Skip to main content

Contributing Guide

Welcome! We are glad that you want to contribute to the ORAS project! 💖

As you get started, you are in the best position to give us feedback on areas of our project that we need help with, including:

  • Problems found during setting up a new developer environment
  • Gaps in our Quickstart Guide or documentation
  • Bugs in our automation scripts

If anything doesn't make sense, or doesn't work when you run it, please open a bug report and let us know!

Ways to Contribute

We welcome many types of contributions including:

  • New features
  • New end-to-end tests
  • Bug fixes
  • Documentation
  • Issue triage
  • Answering questions on our Slack channel
  • Web design

Not everything happens through a GitHub pull request. Please join our meetings or contact us and let's discuss how we can work together.

Join our Meetings

Absolutely everyone is welcome to come to any of our meetings. You never need an invitation to join us. In fact, we want you to join us, even if you don’t have anything you feel like you want to contribute. Just being there is enough!

Join the bi-weekly ORAS community meeting at 4:00 PM PST on Zoom with ID 807 932 8631. See the meeting notes for agenda and past meeting notes.

You don’t have to turn on your video. The first time you come, introducing yourself is more than enough. Over time, we hope that you feel comfortable voicing your opinions, giving feedback on others’ ideas, and even sharing your own ideas, and experiences.

Contact Us

Other than pull requests and GitHub issues, the best way to contact us is to join us at the CNCF Slack under the #oras channel. You can find the steps in the community resources.

Find an Issue

Each ORAS subproject has a label good-first-issue for issues that are appropriate for new contributors. Each ORAS subproject has a label help-wanted for issues suitable for someone who is ready to move onto after their first pull request. For example, for the ORAS CLI project:

Sometimes there won’t be any issues with these labels. That’s ok! There is likely still something for you to work on. If you want to contribute, but you don’t know where to start or can't find a suitable issue, you can ask in the ORAS Slack channel.

Once you see an issue that you'd like to work on, please post a comment saying that you want to work on it. Something like "I want to work on this" is fine.

Pull Request Lifecycle

Please remember that most contributors and maintainers of the project have responsibilities outside this project and will review your pull request as time allows. In general:

  • If you have a pull request for a security vulnerability, please contact the maintainers directly before making your pull request public.
  • Feature enhancement pull requests will likely take a week or more to get reviewed.
  • Pull requests will be reviewed by at least two maintainers before being merged.
  • If you are submitting a pull request that is a work in progress, mark it as a draft.
  • If you have a pull request that is an urgent fix or effects the project widely, bring it up in the Slack channel.
  • More details on the review process.

Development Environment Setup

The ORAS project contains several subprojects which use different build, test and deployment methods. It is best to consult the project specific README.md for development environment setup instructions. The first step for contribution for any subproject would be to fork the repository on GitHub and then clone it locally. For example:

MY_GITHUB_NAME="my-name"
git clone git@github.com:${MY_GITHUB_NAME}/oras.git
cd oras
cat README.md

For documentation

The recommendation is to follow semantic line breaks.

Sign Your Commits

All contributors to the project retain copyright to their work. However, to ensure that they are only submitting work that they have rights to, we require everyone to acknowledge this by signing their work. Any copyright notices in this repo should specify the authors as "The ORAS Authors".

Licensing is important to open source projects. It provides some assurances that the software will continue to be available based under the terms that the author(s) desired. We require that contributors sign off on commits submitted to our project's repositories. The Developer Certificate of Origin (DCO) is a way to certify that you wrote and have the right to contribute the code you are submitting to the project.

You sign-off by adding the following to your commit messages. Your sign-off must match the git user and email associated with the commit.

    This is my commit message

    Signed-off-by: Your Name <your.name@example.com>

Git has a -s command line option to do this automatically:

git commit -s -m 'This is my commit message'

If you forgot to do this and have not yet pushed your changes to the remote repository, you can amend your commit with the sign-off by running

git commit --amend -s

Pull Request Checklist

When you submit your pull request, make sure the title follows the conventional commits specification. There is a formal review process followed by contributors and maintainers.

When you submit your pull request, or you push new commits to it, our automated systems will run some checks on your new code. We require that your pull request passes these checks, but we also have more criteria than just that before we can accept and merge it. We recommend that you check the following things locally before you submit your code:

  • Does the affected code have corresponding tests, e.g. unit test, E2E test?
  • Does this change require a documentation update?
  • Does this introduce breaking changes that would require an announcement or bumping the major version?
  • Do all new files have an appropriate license header?

We are a Cloud Native Computing Foundation Sandbox Project.

Docusaurus themed imageDocusaurus themed image