Contributing¶
This guide covers how to contribute to Carbon Connect, including branch conventions, PR workflows, and the TDD gate.
Getting Started¶
- Clone the repository
- Follow the Local Development Setup instructions
- Create a feature branch from
main - Write tests, implement changes, verify locally
- Open a PR following the template
Branch Naming¶
Branches follow a type-based naming convention:
| Prefix | Purpose | Example |
|---|---|---|
feature/ | New functionality | feature/carbon-profile-form |
fix/ | Bug fixes | fix/dashboard-login-issues |
chore/ | Maintenance, config | chore/github-config-improvements |
docs/ | Documentation only | docs/api-reference-update |
refactor/ | Code restructuring | refactor/matching-engine-weights |
test/ | Test additions/fixes | test/grant-pipeline-coverage |
security/ | Security patches | security/fix-dependabot-vulns |
Commit Conventions¶
Commits follow the Conventional Commits specification:
Types¶
| Type | Description |
|---|---|
feat | New feature |
fix | Bug fix |
docs | Documentation changes |
test | Adding or updating tests |
refactor | Code restructuring (no behavior change) |
chore | Build, CI, dependency updates |
security | Security-related changes |
perf | Performance improvements |
Examples¶
feat(matching): add carbon certification scoring component
fix(auth): resolve JWT refresh token race condition
test(pipeline): add IATI client integration tests
chore(deps): update anthropic SDK to 0.40.0
Pull Request Process¶
PR Template¶
Every PR must include these sections:
## Summary
Brief description of what this PR does.
## TDD Proof
- [x] Tests written before production code
- [x] Evidence of failing test run included
- [x] All tests passing locally
- [x] Docs/configs updated
- [x] No secrets introduced
## Test Evidence
<!-- Paste screenshots or terminal output showing:
1. Tests failing BEFORE implementation
2. Tests passing AFTER implementation -->
## Changes
- List of specific changes made
TDD Gate¶
The PR TDD Gate workflow (pr-tdd-gate.yml) automatically checks every PR for:
- Presence of a
## TDD Proofsection in the PR body - All checklist items are checked (
[x]) - Specifically validates:
- "Tests written before production code"
- "Evidence of failing test run included"
- "All tests passing locally"
Merge Blocking
The TDD Gate blocks merge if any required item is unchecked or the section is missing. This cannot be bypassed without admin override.
Quality Gates¶
Before a PR can be merged, these automated checks must pass:
| Check | Description | Required |
|---|---|---|
| Backend CI | pytest (533 tests) with coverage | Yes |
| Frontend CI | ESLint + TypeScript compilation | Yes |
| PR TDD Gate | TDD proof in PR description | Yes |
| Quality Gates | Lint + type check + security scan | Yes |
| Dependency Review | Vulnerability and license check | Yes (for dependency changes) |
Code Review¶
Review Expectations¶
- All PRs require at least one approval
- Reviewers should verify TDD evidence
- Focus on:
- Correctness of business logic
- Error handling completeness
- Test quality and coverage
- Performance implications
- Security considerations
Auto-Labeling¶
PRs are automatically labeled based on:
- File paths --
backend,frontend,infra,docs - Size -- XS (<10 lines), S (<50), M (<200), L (<500), XL (>500)
XL pull requests receive a warning to consider breaking into smaller PRs.
Pre-commit Hooks¶
Install pre-commit hooks after cloning:
Hooks run automatically on every commit:
| Hook | Description |
|---|---|
check-added-large-files | Block files larger than 500 KB |
check-merge-conflict | Detect unresolved conflict markers |
detect-private-key | Prevent committing private keys |
check-yaml | Validate YAML syntax |
detect-secrets | Scan for hardcoded secrets |
Manual Run¶
# Run on all files
poetry run pre-commit run --all-files
# Update secrets baseline (when intentional secrets change)
poetry run detect-secrets scan > .secrets.baseline
Release Process¶
- Create a release branch or tag following semver:
v1.2.3 - The Release workflow generates a changelog from merged PRs
- A GitHub Release is created with categorized changes
- Production deployment is triggered (with manual approval)
Dependency Management¶
Python (Backend)¶
# Add dependency
poetry add <package>
# Add dev dependency
poetry add --group dev <package>
# Update dependencies
poetry update
Node.js (Frontend)¶
Automated Updates¶
Dependabot is configured for:
- Weekly pip dependency updates
- Weekly npm dependency updates
- Automatic PR creation for security patches