Status: Stable
Every GDI repository MUST adhere to the following specification before
it can release a GA (1.0.0
) release. GDI repositories MUST submit a GitHub issue
on the GDI specification using the Repository GA approval
type. Until the
approval is granted, GDI repositories MUST NOT cut a GA release.
- MUST have a maintainers team and teams MAY be shared between repositories
- MUST have
-maintainers
suffix - MUST include at least two currently full-time Splunkers
- MUST NOT include any non-full-time Splunkers
- MUST have
- SHOULD have an approvers team and teams MAY be shared between repositories
- MUST have
-approvers
suffix
- MUST have
- MUST grant
Admin
permission level to maintainers team - MUST grant
Write
permission level to approvers team and thesignalfx/docs
,signalfx/gdi-specification-approvers
andsignalfx/gdi-specification-maintainers
teams - MUST NOT grant
Write
,Maintain
,Admin
permission level to any other user nor team - MUST NOT grant any permission (including
Read
) to any individual
- MUST have a default branch named
main
- MUST NOT allow anyone (including administrators) pushing directly to
main
- MUST require status checks to pass before merge to
main
- MUST require at least one CODEOWNER to approve a PR prior to merge
- MUST require signed commits on
main
- MUST NOT allow merge commit (squash or rebase merging only)
- MUST lock the versions of all build dependencies (e.g. libraries, binaries, scripts, docker images) or vendor them; EXCEPTION: tools that are available out-of-the-box on the CI runner
- MUST enable Dependabot alerts
- MUST grant access to alerts for the approvers and maintainers teams
- MUST enable Dependabot security updates
- MUST configure Dependabot version updates
- MUST use GitHub secrets to store sensitive data (auth tokens, passwords) and limit their usage to only required places
- MUST NOT use Personal Access Tokens
- MUST limit permissions of
GITHUB_TOKEN
when used- MUST set the repository's default permission
to just read access for the
contents
scope. - MUST only set the absolutely required
permissions
(least privilege) - MUST set
permissions
for individualjobs
- MUST set the repository's default permission
to just read access for the
- SHOULD have Codecov GitHub App configured
- SHOULD have Lychee Link Checker GitHub Action configured
- MUST have a CHANGELOG.md updated for every release
- The
CHANGELOG.md
is intended to be consumed by humans, and not machines. - The file SHOULD contain an
Unreleased
section at the top, which includes changes that have not yet been released. - The file MUST be in reverse chronological order, with the most recent
releases at the top of the file, after the
Unreleased
section. - Each release SHOULD be separated by a line separator (
---
) from the other relases. - Each release SHOULD contain separate sections for each major functionality area (if applicable).
The following sub-sections MAY be used, as appropriate or specified.
General
- General comments about the release that users should know about.Breaking Changes
- Any changes that will break backward compatibility with previous versions. MUST list all breaking changes.Bugfixes
- Details of bugs that were fixed. SHOULD list all bug fixes.Enhancements
- New features that have been added to the repository. SHOULD list all new features.
- The CHANGELOG.md SHOULD NOT list every PR, but only changes significant from an end-user point of view. Anyone who is interested in all the details of every change in the repository can use the git log for that.
- The
- MUST add CODE_OF_CONDUCT.md
- MUST add CONTRIBUTING.md
- MUST have a .github/CODEOWNERS file with a maintainers team
- SHOULD have an approvers team in CODEOWNERS
- MUST add
LICENSE
- SHOULD have a
MIGRATING.md
if applicable - MUST have a
README.md
- MUST have a badge on the
README.md
with build status- CI and PR builds and all tests/checks that are executed in them MUST be publicly accessible by anyone.
- MUST have a badge on the
README.md
with GDI specification version supported - SHOULD have a badge on the
README.md
with code coverage, if appropriate. - SHOULD have badges on the
README.md
for other relevant things including artifacts - MUST have getting started information in
README.md
- MUST have troubleshooting information in
README.md
- MUST link to official Splunk docs in
README.md
- MUST have license information in
README.md
- MUST have a badge on the
- MAY have a
RELEASING.md
file that documents the release process, but this file MUST NOT document private processes. For repositories that use private release jobs, theRELEASING.md
file SHOULD be absent or, if included, just contain the following note:The release process involves signing built packages and binaries and thus must be kept private and not exposed publicly.
- MUST add the SECURITY.md
- SHOULD add dependabot information to
SECURITY.md
if applicable
- SHOULD add dependabot information to
- SHOULD NOT contain comprehensive application examples. Application examples showing multi-system interactions or even cross-language use cases SHOULD be put in the Splunk OpenTelemetry example repository. Smaller, developer focused, examples MAY be included in the repository if it is customary to do so for the coding language used.
- MUST have a signature or a checksum with signature for all release artifacts
- SHOULD use Splunk signing key
- MUST use signed tags
- MUST have a tag protection rule
for the release tags (e.g.
v*
) - MUST state version of OpenTelemetry repository built against if applicable
- MUST update all examples in the Splunk OpenTelemetry example repository that depends on the repository to use the latest release.
- MUST document all configuration parameters that are relevant to Splunk Observability Cloud
- MUST document all configuration parameters whose default or accepted values deviate from upstream
- MUST document sizing guidelines for all signals
- MAY host the documentation in the Observability Cloud documentation repository
- MUST document all configuration parameters that are relevant to Splunk Observability Cloud
- MUST document all configuration parameters whose default or accepted values deviate from upstream
- MUST document how to configure manual instrumentation
- MUST document how to configure log correlation
- MUST define minimum supported version of each auto-instrumentation framework
- SHOULD define maximum supported version of each auto-instrumentation framework
- MAY host the documentation in the Observability Cloud documentation repository
- MUST document all configuration parameters that are relevant to Splunk Observability Cloud
- MUST document all configuration parameters whose default or accepted values deviate from upstream
- MUST document how to configure manual instrumentation
- MUST document supported instrumentations
- MUST document supported platforms: browsers, OS versions, API requirements
- MAY host the documentation in the Observability Cloud documentation repository