Skip to content

Commit 23d2fb1

Browse files
committed
docs: add MAINTAINERS guide
Document the conventions maintainers follow, so the practices we have relied on tacitly are written down and discoverable. Covers the "WordPressCS follows, it does not lead" principle for judging feature requests, moderation rules (never delete, hide with reason), PR review and merge expectations, branch handling, Dependabot triage, the release outline, and cross-repo and upstream relationships.
1 parent 4d11dbc commit 23d2fb1

1 file changed

Lines changed: 95 additions & 0 deletions

File tree

MAINTAINERS.md

Lines changed: 95 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,95 @@
1+
# Maintaining the WordPress Coding Standards
2+
3+
This document describes the conventions maintainers of the WordPress Coding Standards (WordPressCS) follow when triaging issues, reviewing pull requests, and releasing new versions. It is aimed at maintainers and at contributors who want to understand how decisions are made.
4+
5+
If you are looking to contribute a patch or a new sniff, start with [CONTRIBUTING](.github/CONTRIBUTING.md) instead.
6+
7+
## Scope and philosophy: WordPressCS follows, it does not lead
8+
9+
This is the single most important principle for judging feature requests, and it is worth understanding in full.
10+
11+
WordPressCS is the *sniff implementation* of the [WordPress PHP coding standards as documented in the developer handbook](https://make.wordpress.org/core/handbook/best-practices/coding-standards/php/). For anything that concerns WordPress Core, WordPressCS does not get to decide what "correct" code looks like; it encodes a decision that has already been made and written down in the handbook.
12+
13+
In practice this means:
14+
15+
- **A change to the handbook must come first.** If someone wants WordPressCS to enforce (or stop enforcing) a particular convention, the convention needs to exist in the handbook before the sniff can change. WordPressCS should not invent or pre-empt standards.
16+
- **Non-trivial changes need community buy-in.** For anything beyond a trivial clarification, that typically means a post on [Make Core](https://make.wordpress.org/core/) to gather consensus. Be realistic about this: it only takes a single Core committer to disagree for a proposed change to be blocked, and that does happen.
17+
- **Review feature requests through this lens.** When triaging a feature request, the first question is rarely "is this a good idea?" but "is this already in the handbook, and if not, where is the discussion that would put it there?"
18+
19+
There is a tension here. The handbook says the standards are meant for the whole WordPress community and not only Core, which in theory makes Core just one consumer among tens of thousands of projects. That argument has never worked in practice. A rule that Core itself does not follow looks odd, so proposals get judged against Core anyway. Core does still keep some exceptions of its own, and not only for bundled third-party packages, but do not count on the "just one consumer" point to unblock a change.
20+
21+
## Code of conduct and moderation
22+
23+
- Follow and uphold the [WordPress Code of Conduct](https://github.com/WordPress/.github/blob/trunk/CODE_OF_CONDUCT.md).
24+
- **Never delete a comment, issue or pull request.** This is a WordPress-organization-wide rule. If a comment needs to be removed from view, hide it with an appropriate reason rather than deleting it, so the record is preserved.
25+
26+
## Reviewing and merging pull requests
27+
28+
### Do not merge your own pull requests
29+
30+
As a rule of thumb, never merge your own PR. There are two exceptions:
31+
32+
1. **Release PRs**, which still need approvals but are merged on a planned date by whoever is running the release.
33+
2. **PRs that change a workflow.** Making the workflow change early would block other PRs, so the change should only be made *after* the PR has the required approvals and *just before* it is merged.
34+
35+
### How many approvals a PR needs
36+
37+
- **Trivial PRs** — for example Dependabot PRs where CI passes and no further changes are needed — need approval from **one** maintainer and can then be merged straight away.
38+
- **All other PRs** need approval from **two** maintainers, with the **second** maintainer doing the merge. The merging maintainer is also responsible for deciding whether the PR needs a squash-merge or not.
39+
- If the first approval has been given and the PR is then **changed significantly** (for instance, in response to the second maintainer's review), it needs a fresh review from either the first reviewer or another maintainer.
40+
- **When in doubt about a PR, do not merge.** Ping another maintainer for an extra pair of eyes.
41+
42+
### Labels, milestones and related tickets
43+
44+
Either of the two approvers must:
45+
46+
- verify that the **labels** and **milestone** are set and correct, and
47+
- check that any **related tickets** will be closed by the PR, and give those tickets the milestone too.
48+
49+
### External PRs
50+
51+
For PRs from external contributors, **always favor the original poster (OP) making the changes** over a maintainer making them. Editing an external contributor's PR yourself should be rare, and only done when the PR is effectively abandoned or the change is genuinely trivial (such as fixing a typo).
52+
53+
### AI-assisted contributions
54+
55+
> [!NOTE]
56+
> This reflects the direction set by open PR [#2735](https://github.com/WordPress/WordPress-Coding-Standards/pull/2735), which is not yet merged. Until it is, [CONTRIBUTING](.github/CONTRIBUTING.md) still carries the older, stricter wording. Reconcile this section once #2735 lands.
57+
58+
Contributors are free to use AI tooling, in line with the [WordPress AI Guidelines](https://make.wordpress.org/ai/handbook/ai-guidelines/). We ask only that they disclose what tooling they used and the extent to which a PR was authored by AI, and that they take responsibility for reviewing what the AI produced. When reviewing, do not reject a PR merely because AI was involved; judge it on its merits like any other, while holding the contributor to that disclosure and to the same quality bar. Direct any debate about the guidelines themselves to the AI team (via the [Make AI post](https://make.wordpress.org/ai/2026/02/01/ai-guidelines-for-wordpress/) or `#core-ai` on Slack), not to individual PR threads.
59+
60+
## Working with branches
61+
62+
- The branching model is documented in [CONTRIBUTING](.github/CONTRIBUTING.md#branches): ongoing development happens in `develop` and is merged to `main` once considered stable; feature branches are prefixed with `feature/`.
63+
- **If you have push access, push PR branches to the main repository, not to your fork.** This lets other maintainers check out your branch locally without adding an extra remote. Work-in-progress branches can, of course, still live on your own fork.
64+
- **For your own PR branches**, set the labels yourself, and set the milestone if it is clear-cut which release the change belongs in. When in doubt, leave the milestone open.
65+
66+
## Dependabot pull requests
67+
68+
Dependabot PRs are treated as trivial (one approval, then merge) when CI passes and no additional changes are needed. However:
69+
70+
- **Always check the changelog for the update.** Read it for two reasons:
71+
1. to see whether there is anything useful we could adopt in our own workflows, and
72+
2. to gauge the risk of the update before merging.
73+
74+
## Releases
75+
76+
The full release procedure is documented in [`.github/release-checklist.md`](.github/release-checklist.md), which is the template used for release PRs from `develop` to `main`. In outline:
77+
78+
- Releases go out as a PR from `develop` to `main`; the PR carries approvals but is merged on the planned release date by whoever is running the release.
79+
- Before release, dependency version ranges are reviewed, upstream releases (PHPCS, PHPCSUtils, PHPCSExtra) are checked for anything worth adopting, list-based sniffs and WP version properties are updated, every merged PR is confirmed to have a milestone, and the changelog is written.
80+
- After merging, tag and create a release against `main` (note that GitHub defaults the target to `develop`), close the milestone and open the next one, then fast-forward `develop` to equal `main`.
81+
- Afterwards, open a Trac ticket for WordPress Core, and publicize the release: a Make WordPress post for major releases, a note in the `#core` channel on the WordPress.org Slack (the `#core-coding-standard` channel receives an automated notification), and the optional marketing follow-ups listed in the checklist.
82+
83+
## Related repositories
84+
85+
Maintainers of the WordPressCS repository should also always be given commit/maintain access to the [`wpcs-docs`](https://github.com/WordPress/wpcs-docs) repository.
86+
87+
## Upstream dependencies
88+
89+
WordPressCS builds on, and coordinates closely with, several upstream projects maintained under the [PHPCSStandards](https://github.com/PHPCSStandards) organization:
90+
91+
- [PHP_CodeSniffer](https://github.com/PHPCSStandards/PHP_CodeSniffer)
92+
- [PHPCSUtils](https://github.com/PHPCSStandards/PHPCSUtils)
93+
- [PHPCSExtra](https://github.com/PHPCSStandards/PHPCSExtra)
94+
95+
Issues with sniffs whose names start with `Generic`, `PEAR`, `PSR1`, `PSR2`, `PSR12`, `Squiz` or `Zend` belong upstream in PHP_CodeSniffer; those starting with `Modernize`, `NormalizedArrays` or `Universal` belong in PHPCSExtra. See [CONTRIBUTING](.github/CONTRIBUTING.md#upstream-issues) for details.

0 commit comments

Comments
 (0)