Thank you for your interest in contributing! This project uses modern development workflows with automated quality gates and releases.
```bash
# Clone and setup (one command!)
git clone https://github.com/heysamtexas/django-allauth-require2fa.git
cd django-allauth-require2fa
make dev-setup

# Verify setup
make test
```

This project uses automated releases based on commit messages. Your commit messages determine if and how new versions are published to PyPI.
Use this format: `<type>[optional scope]: <description>`
Examples:

```
feat: add user authentication bypass option
fix: resolve URL resolution vulnerability
docs: update installation instructions
chore: update dependencies
```

Your commit type determines the release:
| Type | Version Bump | Example |
|---|---|---|
| `feat:` | Minor (1.0.0 → 1.1.0) | New features |
| `fix:`, `perf:`, `refactor:` | Patch (1.0.0 → 1.0.1) | Bug fixes, improvements |
| `docs:`, `chore:`, `ci:` | No release | Documentation, maintenance |
- feat: New feature
- fix: Bug fix
- docs: Documentation changes
- style: Code style (formatting, etc.)
- refactor: Code refactoring
- perf: Performance improvements
- test: Adding/updating tests
- build: Build system changes
- ci: CI/CD changes
- chore: Maintenance tasks
- revert: Revert previous commit
```bash
# Create feature branch (any name is fine)
git checkout -b feature/my-improvement

# Work freely - commit messages can be anything on branches
git commit -m "WIP: trying stuff"
git commit -m "broken but saving work"
git commit -m "fix: resolve the actual issue"
```

```bash
# Full workflow (recommended)
make all        # Install + quality + test

# Individual commands
make test       # Run Django test suite
make quality    # All quality checks
make format     # Auto-format code
make lint       # Check code style
make security   # Security scan
make mypy       # Type checking
```

```bash
# When ready, create PR with conventional title
# PR title determines versioning (not individual commits)
```

PR Title Examples:

```
feat: add runtime configuration for 2FA policies
fix: resolve path traversal vulnerability in URL matching
docs: add comprehensive release documentation
```
This is a security-critical middleware. Extra care required for:
- Security review required for all middleware modifications
- Comprehensive testing - maintain the 15-test security suite
- Vulnerability analysis - consider attack vectors
- Backward compatibility - security fixes shouldn't break existing setups
```bash
# All tests must pass
make test

# Security tests are comprehensive
python -m django test require2fa.tests.SecurityRegressionTest
python -m django test require2fa.tests.ConfigurationSecurityTest
```

- PR Merged to Master → Triggers automation
- Commit Analysis → Determines if release needed
- Quality Gates → Runs all tests and security checks
- Version Bump → Based on conventional commit type
- GitHub Release → Automatic with changelog
- PyPI Publishing → OIDC trusted publishing
- Documentation Update → Release notes with installation
- You don't manually create releases - automation handles everything
- PR titles matter - they determine version bumps
- Quality gates prevent bad releases - broken code never reaches PyPI
- Time to PyPI: ~5 minutes from merge to published package
```bash
# Preview what release would happen
uv run semantic-release version --print --no-commit --no-tag --no-push --no-vcs-release

# Manual trigger (if needed)
gh workflow run semantic-release.yml
```

- Ruff formatting - Auto-formatted code (150x faster than black)
- Ruff linting - Style and best practice checks
- Bandit security - Security vulnerability scanning
- MyPy typing - Static type checking
- Pre-commit hooks - Automatic quality enforcement
- 15 security tests - Comprehensive security coverage
- URL resolution tests - Edge cases and malformed inputs
- Configuration tests - Dangerous Django settings protection
- Regression tests - Known vulnerability prevention
- Vulnerability scanning - Every release scanned
- OIDC publishing - No long-lived API keys to leak or rotate
- Audit logging - Security events logged
- Path traversal protection - Proper URL resolution
```bash
# Use the Makefile - it's optimized
make all        # Instead of manual commands

# Run security tests frequently
make test

# Format before committing
make format
```

- Be descriptive: `feat: add LDAP integration` vs `feat: add feature`
- Use lowercase: `fix: resolve bug` not `Fix: Resolve Bug`
- No period: `docs: update readme` not `docs: update readme.`
- Present tense: `add` not `added` or `adds`
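To make the title rules and the version-bump table concrete, here is an added Python checker that parses a PR title in the `<type>[optional scope]: <description>` shape, reports style violations, and maps the type to the bump the release automation would apply. It is illustration written for this guide, not the project's code or its semantic-release configuration; the present-tense check is a constructed heuristic.

```python
from __future__ import annotations

import re

# Commit types listed in this contributing guide.
COMMIT_TYPES = {
    "feat", "fix", "docs", "style", "refactor", "perf",
    "test", "build", "ci", "chore", "revert",
}
# Version bump per type, as in the table above; any other type means no release.
BUMP_FOR_TYPE = {"feat": "minor", "fix": "patch", "perf": "patch", "refactor": "patch"}

# <type>[optional scope]: <description>; the type must already be lowercase.
TITLE_RE = re.compile(r"^(?P<type>[a-z]+)(?:\((?P<scope>[^()]+)\))?: (?P<desc>\S.*)$")


def release_type(title: str) -> str | None:
    """Bump a PR with this title would trigger: 'minor', 'patch' or None (no release)."""
    m = TITLE_RE.match(title)
    return BUMP_FOR_TYPE.get(m.group("type")) if m else None


def lint_title(title: str) -> list[str]:
    """Check a PR title against the guide's style rules; an empty list means it passes."""
    m = TITLE_RE.match(title)
    if not m:
        return ["title must look like '<type>[optional scope]: <description>' with a lowercase type"]
    problems: list[str] = []
    ctype, desc = m.group("type"), m.group("desc")
    if ctype not in COMMIT_TYPES:
        problems.append(f"unknown commit type {ctype!r}")
    if desc[0].isupper():
        problems.append("description should start lowercase")
    if desc.rstrip().endswith("."):
        problems.append("description must not end with a period")
    # Present-tense heuristic (constructed, not a grammar check): 'added' and
    # 'adds' are flagged, 'add' passes; words ending in 'ss' are left alone.
    verb = desc.split()[0].lower()
    if verb.endswith("ed") or (verb.endswith("s") and not verb.endswith("ss")):
        problems.append(f"use present tense ('add', not {verb!r})")
    return problems
```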
- One feature per PR - easier to review and release
- Conventional title - determines versioning
- Clear description - explain the why, not just the what
- Security considerations - mention any security implications
- Middleware: `require2fa.middleware.Require2FAMiddleware`
- Models: `require2fa.models.TwoFactorConfig` (Django-Solo singleton)
- Admin: Runtime configuration interface
- Tests: 15 comprehensive security tests
- URL Resolution: Uses Django's `resolve()`, not string matching
- Static File Detection: Automatic STATIC_URL/MEDIA_URL exemption
- Configuration Validation: Prevents dangerous Django settings
- Release Documentation: docs/releases.md
- Development Guide: docs/development.md
- Architecture Details: CLAUDE.md
- Conventional Commits: conventionalcommits.org
- Semantic Versioning: semver.org
- Issues: GitHub Issues
- Discussions: GitHub Discussions
- Security: Email security issues privately
Remember: Your PR title determines the version bump! Use conventional commit format in PR titles even if individual commits on your branch are messy.