Code Reviews: Giving and Receiving Feedback

Show Notes

Disclaimer: The episode on Creating Pull Requests got lost so Episode 6 ended up being our Build vs Buy episode. 

Upcoming Conferences Of Note
Other Tips for giving a nice PR review
Remember the person on the other end of your review is a human. As devs it’s easy to mix our identity with the code we write and any criticism of that code can be challenging to absorb.
  • Timeliness 
    • Respond quickly if you are a reviewer
    • This can be especially challenging when dealing with major differences in timezone
  • Checklists 
    • Does this code belong somewhere else?
    • Is this code tested?
    • Do I understand this code? 
      • PRs can be a way to do knowledge transfer to other folks on the team
    • Are there any glaring security concerns?
    • Should someone else also review this change?
    • What might go wrong when this is deployed? 
      • Is there observability in place?
      • Is there a large migration that needs special treatment?
  • Other things: 
    • I try to group all of my replies into one big response rather than lots of individual comments, that way the
Tools Mentioned

Full Transcripts
Colin: Welcome to Build and Learn.

My name is Colin.

CJ: And I'm CJ, and today we're
talking about reviewing poll requests.

If you recall, a couple episodes ago we
talked about authoring prs, but today

we're talking about the other side of
the puzzle, which is reviewing them.

Before we get into that, we wanted to
just talk about some upcoming conferences

and I'm, I'm really jealous because there
is this really epic conference that's

coming up that I really wanted to go to.

And Colin is , Colin is headed there.

That is Rails SaaS.

So yeah, like what is Rails
SaaS and when is it happening?

Colin: Yeah, so let me
just pull it up here.

So it's October six and seven.

I think this is gonna be a
little interesting to see

when this episode comes out.

Rails SaaS may have already happened
when this episode comes out.

But we've got a lot of really cool
speakers that are talking about the

intersection of rails and business.

So you've got some folks who are building
SaaS businesses on top of rails, like

literally, like things like GoRails.

Hatch box hammer, or they're
building and releasing gems and things

as, as a, you know, as a business.

And then I imagine that there's
gonna be a little bit of you know,

kind of like the stuff that you
see with that Saastr conference.

There's a lot of just, you
know, the business side of

rails, which I'm excited to.

CJ: Cool.


So SaaS, if you're not familiar,
is software as a service.

This is typically like a
subscription based thing.

We all know these and love them.


own one and like loathe them if you have
a bunch of subscription payments that

are hitting your wallet every month.

But yeah, so I, yeah, SaaS in
general is something obviously

that I'm like pretty excited about.

And yeah, I've been working on some
content for Stripe teaching people how

to collect recurring payments and how to.

Build a SaaS basically with Rails.

And that's why I'm like super bummed.

I'm gonna get, I'm gonna miss this,
but we'll be on a family vacation that

we planned a super long time ago, even
before the conference was announced.

So yeah, but I'll be missing all,
all my all my homies that are gonna

be in, it's in, is it in Hollywood
or it's just in LA somewhere.

Colin: It's in Hollywood and
it's it's organized by Andrew

Culver from Bullet Train.

So they have like a, they kind of bill
it as the Ruby on Rails SaaS template.

CJ: Hmm.

Colin: so they give you kind of an
out of the box framework for building

SaaS companies on top of Rails.

So very cool to see like a thematic
conference like this instead of just

focused on, you know, the language
and the tooling and the processes.

It's gonna be talking about like,
how do you use this to be super

productive in building a business?


Cause building and building something
that people want and are willing

to pull out their credit card.

And, you know I guess Stripe would
be very relevant here because of how

many subscriptions and, and things
are built on top of Stripe and Rails.

CJ: Yeah, and I think, yeah, in
Andrew's bullet train part of the I

think it's like the pro version or
something you can install like a.

A few Stripe tools that will
set up routes for you and a

few other a few other things.

I haven't actually bought the paid version
of Bullet Train to test it out, but it's

my understanding that you get a lot of
features outta the box with that sort of

like plug into the bullet train starter.


Colin: Cool.

And what other conferences are
coming up that you are able to make?

CJ: Yeah, so I I submitted to
speak at Ruby Comp this year.

I put in two talks.

I have not heard back yet.

We'll see by, definitely by the time
this episode airs you, I will know

whether or not those were accepted . But
yeah, Ruby Comp is in end of November.

It's in Houston, Texas.

Excited about that.

Excited to see all my Ruby friends.

Are you going to Ruby Conf this?

Colin: I was not planning on it.

I have not really looked
at November yet, but.

CJ: Okay.


And then another one that's happening
in November is Chirp, which is

the Twitter Developer Conference.

I think this is the first time
they're having it in many, many years.

So this is gonna be in San Francisco.

It's a one day conference.

So yeah, that

should be, it should be pretty fun.

Colin: That one.

I'm definitely gonna make it down for.

I, they claimed it was the first chirp
in 10 years, but I did see that there was

like a conference in 2015 that they held.

This one.

I'm really excited to kind of see how
and what they've learned from, because

Twitter has a history of kind of letting
down developers in the past, and so I

think they've realized like they've got a
repair their relationship with developers

and we'll see how that goes with Chirp and
I'm hoping for a lot of new API features.

We are using the Twitter API more
and more at Orbit, and there's some

stuff that's like very lacking in the
API that are obvious things, so I'm

excited to see that they're reinvesting
in in that relationship and the api.

CJ: Yeah, so they shipped
in API V two recently.

And as part of that, they
have like a whole new OAuth 2.


So yeah, I've been playing around with
the new APIs quite a bit and yeah,

there's a few things that I would
love to see, like way better webhook

support or webhook support at all.

There's like no way to get the
email address of the person.

There's like, yeah, a bunch of like
little things where I'm like, Oh


Like, Huh,

Colin: that we should, we

CJ: I know.


We could dig,

we could dig into.

Colin: API audit.

CJ: Yeah I, I've been using it a lot
lately too, just for like fun little side

project things and yeah, I think they've
definitely turned a corner in terms

of listening to the developer audience
and building, starting to build towards

like what the, what the audience needs.

So yeah, excited to

go check it out and see

how things go.

Colin: to do it.

A little audit of, of various APIs.

Especially like for us, we, we
added a feature that we're working

on an orbit, a little preview here
of like being able to send dms.

CJ: Ooh, Nice.

Colin: us permission to
everything in order to send a dm.

CJ: I bet.


Colin: was like, Why is this not just one?

Like scope.

CJ: Yeah.

Colin: have to have, I could do anything
I want on your Twitter account, which,

you know, we don't, we only send dms
and there's only code to send the dms.

So it's not like we can accidentally
do anything on your account.

But it's, it is that scary oauth
screen of like, you're allowing Orbit

to have access to all this stuff.

And so

CJ: Yeah, I think, yeah, I, I would
love to do episodes about that, just

like look at an API and do like a
breakdown of the DX and so yeah,

that would be, that would be fun.

I think.

Yeah, there's probably a bunch of APIs
too that we're both using just for fun.

Like for fun and profit, right?

Like on the side , like YouTube api,
Twitter api Orbit API or  Stripe api.

So yeah, it'd be, it'd be
cool to go through All that.

Colin: So I guess in building those
APIs, you're gonna have a whole lot

of PRs in your team, and hopefully
there's small reviewable prs like we

talked about on build and,
if you wanna check out that episode.

But today we're gonna dive into
that other side of the fence

where you've submitted your pr.

And you're waiting for someone to
review it, that person's gonna pop

into GitHub or GitLab or Bitbucket.

And now you have this little bit
of science, a little bit of art,

of reviewing someone else's code
and giving constructive feedback.

Making sure that you kind of match
the, the rest of the style of

the code base, things like that,
especially for newer developers.

So yeah, we can kind of dig in.


A link to a pretty thorough tip
like list of tips from thought Bot,

but that we can kind of review.

But I think it'd be great to kind of hear
like what you first look for when you,

you know, once you get that notification
that it's time to review something.

CJ: Yeah.

So first and foremost, something that I
think is important is responding quickly.

Like trying to like actually.

Look at, if someone opens a pr,
try to unblock them and respond to

their pr because the longer that
you wait, the longer that it's gonna

take them to like ship their thing.

So yeah, jumping in quick and giving
them some feedback or at least telling

them like, Hey, I'm really swamped.

This is gonna take me 24 hours
or something to get back to you.

Yeah, so that's kind of just
like a, a preface, preface thing.

But another thing that I tend
to look for is any instructions

in the description of the pr.

Like, do they have pointers
for what they're looking for?

Do they have requests for
reviewing specific files?

And, you know, oftentimes the description
will say something like, Oh, a lot

of this was auto generated, but can
you please look at file X to you?

You know, make sure that there's a
really good thorough review of security

on, on this like section of whatever.

So yeah, looking at the description and
yeah, being timely in your reply, I guess

is like the first thing I would say.

Colin: Do you guys have like a how to test
section of prs, like in your template?

CJ: We do.


So we, it's actually not how to
test, it's how it was tested.

So we ask people Yeah.

Like to, you know, outline exactly
how you tested it, and that could be,

I wrote a bunch of automated tests,
or if it's a change to like a docs

page, it could be like, here are
the screenshots of the changes that

I made, and also here's a link to.

The staging server, where
the docs are or whatever.


Colin: Cause along the lines of
not blocking them, like some of our

PRs require, like as a tester, like
we know that the other person who

wrote it has already gone through
those steps, like you mentioned.

But I do like to like then
run them on my machine, Right.

Or run them on testing, like a
staging or integration server.

But for some of those, you know,
hopefully they're small reviewable

prs, but some of 'em you have to like
do a little bit of world building or.

A script that creates all of
the, the scenario that, that

you need to test this thing in.

And sometimes there's like a bug or
something that's hard to replicate.

And so relying on tests is
sometimes all you can do.

But you know, for us, we do like
to, especially with integrations, we

want to test them on another machine
so that it's like, hey, like some

environment variable didn't make
it into the encrypted credentials.

Something like just about their machine
or their setup is just not quite the same.

With integrations, we end up using
things like ngrok and relying on web

hooks and stuff like that a lot too.

So like making sure that it's like,
Hey, yeah, I caught a web hook

but it didn't hit the right path
on my machine for some reason.

Or just like some sort of
environmental kind of ruling

out environmental differences.

which for some companies, if
you're running in like Docker or

something, those may not even be.

We run pretty bare rails
on, you know, Mac, so,

CJ: Got it.


I was gonna ask, so our, our development
environment is actually like external

boxes that live inside of aws.

And then also once we push
a pr it will spin up staging

environments just with that PR so
that you can link to it from the.

From the PR itself.

And the nice thing about that is
that the environment inside of

AWS when you're building and when
you're in staging and when you're in

production is all the same, right?

Like, it's gonna be on the same boxes,
the same tools, the same like everything.

So that is like, I don't know, it's,
it's, I would say it's a nice experience.

But it's also like super challenging.

. There's a lot of like DevOps overhead
stuff to get that set up on a team.


Colin: review apps on Heroku for that.

So we get a little bit of that out
of the box without having to have a

whole DevOps team build that for us.

So we do that when it's necessary.

Some changes, like again, docs changes.

We don't need to spin up
a review app for that,

CJ: Mm.

Colin: like read me updates
and stuff like that.

Those are fine.

We can review them for
accuracy and stuff like that.

But yeah, I think that's a, that's
a pretty good process to get.

CJ: So going, going back to timeliness,
I assume that your team is so globally

distributed, that sometimes your
reviewer will be, you know, 12 hours

difference in terms of time zones.

Is that the case or are you mostly
kind of like working with people

that are closer to your time zone?

Colin: Yeah, this is something
that's kind of interesting for us.

We do tend to have, like when I, my old
team, I was the only person in the US and.

It would be this thing where like by the
end of my day I try to review any open

prs for Europe so that they're waking up
to a reviewed pr, that then they can, you

know, either make changes or merge and
then on their end, you know, I, on my end

I'm trying to get mine, my code done so
that when they also wake up, they have a

PR for me that they can take a look at.

And sometimes there might be this back and
forth conversation around, Maybe it's a

draft PR with questions because it might
be a newer area of the code base for me.

And so I do have to kind
of think about that.

It really forces me that
time box might work too.

It's like if I don't get to the thing
I'm hoping to today, then I'm not

gonna have the PR open and ready for
review by the beginning of their day,

which means now we're gonna have a
whole nother 24 hour cycle of that.

CJ: right?

I is there Is there like a, an
hour or two where you have overlap

and you can kind of like talk live


Colin: Yeah.

We've got.

In my morning.

I have someone in, in Israel
that I, we actually have a lot

of overlap during the day because
she works really late at night.

And so she kind of has a
different setup of her day.

And so we do get that and like, we just
restructured our team, so we do have more

people in different, like I have more
US folks on my team now, so you know,

that's gonna change a little bit as well.

So, you know, once we do that,
It's nice to have those comments.

I've noticed that, especially because
it's a little bit async, someone might

open a pr and then I guess this is on
the more of the creating the PR side

of it, but they'll preempt the review
by going into the, like the filed diff

CJ: Mm-hmm.

Colin: add their own comments.

So like calling out like, Hey, could you
specifically look at this thing that I

either had a struggle with or like, I
think this is the best way to do this.

You know, can you just
like do a gut check?

. You know, if there's any sort of things
that need to be specifically tested

from a security or like web hook and
like ingest type of thing, then they

might call that out Especially with
integrations, it's like you have to

do this world building again of, of
having the development integration.

So like, you know, maybe it's
developer Twitter account.

Connected to the developer
app versus the staging app.

Versus the production app.

So there's just a lot
of variables at play.

CJ: Mm-hmm.

. So when you're, when you're looking at
security stuff, In the back of your mind,

do you have or Yeah, I guess like in the
back of your mind, do you have certain

things that you look for when it comes to
security or just like generally thinking?

Colin: so if it's general web application
security things, you know, we trust that

the team, you know, can look at those
things and if, if it's not an area of

expertise, we can tag in somebody else.

If it's like something related to
like SOC2 or something like that,

then it might be someone who's.

Specifically like security engineered type
of person that would look at that stuff.

You know, and that's not just at orbit.

That would be like at past companies
where you have the luxury of having

somebody   who can specifically do that.

And then you also hopefully have some
of these like scanners and things too

that are running on your, on your.

PR and CI that are looking for
common vulnerabilities and things

like that in the code base as
well, like strong prams and things

like that come to mind for rails.

You know, CORS, stuff like
that, that that'll pop up.

CJ: Yeah, cross site scripting,
vulnerable, like I'm trying to

remember the name of it, but yeah,
there's a bunch of tools where you

can just say like, point this at
my app and like try to run all the

vulnerability scanning things on it.



Colin: like one of one of them
was called like Hound, I think.

CJ: Hound interesting.

Yeah, I think like looking, the one big
one that comes to mind is SQL injection

attacks, which really, if people are not
parameterizing or like not sanitizing user

input before they're passing them down
to sql, then you kind of get in trouble.

But yeah, I feel like the rail strong
params pattern has, you know, if

you kind of like stick to the, the
normal patterns, you're usually okay.

But I have seen a couple times where
maybe it's like a search endpoint and

you're writing a custom where clause
that has a bunch of likes and whatever.

If you're not passing like the right
parameterization, then it's easier to get

User input and pass that right down to SQL

Yeah, so, Okay.

Super cool.

What else we got here, I guess?

Colin: What about the
content of the code itself?

So like, let's say now it's
time to jump into the code.

What sorts of things, you know, when
we've talked about this in past episodes,

but like programming is so opinionated,
so how do you approach this when you

know someone spent a lot of their time.

On the code.

And I think as much as we like to
try to disconnect our ourselves from

it, it's something that we've spent a
lot of time on and, you know, by the

time it comes time to ask for review,
hopefully it's quote unquote done.

So how do you kind of approach those
things that might be trade offs or things

that you might, that might stick out to.

CJ: I think going into every PR was an
open mind and trying to come at it from

a, like a perspective where you're.

About what the original author
intended can be helpful.

And then also after you really
understand what they were going for

then maybe start to ask questions.

Like ask leading questions instead
of like criticizing, Right?

So kind of like, Oh, I see that
you were doing it this way.

That's really interesting.

Did you think about this approach?

Or You know was there a reason why you
know, you're taking this in, taking this

as an argument instead of instantiating
it inside of the class or whatever.

Like there's an opportunity
to talk about design patterns.

There's also opportunity to talk
about, like learning the code base

itself as a, as a result of the pr.

So, yeah, I guess maybe to answer your
question, I think coming at it from a

perspective of like, what can I learn
from this code that I'm about to.

Colin: Definitely.


The, the asking questions is interesting
to me cuz I, I do think it's better

than like, making demands or like
saying like, change this to this cuz

you don't necessarily, like you said,
you don't know where, why they had to

make some of the choices that they made.

The asking questions thing I find is
the art piece because it's sometimes

when I'm writing a question on a pr I'm
trying not to be pa like patronizing.

It's like how do we get
to the topic of this?

Like sometimes there's a more direct
way of saying things, but you do wanna

avoid like judgment or assumptions.

And when I've reviewed like a
lot of prs in a row, it starts

to feel a little bit weird.

And this might just be in my head, but
like, it's like rather than me just

like calling it out, it's like, why
don't, what do you think about this?

Or have you tried this?

And things like that.

Because I'm.

In some ways you wanna, you're not trying
to lead them to the right answer, I guess.

It's like, it's not the goal.

The goal is just like to figure out,
like, did they consider something else?

Was there an issue with like, you
know, is there a reason why this

doesn't match the, the code that's
over here that does the same thing or.

Those kinds of things.

And I would say like, if that's the
case, like always ask for clarification.

Like you could just ask a question.

You don't have to be like, I
need to get this review done.

Maybe it's like, Yeah, I'm gonna
need some more info to, to do this.

But how do you feel about that?

Like in terms of like when you've written
something, are questions helpful or do

they, do they feel like that sometimes to.

CJ: So I think they are helpful
in terms of like the ego part of

receiving a code review, right?

If someone is like, Oh, this is wrong.

You should change this, it.

Definitely chips away at like your
identity that is tied inextricably from

the code that you just published on
GitHub and asked for a kind and gentle

review and someone jumps in there
with a bunch of hyperbole and never do

this, and why didn't you just do that?

And you know, this is
overcomplicated or whatever.

Like those kinds of, those kinds of
comments can really like beat you down.

I will say that I have worked.

Several people who do their prs like
that, and they're, they're like insanely

direct, very hyperbolic and like really,
really explicit and d and I don't

know, very blunt about their feedback.

And it was extremely painful, but,
I think I, I also like got better at

like, building up a shield of like,
Okay, I'm publishing this, it's fine.

Like I've gotta get , like
torn up or whatever.

But like I know that at the end of
the day, like I, my hope is that that

criticism is coming in and that I can
receive it and become a better developer.

So like, I always had to like try to
take that perspective as the author

and because I know that was so painful.

and also it required a lot of
like building up this thick skin.

I always tried to like approach PRS that
I am reviewing with that, that own like my

own personal experience  and try to like
be really empathetic and really humble

and really like, Okay well let's be.

Let's use this as a teaching
moment instead of like a, just

make sure the code is fine.

Like you have an opportunity to make
other developers on your team know and

understand the things that you know,
and you can do that through the PR

instead of just kind of like, and you
can do it in like a tactful way instead

of just being kind of like, Yeah.


Colin: that you had to go through that
to then find the compassion, right?

Like you would've probably had that
compassion for your reviews anyway,

but like that experience of having
to build that shield, like did that

also cause you to second guess?

Like that it's ready to be puff.

Submitted or like, I imagine like you're
gonna check triple check everything when

you are like, Oh my God, I don't know
what negative feedback I'm gonna get.


to me like, that sounds
like an awful reviewer.

Even if it's coming from a good
place, like, you know, maybe they

just were rushed and they shouldn't
have reviewed it like right before

they left the office or something.

But that's, that's a rough experience,
especially for newer developers who

may not know that it's like, this
isn't about not to take it person.

But it is gonna be personal.

Like there's no way to

CJ: Yeah.


The, a couple things came out of it.

One is when I would publish a
pr, I would read all of the code

myself and review it myself.

For myself,  like, like I would say,
yeah, before you push the button that

says, you know, submit pr, whatever.

You can see the diff go
through that diff and Polish.

Take your last like chance to polish it
up and anything that I started to build

up this sense of like, okay, I think.

This is the area of code that I'm going
to receive the most criticism about.

And so then like I would go
back and maybe make a little,

like clean it up a little bit.

And when I didn't do that, I always
got comments on those parts where I was

like, Okay, like I think maybe this area
might, you know, need some improvement.

Colin: Like negative reinforcement though.

CJ: yes, , it was, it absolutely



Colin: it probably made you a much
better developer through fire.


It's not  not through yeah.

Ooh, that's rough.

CJ: yeah,

Colin: yeah, I, I come from a
background of not always having,

Developers to review my code, and so
I would have to do that anyway, right?

I'm like, I'm literally doing
PRS to myself and then going

and looking at the diff and like
reviewing it like the next day.

So like with fresh eyes.

That was like when I was the
only developer at a company.

You know, I wonder if
that's even a service.

It'd be amazing to like, have
like a contract code reviewer

CJ: Mm-hmm.

Colin: Can you just review my PRS
as an external, you know, person?

But I always had to develop that.

And because of that, I never really got a
lot of those, like those negative reviews.

But because of that too, I never
developed a really strong muscle for

like what to look for in other people's.

And I've had to develop that.

You know, at orbit we have plenty of
developers to review each other's code.

And I've learned a lot on both sides
from reviewing other people's code.

I've learned a lot of things where I'm
like, I didn't know Ruby could do that.

know that Rails could do that.

But then on the flip side, just
seeing like what comments people do.

You know, point out you know,
especially if someone knows the

code base in a different area better
and they're like, Hey, we already

have something like this over here.

you considered reusing this?

Things like that.

So and I think, you know, some of
the, the tips from thought bot when

you're reviewing code, where like
communicate things that you feel

strongly about and those that you don't.

So like maybe there's something else,
like, we really shouldn't merge.

Part as is, or like, Hey, over here
maybe we, we, we should clean this up.

But maybe that's like in a future
pr, like, let's not block this one

and ship because it's not gonna
cause any downstream problems.

But like, we probably need to create
a ticket for like coming back in

and, you know, renaming a bunch
of stuff or something like that.

CJ: Yeah.

I think in the past, what I've done
in that experience is like if I,

if I see something that I don't
think meets our quality bar for

polish , but it's almost there.

Then I will still leave comments about the
stuff that is like insanely nitpicky, but

then in like the overall comment for the
entire PR review, I'll say something like,

left a few nit comments, but it's like,
this is, you know, fine to, to move on.

So yeah, I think that's
pretty clear or, yeah.

when, I guess like in GitHub when you're
reviewing, you can also like approve or

comment and so you could say like, Oh, I
left a few comments and then just comment.

And that is kind of you implicitly
saying that you don't approve  of like

where it's at right now and that some
things need to be addressed versus

like, I left a few knit comments, but
then you click the approved button and

so like it's technically approved, but

Colin: Right.

And they can still push up some
more commits and stuff after that.


That's interesting.

Like just you pointing that out.

There is no, technically
there's no decline button.



Request changes or approve or comment.

And you know, the comment one and the
request changes are kind of the same

at the end of the day, but one's a
little bit gentler than the other one.

CJ: Mm.

Colin: And I would say, I actually found,
I'll put this in the link to, in the

show notes, we found a, like, I, I've
been having this problem of not knowing

when someone commented on a PR or even
to a review, and I finally figured out

how to configure the GitHub settings.

Shout out to Anthony at
Orbit for like sharing this.

There, I tweeted about it a few weeks ago

CJ: Mm.

Colin: I was like, I keep miss,
like, I don't get an email when

someone comments like, Why am I
not, like all my settings are set.

So now I'm getting notifications in
Slack like directly to me when it's like

someone mentions me in a PR or tags my
team in a pr, things like that, which I

found to be more useful cuz I was like
blocking people without realizing it.

Or I'd be like, Hey, why
is no one reviewed my PR?

And I go look at it and there's a
bunch of comments on it already.

CJ: Mm-hmm.

. Mm.

Colin: told me about those things.

And that's really important
when you have like the request

changes, comment, or approve.

It's just nice to know that like,
hey, it's ready to, to be merged,

or we need some changes there.

GitHub has a pretty nice thing where it's
like you can comment everything and then

you get that like final say, the like,
it's either good to go, looks good to me.

You know, we've got all this
language now around ShipIt and

L G, TM and all these things.

I think ultimately are you, are
you in an emoji and animated gif

in your code reviews person or not?

CJ: Definitely emojis.

I, not as much the animated
gifs, but yeah, I think it.

I'm trying to think back if we were
super into it at previous companies.

I think at App Academy we used
animated gifs a lot in prs,

but not at my VR or Stripe.

So yeah, like but I, I do think
they add a little bit of fun and

flavor to the experience, so yeah.

That's a good call.

Colin: Yeah,

I'll use like the eyeball reactions
on certain, like comments and stuff

to let them know that I'm looking
at it or, or reading it if it's

like not, and I don't even know if
you get notifications for those.

I will use the ship it Squirrel and the
ship in the, in the final PR comment

if I, if I think it's ready to go.

CJ: Yeah, I would say that emojis, so
emojis can also be used for a lot of

good positive reinforcement, which I
do think is another really important

part of reviewing someone's PR is like
going through and saying like, Wow,

this is super nicely organized, or, I
really like how you use this pattern.

Or like yeah, like maybe they.

Not necessarily something clever,
but something that might like, do

a performance optimization that
was kind of like something that

they went over and above to do.

Then I'll drop like sunglasses
face or like, Oh, this is cool.

Or even just like those little things
that that you're calling out that

are, that are good can help, I guess.

Yeah, they, they, they help soften the
blow for any critical feedback that

might come later, but also, You're
giving kudos where kudos are due for

someone, you know, doing great work.

So that's a, yeah, I think that's
also like an important part of review.

So at, at orbit, do you have checklists,
like, do you kind of like have a team

organized checklist that's like, okay,
make sure that you're looking for security

vulnerabilities and is it tested and is
there observability and is there logging

and is there, does it need legal review or

Colin: Yeah, we do have a checklist
in Notion we have like a PR.

Checklist especially, we have a
feature that's coming out that

like has a specific QA checklist
that is in the PR template now.

So like that's still more on the PR side.

Because the person opening the PR needs
to go through, I guess both the reviewer

and the PR before it gets merged.

All the check boxes need to be
checked just just for sanity.

Cuz some of them are more
like regression type things.

We hope to catch in tests, but we don't.

There's just some strange
things that could happen.

But we do have a notion like for
onboarding that people read through.

I wouldn't say like, we have explicit
checklists that, you know, has

to get checked off in every pr.

Especially if it's like, you know,
again, a README may not affect security.

So we're gonna skip that section.

Do you guys have something.

CJ: We, I think each team does
it a little bit differently.

Each team kind of like individually
maintains their process and

their own code ownership.

And yeah, I mean, we do use code
owners to like say which files are

owned by which teams and so people
can automatically get pulled in

if there's changes to their stuff.

. But yeah, like I, I've definitely
seen some teams where it's like,

there's a really explicit checklist
and it's, you have to go through

and make sure there's that.

You think about security and then you
think about tests and then you think

about n plus one queries and then you
think about caching and then you think

about whatever, you know, like yeah.

And like another great one is migrations.

I've been bit a million times, This
is more in like Django land, but

yeah, you're trying to roll out a,
my data migration that's gonna add.

Maybe you're gonna add a new column
that needs an index or something

and like you gotta do all the
different steps that in Rails it's

less painful than it is in Django.

But like sometimes in Django you'd
have to do like several prs where

they were coordinated, where like the
first one does something and then the

second one does something else and
you have to like deploy one and then

immediately deploy the other one.

And yeah.

So I think we kind of built a
pretty strong culture around.

Reviewing data migrations
and yeah, I don't know.

I think it's, it's, it's also
tough to like make sure that you're

hitting all of the right things
that are required for a feature.

Like you know, do we have the right
metrics in place to measure the

success of this thing as it goes out?


Colin: Yeah.

I think other than that checklist,
I'd say to kind of put a bow on this

one, like the big thing is to remember
that the, the person, the the person

on the other end of the review is
human and like they're gonna mix their

identity with the code a little bit.

. And so just keeping that in mind
and, and having compassion and pa

compassionate code reviews is important.

And with that, have you used any of the
tools on like, I think one of the things

that we've kind of talked about here is
like to, for both the PR reviewer and

the person authoring it I've been seeing
a lot more like tooling and processes

for like, Prs that make it easier.

And the one that comes
to mind is

Have you seen this before?

CJ: I have not seen graphite.

We used a tool called, I think
it was called Reviewable.


We used reviewable.

Colin: The idea behind graphite, and I
think this is similar to like fabricator

at Facebook and some of these other tools
is That like we ran into this issue when

we were building some of our integrations,
we would usually build them as one pr.

They were the most insanely
large PRS you've ever seen.

If people just wouldn't wanna review it
because they were like, I don't like,

Unless you were on the integrations
team, you didn't know how to review it.

what we've moved to right
now is just small prs.

Each PR being kind of like what you just
said, that they're like coordinated.

This is PR one.

Once that lands, we can
then merge two and three.

The problem with that is that you
end up with dependencies on branches

and prs and so graph I aims to solve
that and it essentially has these

like stacks of prs that all end up
rolling up into like one major change.

I've been playing with it.

I'm still not sure how I feel about it.

It feels like something like your
whole team kind of has to use if

you're gonna really dedicate to.

Or maybe you can use it for your
own prs, but it has a really cool

integration with GitHub, whereas
each PR gets added and merged.

Like there's a little running
list that gets added to the GitHub

PR of like, this is one of four.

This one's been merged,
this one's been merged.

And then it auto rebates
all of the upstream onto it.

And this is

CJ: Ooh.

Colin: doing all the get like get does
not translate well to audio at all.

CJ: Yeah,

Colin: when you start talking
about merges and branches.

And Rebasing, but definitely check out if you have this issue.

There are other tools that are you know,
available if you, if you search for like,

merging and, and code review strategies.

I'm still trying to find that, that
thing that's like lightweight on

the team where you actually can have
branches and prs that are dependent

on previous ones, but not block you
as a developer from keeping, you know,

development, you know, working on it.

You know, doing it where you have
to constantly rebase upstream or you

know, if the thing you need is not in
the branch that you're in right now,

then that, that becomes an issue.

And so little bit off topic for code
reviews, but Graphite's own website claims

that the biggest reason to do this is
that it makes code review even easier

because maybe the migration is in a PR.

The model and the controller are
and there on prs, and then you

have the business logic in its own.

And that way you can also start
getting things into main faster

feature flag things, right?

You're starting to develop around
feature flag development instead

of like, you know, having that big
launch day where you're afraid to

see if everything's gonna land.

CJ: Mm-hmm.

. Mm-hmm.

. Yeah, I, I'm trying to remember
the features of reviewable

that were killer features.

I think many of the ones that we
were using are now rolled into just

like the default GitHub interface.

So yeah, I'm sure there's features,
new features that we, I haven't

seen added, but yeah, tools
can definitely help your flow.

I think we also talked about having
like an automated system for.

Adding comments to the PR that like
you kind of have a bot do a first pass

of a review and make comments about
things like style or, Hey, you know,

at this company we put parentheses when
we make our method calls or whatever.

Like you can kind of apply
those automatically, but.

Colin: Let the, let the bot
do the nitpicky stuff so you

CJ: Yeah.

. Exactly.



Well let's wrap it up.

We hope you enjoyed this deep dive into
how to review PRS and doing code reviews.

Next time we're gonna start talking
about some developer content creation

and a lot of the workflows that
we use for dev content creation.

Colin: As always, you can head over to
build and to check out all the

links and resources in the show notes.

That's all for this episode.

We'll see you next time.

CJ: Bye friends.