Please note: We take OpenBao's security and our users' trust very seriously. If you believe you have found a security issue in OpenBao, please responsibly disclose by contacting us at [email protected].
First: if you're unsure or afraid of anything, just ask or submit the issue or pull request anyways. You won't be yelled at for giving it your best effort. The worst that can happen is that you'll be politely asked to change something. We appreciate any sort of contributions, and don't want a wall of rules to get in the way of that.
That said, if you want to ensure that a pull request is likely to be merged, talk to us! You can find out our thoughts and ensure that your contribution won't clash or be obviated by OpenBao's normal direction. A great way to do this is via the GitHub Discussions.
This policy prohibits the utilization or copy from any source that is protected by a source-available license agreement including Business Source License 1.1. This specifically includes all source repository members under the Hashicorp GitHub organization. It is the intention of this policy that when developing for feature parity, bug fixes, CVEs, etc. in comparison to Hashicorp Vault that a clean room methodology be used and all deliverables made original.
OpenBao adheres to the Linux Foundation's DCO.
All contributors are required to confirm their legal rights to the source they
contribute. This is done through a "DCO Sign Off". Note that this is different from
commit signing, such as using PGP
or gitsign
.
To add your sign-off, include the --signoff option in your git commit
or git rebase
commands:
# Sign off a commit
git commit --signoff -m"my commit"
# Add a signoff to the last commit you made
git commit --amend --signoff
# Sign off every commit in your branch
git rebase --signoff master
This will add a line similar to the following at the end of your commit:
Signed-off-by: Alex Smith <[email protected]>
Signing off a commit signifies your agreement to the terms outlined at https://developercertificate.org/ for that specific contribution. Any contribution that lacks a sign-off to this agreement will not be accepted by the OpenBao project.
This section will cover what we're looking for in terms of reporting issues.
By addressing all the points we're looking for, it raises the chances we can quickly merge or address your contributions.
-
Make sure you test against the latest released version. It is possible we already fixed the bug you're experiencing. Even better is if you can test against the
development
branch, as the bugs are regularly fixed but new versions are only released every few months. -
Provide steps to reproduce the issue, and if possible include the expected results as well as the actual results. Please provide text, not screen shots!
-
If you are seeing an internal OpenBao error (a status code of 5xx), please be sure to post relevant parts of (or the entire) OpenBao log, as often these errors are logged on the server but not reported to the user.
-
If you experienced a panic, please create a gist of the entire generated crash log for us to look at. Double check no sensitive items were in the log.
-
Respond as promptly as possible to any questions made by the OpenBao team to your issue.
-
The issue is reported.
-
The issue is verified and categorized by an OpenBao collaborator. Categorization is done via tags. For example, bugs are marked as "bugs".
-
Unless it is critical, the issue may be left for a period of time (sometimes many weeks), giving outside contributors -- maybe you!? -- a chance to address the issue.
-
The issue is addressed in a pull request or commit. The issue will be referenced in the commit message so that the code that fixes it is clearly linked.
-
The issue is closed.
-
Issues that are not reproducible and/or not gotten responses for a long time are stale issues. In order to provide faster responses and better engagement with the community, we strive to keep the issue tracker clean and the issue count low. In this regard, our current policy is to close stale issues after 30 days. Closed issues will still be indexed and available for future viewers. If users feel that the issue is still relevant, we encourage reopening them.
When submitting a PR you should reference an existing issue. If no issue already exists, please create one. This can be skipped for trivial PRs like fixing typos.
Creating an issue in advance of working on the PR can help to avoid duplication of effort, e.g. maybe we know of existing related work. Or it may be that we can provide guidance that will help with your approach.
Your pull request should have a description of what it accomplishes, how it does so, and why you chose the approach you did. PRs should include unit tests that validate correctness and the existing tests must pass. Follow-up work to fix tests does not need a fresh issue filed.
Someone will do a first pass review on your PR making sure it follows the guidelines in this document. If it doesn't we'll mark the PR incomplete and ask you to follow up on the missing requirements.
Please include a file within your PR named changelog/#.txt
, where #
is your
pull request ID. There are many examples under changelog, but
the general format is
```release-note:CATEGORY
COMPONENT: summary of change
```
CATEGORY is one of security
, change
, feature
, improvement
, or bug
.
Your PR is almost certain to be one of bug
or improvement
, but don't
worry too much about getting it exactly right, we'll tell you if a change is
needed.
To determine the relevant component, consult CHANGELOG and pick whichever one you see that seems the closest match.
You do not need to include the link at the end of the summary that appears in CHANGELOG.md, those are generated automatically by the changelog-building process.
How you contribute to the UI depends on what you want to contribute. If that is a new feature, please submit an informational issue first. That issue should include a short description of the proposed feature, the use case, the approach you're taking, and the tests that would be written. A mockup is optional but encouraged.
Bug fixes are welcome in PRs but existing tests must pass and updated logic should be handled in new tests. You needn't submit an issue first to fix bugs.
Keep in mind that the UI should be consistent with other areas of OpenBao. The UI should be user-centered, informative, and include edge cases and errors— including accommodations for users who may not have permissions to view or interact with your feature. If you are not comfortable with UI design, an OpenBao designer can take a look at your work— just be aware that this might mean it will add some time to the PR process.
Finally, in your code, try to avoid logic-heavy templates (when possible, calculate values in the .js file instead of .hbs) and Ember anti-patterns. And most of all, if you have any questions, please ask!
If you have never worked with Go before, you will have to complete the following steps listed in the README, under the section Developing OpenBao.