Flag for manual review design doc

platform/engineering/code_review_guidelines.md

@@ -15,7 +15,7 @@ Information on how VSP uses code owners can be found [here](code-owners.md).
 ## The pull request review lifecycle in brief
 
 1. For initial review by your project team, create a [Draft Pull Request](https://github.blog/2019-02-14-introducing-draft-pull-requests/)
-2. If your PR triggers any [additional automated checks](./manual-review-triggers), a bot will leave a comment and request a manual review from the **frontend-review-group**
+2. If your PR triggers any [additional automated checks](./manual-review-triggers.md), a bot will leave a comment and request a manual review from the **frontend-review-group**
     - the frontend-review-group completes reviews within one business day 
 3. When all review comments have been resolved, the PR can be merged into the master branch for deployment.
 

platform/engineering/design-docs/flag-for-manual-review.md → platform/engineering/flag-for-manual-review.md

@@ -30,6 +30,8 @@ From the perspective of a VFS engineer, the current review process involves:
 The final approval from the review group is often not helpful, and it slows the process down.
 This frustration often leads to VFS teams ignoring this process and they will directly ask for a VSP review before their PR is ready.
 
+These problems have led to an effort to shift some review responsibility away from the frontend-review-group by implementing [code owners changes](./codeowners.md).
+
 ### High Level Design
 
 The plan is to use a CI process to run a script each time a change gets pushed to a PR.
@@ -39,24 +41,40 @@ This script will look for anything that should trigger a manual review by the VS
 
 ### Detailed Design
 
-We will use a script that can be run from a job in CircleCI.
+We will use a nodeJS script that can be run from a job in CircleCI.
+Any Github API calls will be made through the [Octokit](https://octokit.github.io/rest.js) package which uses a RESTful API.
+
 The script will:
 
 - Diff the current PR branch against master
-- Make a pass which will mark any additions with the filename and position in the diff
+  - `octokit.pulls.get(...)` will be used with a [custom media type](https://developer.github.com/v3/pulls/#custom-media-types) format of `diff`
+- Loop through the diff output and mark any additions with the filename and position in the diff
 - Search the processed diff for occurrences of anything that should warrant a manual review
+  - This can be done with a regular expression
 - Remove any items from the list of offense additions that have already been commented on by the review bot
+  - This is a two step process:
+    - Use `octokit.paginate()` to get a list of all comments on a PR and filter out comments that are outdated or weren't made by the bot
+    - Filter out any additions from the processed & filtered diff if there is already a current bot comment on it
 - If there are any offenses which haven't been commented on, leave a comment and request a review from the *frontend-review-group*
+  - Use `octokit.pulls.createReviewRequest()` to request a review from the frontent-review-group
+  - Use `octokit.pulls.createReview()` to leave a bot review with a comment on any addition that matched the pattern which hasn't been commented on
 
-This will rely on the Github API as well as some environment variables provided by Circle CI.
+Various environment variables will be used in order to allow the script to be easily configurable from CircleCI - see [Debugging](#debugging) for more information.
 
 ### Code Location
 
+This code will live in the [vets-website repo](https://github.com/department-of-veterans-affairs/vets-website) in the following directories:
+
 - `script/pr-check.js`
+  - The script responsible for performing the automated checks & leaving comments
 - `.circleci/config.yml`
+  - Responsible for adding jobs and assigning appropriate environment variables
 
 ### Testing Plan
-I will run the script locally in addition to having Circle run it.
+
+There are no automated tests planned for the initial release - all testing will be manual.
+Once this process is released and teams provide feedback we will iterate and add unit tests.
+The script will be written in a way that should make it easier to test.
 
 ### Logging
 The script will log to the console:
@@ -67,7 +85,7 @@ The script will log to the console:
 
 ### Debugging
 
-If a user sets up the proper environment variables locally, the script can be run in a local environment and the logging output can be viewed.  Otherwise we will rely on viewing CircleCI logs.
+If a user sets up the [proper environment variables](./manual-review-triggers.md#required-environment-variables) locally, the script can be run in a local environment and the logging output can be viewed.  Otherwise we will rely on viewing CircleCI logs.
 
 ### Caveats
 
@@ -76,7 +94,11 @@ No other context is included.
 
 ### Security Concerns
 
-We should make sure that the Github bot auth token is kept secure and it should not be associated with an individual's account.  The sole communicators in the system are CircleCI and Github.  This isn't really a security concern, but more of a reliability one: if one of those services goes down we do not have a fallback plan.
+We should make sure that the Github bot auth token is kept secure and it should not be associated with an individual's account.
+The current strategy for storing this token is as an [environment variable in CircleCI](https://ui.circleci.com/settings/project/github/department-of-veterans-affairs/vets-website/environment-variables) called `GITHUB_TOKEN`.
+If it has to be reset for any reason it should be either updated directly in CircleCI or transmitted securely using keybase or 1Password to someone who has permission to update the environment variable.
+
+The sole communicators in the system are CircleCI and Github.  This isn't really a security concern, but more of a reliability one: if one of those services goes down we do not have a fallback plan.
 
 ### Privacy Concerns
 
@@ -86,7 +108,17 @@ None.  This will be static code analysis of a public repo.  No user data will be
 
 With this planned implementation we don't have a way of forcing a VFS team to wait for a manual review - all we do is _ask_ them to wait.  It's possible that some teams won't respect this request and will merge a PR that has code that requries a manual review.
 
-It is difficult to estimate the liklihood of this risk.  These changes will be communicated to the teams, and if they disregard the process then we will be forced to implement stricter rules.  Here are some possible actions we could take, either by themselves or in combination:
+It is difficult to estimate the liklihood of this risk.  In order to discover when VFS teams are ignoring the manual review requests, we can perform [a Github Search](https://github.com/department-of-veterans-affairs/vets-website/pulls?q=is%3Apr+commenter%3Ava-vfs-bot+is%3Amerged+) with some special parameters:
+
+> `is:pr commenter:va-vfs-bot is:merged`
+
+This will show us any merged PRs that the `va-vfs-bot` has commented on, and from there we can look at each PR to see if a review was left by the frontend-review-group before it was merged.
+To help with the search we can also add a date parameter if we only want to look at PRs merged after a certain date:
+
+> `merged:>=YYYY-MM-DD`
+
+If we discover that teams are disregarding the manual review requests then we will implement stricter rules.
+Here are some possible actions we could take, either by themselves or in combination:
 
 - Have the bot leave a review that "requests changes" rather than a simple comment.
 - If the script leaves a comment for manual review, have the process exit with a failing status and make it block the build.

platform/engineering/manual-review-triggers.md

@@ -14,17 +14,43 @@ Any of the following items if found in a PR diff will prompt a manual review
 
 ### Sentry calls
 
-We want to ensure that anything logged to Sentry will be useful (don't log an entire request response if all we care
-about is an error code) and will not contain PII.
+We review logs to Sentry to ensure that any new logs will be useful and will not contain PII.
+
+Examples:
+- Don't log an entire request response if all that's important is an error code
+- Don't log user-identifying information such as names, emails, or user IDs
 
 ### Disabling ESLint
 
 We have various ESLint rules in place to help improve code quality.
-There are situations where it makes sense to disable certain rules, but those will have 
-to be evaluated on a case-by-case basis.
+Disabling eslint rules will be evaluated on a case-by-case basis.
 
 ### Adding icons
 
-We use fontawesome as a dependency which encourages icons to be added with the `<i>` tag.
-Sometimes an icon is used purely as decoration, but other times it is used to convey meaning to the user.
-We want to ensure that if an icon is being used semantically, those semantics are also conveyed to a screen reader.
+We use Font Awesome as a dependency, which uses the `<i>` tag for adding icons. Sometimes an icon is used purely as decoration, but other times it is used to convey meaning to the user.
+
+We review to ensure that whenever an icon is being used semantically, those semantics are also conveyed to a screen reader.
+
+
+## Required Environment variables
+
+The script relies on some environment variables.
+
+### Provided by Circle by default
+-  `CIRCLE_PROJECT_REPONAME`
+-  `CIRCLE_PROJECT_USERNAME`
+-  `CIRCLE_PULL_REQUEST` (link to the PR -used to get PR number)
+
+### Configured in the Circle UI
+- `BOT_NAME`
+  - This isn't sensitive, but it made sense to pair it with the auth token
+- `GITHUB_TOKEN`
+  - An Oauth token used to make calls to the Github API
+
+### YAML config
+- `CODE_PATTERN`
+  - Regex pattern which will trigger a review comment if found
+- `LINE_COMMENT`
+  - Review comment for an individual line comment
+- `OVERALL_REVIEW_COMMENT`
+  - Review comment for the whole review