Guidebook: Developing with VIP

Code review

VIP’s priority is to ensure that your site is there when you need it, which means we care about its performance and security. Code review is a key component of ensuring your site is secure and performant. We offer both automated checks and manual reviews to clients.

VIP’s code review focuses on the performance and security considerations in PHP, custom JavaScript, and SVG files. We do not review HTML, CSS, SASS, many popular third-party JavaScript libraries, or built JavaScript files.

We’ll schedule an initial code review of the entire code base. You will continue receiving this feedback automatically on all pull requests to your GitHub repository.

We offer two levels of manual code review:

  • Full: A developer will read every line of your code, including themes and custom plugins.
  • Enhanced: Your theme and custom plugins are reviewed line-by-line. Third-party plugins will go through an automated scan (see below).

Automated checks: Even if you don’t receive manual review, your entire code base will be automatically scanned with VIP’s PHP CodeSniffer (PHPCS) standard with an initial report sent to your developers. VIP will answer any questions about specific errors or warnings if the client wishes to refactor the code.

Initial review

For clients on the Full or Enhanced levels of review, please allow for 10-15 business days in your project timeline to complete the first and subsequent review cycles. Please note that the exact timeframe can vary depending on various factors; ask your TAM for more details. Before you submit your code for review, ensure it’s been thoroughly tested and scanned using PHPCS with the WordPress-VIP-Go ruleset, and that as many errors and warnings as possible have been addressed.


Ongoing review

After the initial review, clients on the Full and Enhanced review levels will have a GitHub pull request workflow enabled. This protects the master branch from merges without our review. The pull request queue is intended to streamline deployments. Therefore, PRs consisting of more than 1000 lines of reviewable code (PHP, JS, and SVG) will need to be scheduled, and will follow the same process and timelines as the initial review.

For clients without manual review, we recommend following a similar workflow to enable the VIP code analysis bot to provide automated feedback.

We take code review seriously and understand that there may be many questions along the way. If you need assistance, please open a ticket and we’d be happy to provide guidance.
