Thank you for your interest in contributing to Apache Trusted Releases (ATR)! This guide will help you get started.
For detailed ASF policies, commit message guidelines, and security considerations, see the contribution policies guide.
IMPORTANT: New contributors must introduce themselves on the development mailing list first, to deter spam. Please do not submit a PR until you have introduced yourself, otherwise it will likely be rejected.
Subscribe to the mailing list: Send an email with empty subject and body to dev-subscribe@tooling.apache.org and reply to the automated response.
Fork and clone the repository:
git clone https://github.com/YOUR_USERNAME/tooling-trusted-releases.git cd tooling-trusted-releases git remote add upstream https://github.com/apache/tooling-trusted-releases.git git config pull.rebase true
This configures origin to point to your fork and upstream to point to the Apache repository. Setting pull.rebase true keeps your commit history clean by rebasing rather than creating merge commits.
Important: Never commit directly to your fork's main branch. Always create feature branches for your work. This keeps your main in sync with upstream and avoids conflicts.
Before starting new work, sync your fork with upstream:
git checkout main
git pull upstream main
git push origin main
The git push origin main updates your fork on GitHub. Do this regularly to keep your fork current.
Install dependencies (includes pre-commit, dev tools, and test dependencies):
# Install uv if you don't have it curl -LsSf https://astral.sh/uv/install.sh | sh # Install all dependencies uv sync --frozen --all-groups
Set up pre-commit hooks:
uv run pre-commit --frozen install
Run the server: See DEVELOPMENT.md for detailed instructions.
Create a branch with a descriptive name:
git checkout -b fix-typo-in-docs
Make your changes following our code conventions
Run checks and tests before committing:
make check # Required: lints and type checks sh tests/run-e2e.sh # Required: end-to-end tests sh tests/run-unit.sh # Required: unit tests
All checks and tests must pass locally before submitting. If pip-audit is reporting false positive CVEs, try running uv run --frozen pre-commit clean first.
Commit with a clear message (see commit style below)
Rebase on main before pushing:
git fetch upstream git rebase upstream/main
If you have conflicts, resolve them in each file, then git add the resolved files and run git rebase --continue. If you get stuck, git rebase --abort returns to your previous state.
Push your branch:
git push origin your-branch-name
If you‘ve rebased a branch that was previously pushed, you’ll need to force push:
git push --force-with-lease origin your-branch-name
Open a pull request to the main branch
Participate in review - we may request changes
PRs that fail to demonstrate proper local testing or do not complete the PR template may be closed.
Use clear, concise commit messages:
Format:
Good examples:
Add distribution platform validation to the compose phase Fix a bug with sorting version numbers containing release candidates Update dependencies
Poor examples:
fixed stuff Updated the code. refactoring vote resolution logic
For complex changes, add a body separated by a blank line explaining what and why (not how).
# noqa or # type: ignoreSee the full code conventions for complete guidelines.
# Full pre-commit checks (required before submitting PR) make check # End-to-end tests (required before submitting PR) sh tests/run-e2e.sh # Unit tests (required before submitting PR) sh tests/run-unit.sh # Browser tests (requires Docker) sh tests/run-playwright.sh # Quick pre-commit checks (for rapid iteration) make check-light
Run uv run --frozen pre-commit clean if pip-audit reports false positive CVEs during checks.
When temporarily ignoring a CVE in pip-audit:
Before your first contribution, sign the Apache ICLA. This is a one-time requirement.
If your employer holds rights to your work, a CCLA may also be needed.
All contributions are licensed under Apache License 2.0. Third-party dependencies must be compatible (Category A licenses).
Follow the ASF Code of Conduct.
ATR's primary goal is to prevent supply chain attacks. When contributing:
If you prefer not to use GitHub, you can email patches using standard Git patch formatting.