Skip to end of metadata
Go to start of metadata

Task Force objective

The project best practices task force intends to gather existing project guidelines and best practices in one central place, and identify gaps that may be addressed in parallel or future task forces.

Task Force expected output

The expected output is a centrally located concise reference document to make project maintainers and contributors aware of the universe of project related guidelines and best practices, along with links to the various resources available to them for further learning and adoption.  Follow-on targeted task forces may be proposed.

NOTE: This wiki page is intended for initial brainstorming and collaboration. Eventually the task force output will be published at

Proposed project best practices (with links to existing content, related task forces, etc)

Maintainers guidelines includes guidance and examples around:

  • defining active and emeritus maintainers

  • Maintainer responsibilities

  • Becoming a maintainer

  • Removing a maintainer, see also inactivity policy

  • TODO - Clarify maintainer roles and responsibilities, e.g. prioritize pull request reviews (Stephen)

Common Repository Structure includes guidance around required and recommended repository files such as:

  • Required







    • CI files
  • Recommended
    • NOTICE

    • License headers on all source files

    • Build files

    • Test files

Inclusive naming includes guidance around:

  • Switching 'master' to 'main' branch

  • Inclusive naming conventions

  • Inclusive language statement

  • Optionally use GitHub Action DCI-Lint

Project Incubation Exit Criteria includes high level guidance applicable to any Incubation or Graduated project:

  • Legal - Apache 2 license

  • Community support - Active and diverse contributors, plus see Community section below

  • Test coverage - Automated unit and integration test suites

  • Documentation - plus see Documentation section below

  • Infrastructure - plus see Common Repository Structure and Community sections

  • Security - plus see Security section below

  • OpenSSF Best Practices Badge -

  • NOTE - As the TOC comes to consensus on more best practices, we could add those to Project Incubation Exit Criteria.

Project Governance


Security - see also 2022 security task force

  • Provide named security contacts per project (at least two contacts)

  • Define security issue reporting process in with reference to Hyperledger reporting process

  • Review, respond, and act on reported security vulnerabilities
  • Follow security issue disclosure process - see Disclosure task force

  • Leverage automated scans, tooling depends on language but usually includes some combination of:

    • linters

    • Software Composition Analysis dependency scans, e.g. Dependabot, Govulncheck 

    • Static Application Security Testing (SAST) aka static analysis scans, e.g. CodeQL, Snyk

  • Pin dependencies and keep dependencies up to date,  e.g. using Dependabot, although be wary of auto-upgrades and look for malware.

  • Engage with Hyperledger staff on possibility of security audits for Graduated project major releases, address audit results and socialize

  • Review OpenSSF secure developer guide and OpenSSF overview presentation to TOC (charts, replay)

  • Review and obtain OpenSSF Best Practices Badge - criteria

  • Sign release artifacts (TBD) - see proposed Security Artifact Signing task force

Documentation - see also Documentation task force and Onboarding task force

  • User guide including Getting Started / Tutorial

  • Project developer guide including coding guidelines, build instructions, test instructions

  • Application developer guide

  • Recommended documentation platform?

Project management

  • Maintain a written project roadmap
  • Create, clarify, and label issues in Github for contributors
  • Review, triage, comment on, and close Github issues


  • Follow an established Release taxonomy - either SemVer or CalVer

  • Document release strategy, release process, branch strategy (one branch per major.minor release works well so that it can be maintained in isolation with major.minor.patch releases)

  • Document Long-term support (LTS) release strategy - example

  • Use Github actions to automate release process, e.g. publish artifacts and release notes upon drafting a GitHub release
  • Release artifacts - attached to GitHub release, docker images in GitHub Packages versus Dockerhub?

Continuous Integration (CI)

  • GitHub Actions is the recommended CI platform

  • Pull request checks

    • DCO

    • Unit tests

    • Integration tests

    • Scans - see Security section, more comprehensive scans can be run nightly instead
  • Test coverage reporting - run on-demand or nightly

  • Keep CI clean and green at all times, address failures and flakes
  • See proposed Automated Pipelines task force

GitHub suggestions

  • Define repository settings in .github/settings.yml so that they can be managed and tracked via pull requests

  • Use recommended repository settings as a starting point, e.g. Repository options, Branch protection rules (TBD by TOC and Hyperledger staff)

  • Rebase merging is preferred over Merge commits and Squash merging to keep commit history clean (assuming contributors squash/amend their own pull requests) - opinion or best practice?

  • Although there are often multiple paths to achieve an outcome in git and GitHub, there is value in defining a suggested path, both for the benefit of new GitHub users, and for the sake of project consistency.

  • No labels


  1. very thorough list already David Enyeart

    Under Community, besides public meetings, we can list other channels and resources the foundation provides, and encourage projects to utilize:

    • workshops
    • Hyperledger meetup groups
    • I'm sure there are more venues to help engage with the community

    1. Thanks, added above!

  2. Very comprehensive, David Enyeart !

    On the question of where to publish Docker images, I'd suggest a default recommendation (if not a mandate) to publish them to GitHub packages as that would probably reduce maintenance overhead for users tapped into the GitHub ecosystem. Project maintainers can additionally publish to Dockerhub if they wish (and their client/user pipelines require it).

    I'm not sure what the full scope of this task force is. "Project best practices" could easily encompass everything, including onboarding and documentation, which have their separate task forces. I'm guessing it's the following two things: (1) repository maintenance, and (2) engagement with the community of developers and users. Should development and triage modes also be within the scope of the recommenations? Like how "agile" the development should be, whether there should be scrum (or at least triage) calls, etc.? Or perhaps these should be project-specific (just thinking out loud): how a mature project like, say, Fabric operates may not be appropriate to a newly incubated project.

    Commercial software development teams typically maintain different versions of their projects: minimally two (dev/test and production) and often three (intermediate stage for scalability, security, etc. testing). Should we consider making recommendations for this?

    1. Concerning scope, it is indeed meant to be all encompassing. That being said, it is meant to be a very high level view only, with references to other content and other task forces where applicable.

      Some high level operational guidance to projects makes sense, we've added a bullet to consider spawning a task force for that.

      Concerning docker image repository, makes sense to encourage GitHub Packages, although some projects with existing dockerhub images will have to consider how to evolve while minimizing impact to existing users.

      Concerning different versions, this is typically done using release branches (e.g. Fabric has a main branch, release-2.5 branch, etc). We'll discuss in more depth when we get to the Releases section...let me know if I've misunderstood the question though.

      1. Regarding versions, I agree. The Fabric method of release branches works as a good practice, and I think most mature repos (at least the ones that have active dependencies) follow it, so we should specify that in the guidelines.

  3. Perhaps common "contributing" content can be aggregated so that each project doesn't have to re-invent and re-document.

    I like this. In the documentation task force document template, I copied the Sawtooth one, but there may be good stuff in the other contributing documents that should be included. There are also pages there on reporting a bug, requesting a change, and asking a question.

  4. For the security topic, we might also want to include a link to the presentation that Arnaud did on OpenSSF and the recording to that meeting.

  5. For the documentation section, I have created a documentation template that might be useful. Planning on running this through the documentation task force. Also, the Hyperledger Staff is recommending Material for MkDocs published to GitHub pages as the recommended platform.

    1. Cool, I'll await doc task force outputs and link to that.

  6. David Enyeart – Apologies that I had to drop from the recent TOC call right when the topic of meetups and workshops for the Best Practices TF was being discussed.  I've added some more details about meetups and workshops and information about how maintainers can reach out about setting them up.  I also added a couple other thoughts for maintainers to consider related to finding more contributors and users.

  7. This is great to see the information getting added here – this is a very thorough guide to support projects and labs.  We had briefly started on something like this a couple of years ago but didn't get very far.  There may be some material there worth reusing though, so feel free to copy anything that seems relevant from the draft Maintainer's Guide.