN CODE REVIEW
OPPORTUNITIES
CALYPSO
DIGRESSION:
[CODE REVIEWS] HELP TO
KEEP CODE QUALITY
CONSISTENT,
Calypso Project Documentation
THEY SPREAD OWNERSHIP OF
THE CODE,
Calypso Project Documentation
AND THEY HELP EVERY
PERSON WORKING ON
CALYPSO IMPROVE OVER TIME.
Calypso Project Documentation
CALYPSO
▸ Pull requests are peer reviews waiting to happen
▸ Stay positive - comment on the code, not the person
▸ Have a list of things to look for in code review
▸ Checklists are your friends
▸ When you are creating a pull request
▸ When you are reviewing and (hopefully) merging it
YOU NEED
DOCUMENTATION
CODE REVIEW […] GREATLY
INCREASED THE QUALITY OF
OUR CODEBASE…
Andy Peatling, WordPress.com Developer Blog
…AND HELPED EVERYONE
LEVEL UP THEIR JAVASCRIPT
SKILLS.
Andy Peatling, WordPress.com Developer Blog
WAYS TO DO MANUAL
CODE REVIEW
MANUAL CODE REVIEW
▸ GitHub pull requests
▸ No one merges their own PR
▸ Use the comments! They are a great tool!
▸ Line number comments are fantastic
▸ If you don’t use GitHub or a similar tool
▸ Diff reviews (use a good text editor) - WordPress core!
MAKE IT PART OF
YOUR TEAM CULTURE
WHAT IF I’M A SOLO
DEVELOPER? WHAT DO I DO?
A few of you, maybe for the last few minutes
SLEEP ON YOUR
CODE
SELF CODE-REVIEW
▸ Create pull requests or diffs of your own code and queue
them up for review
▸ Don’t merge to master/production/head the same day if
you can help it
▸ Clear your mental context between writing your code and
reviewing your own code
▸ Use automatic code review tools to get you part of the way
there
EVERYONE CAN
DO CODE REVIEW
WHEN NOT TO DO CODE
REVIEW
4.
NEVER
REVIEWED CODE
IS BETTER CODE
THANK YOU
WORDCAMP ST. LOUIS 2016
NO, REALLY; THANK YOU
RYANMARKEL.COM/WCSTL2016
▸ Download of these slides and my
notes
▸ Links to the resources listed and
quoted in this presentation
▸ Contact form so you can reach me
if you have any questions
▸ Lots of blog posts that have
nothing to do with code review,
this talk, or really WordPress at all

Ryan Markel - WordCamp StL 2016 - Code Review
