Requirements
- At least one approving review from someone other than the author is required before a PR can be merged into a production branch.
- Reviewers must be qualified — typically a developer or manager familiar with the area of the change.
- Branch protection enforces the review requirement on
master(and any branch matchingrelease/*). - CI must pass — tests, lint, security scans, build.
- No self-merging without an approving review.
What reviewers check
- Correctness — does the change do what’s intended?
- Security — see Secure coding.
- Tests — adequate unit/integration coverage for the change.
- Migrations — backward-compatible; safe rollout plan.
- Logging — no sensitive data; adequate observability.
- Documentation — public APIs and operational changes documented.
- Secrets and environment variables. No secret values in
.env,config.yaml,values.yaml, container images, Helm charts, Terraform state, static KubernetesSecretmanifests, deployment-tool environment blocks, or CI logs. Every new env var that holds a secret must source from Vault at runtime via a workload-bound auth method (Vault AWS / Kubernetes / AppRole / OIDC) — see Secrets Management → Application configuration and environment variables..env.examplemay carry placeholder values only.
Sensitive areas
Changes to authentication, IAM/RBAC, billing, customer-data export, and key-management code paths require a second reviewer from the Security team via CODEOWNERS.Emergency changes
Emergency changes (production hotfix) follow the Change Management emergency-change procedure: deploy first, post-deploy review and authorization within 24 hours.Version history
| Version | Date | Description | Author | Approved by |
|---|---|---|---|---|
| 1.0 | May 8, 2026 | Initial version | Cameron Wolfe | Ishan Jadhwani |