[Meta] GitLab Acceleration Initiative

Problem/Motivation

Contributing to Drupal as a first timer can be difficult. There are several points of friction in account creation, and several 'Drupalisms' in the order of operations we require to start an issue and then begin your code contribution - even after the migration to GitLab for code hosting and the hybrid d.o issue/GitLab Merge Request model.

Project Goals

Significantly increase the amount of contribution to Drupal, particularly by opening up contribution opportunities to new audiences who may have found Drupal contribution intimidating or overwhelming in the past.

For a more detailed overview - review the video from DrupalCon: https://drive.google.com/file/d/1dqpx9CTYla9e3M1NpRIubbAs1ScbvnTg/view?u...

Strategy / Proposed Resolution

Reduce the friction of contribution to Drupal, particularly for brand-new contributors and so-called 'drive-by' contributors.

Increase our ability to capture those contributors and make it easier for them to continue investing in the Drupal project.

Proposed resolution: Targets

There are five key areas of friction in Drupal contribution today that we want to address with this initiative:

Risks

Disrupting the core release cycle

If we do not carefully map out all of the user stories of the core release cycle, and have each element accounted for when we transition portions of the tooling to GitLab we risk disrupting the release cycle, and potentially even missing one of Drupal's 6-month release windows.

Mitigations

• Involve release managers heavily in defining the user stories and validating that the new GitLab based workflows accomplish their needs
• Choosing a deploy time shortly after a particular 6-month release, to give as much of the following 6 months as possible to troubleshoot and file off rough edges.

Disrupting the security release cycle

The Drupal Security team has a fairly bespoke process for taking in reported security issues, adding maintainers of the relevant projects to those issues, and working in an appropriately confidential way. Those tools are all Drupalisms based on existing Drupal.org tooling - and the ability to manage security reports and make security releases could be disrupted - potentially making a highly critical security release difficult to execute.

Mitigations

• Involve the security team heavily in defining the user stories and validating new workflows for the team
• As best as possible, try to choose a time to deploy changes with a *minor* security issue as the next release on the docket - so any issues can be ironed out not with a critical or greater vulnerability on the line.

Loss of Contribution Credit for issues

One of the most innovative and powerful tools the Drupal Association has built to foster contribution in the community is the Contribution Recognition system in the issue queues.

This attribution data is used not only to measure how much of Drupal development is volunteer vs. sponsored but also to determine which organizations contribute the most to the Drupal project.

This is key data in managing additional Drupal Association programs, such as the marketplace ranking system and the Drupal Certified Partner program. Without it, we lose our ability to reward 'makers' over 'takers' and thus reward good corporate citizenship in the Drupal.

Mitigations

In every case the canonical home of the contribution record will remain Drupal.org. We will parse the attribution data - import into Drupal.org user profiles, organizational profiles, and marketplace. This gives us the control we need over the weighting and measurement of that data, and allows project leadership to create the appropriate incentives for organizational contribution.

What will differ is whether that attribution data itself is stored directly in GitLab (if they add the feature described in Option 1 below) or if we have to create a separate integration to gather attribution data (see Option 2 below).

1. Option 1 - we have pushed for GitLab itself to adopt a similar attribution system in their toolset. If this feature is added, we can continue to gather this attribution data and use it the way we do today - but furthermore, we can also begin to compare against other GitLab-hosted open source projects.
   • Note: It might be possible for us to attempt to contribute such a feature upstream, but as of yet, we are still trying to get buy-in from the GitLab project managers - although we have managed to gather support from other projects and initiatives (LinuxFoudnation CHAOSS, CivCRM, and several GitLab enterprise customers).
     
     However - we do not have Ruby development talent on staff - so directly contributing upstream would be a challenge (and would counteract any argument that we have 'saved' engineering time by moving to a 'vanilla' GitLab solution).
2. Option 2 - As a backup - if GitLab cannot deliver the attribution system in a timely fashion - we could develop a 'contribution log' content type on Drupal.org, automatically create one for every GitLab issue/Merge Request - and use a bot to post a link to the credit node on each closed issue.

Loss of *desirable* drupalisms: easy cross-collaboration

In attempting to standardize as much as possible on 'vanilla' GitLab workflows, we are eliminating Drupalisms from our workflows, and some of those Drupalisms are actually superior in terms of the ability of a large community to collaborate on single issues, than what is offered by these alternate tools.

For example - right now:

• Anyone can open an issue on any project
• Anyone can comment on an issue for any project
• Anyone can create a patch or merge request on an issue for any project
• Anyone can 'review' that work, and update the issue status to RTBC

These are not a given in other toolsets. In both GitHub and GitLab - maintainers have to *grant* access to issues on their projects in order for these contributions to be made - and control is given to the original *reporter* of the merge request, rather than to the maintainers of the project.

Constraints on Scope

The accelerated move to additional GitLab features does *not* mean that we want to move absolutely everything to GitLab. We should understand the constraint on the scope.

Issues => GitLab

Per above, tactics 3-5 require that issues move from Drupal.org to GitLab issues, which will also bring with it new capabilities such as GitLabCI integration, Kanban boards, Scoped Labels, Bot integration, etc.

Project Pages: Discoverability => Drupal.org

The homepage for a given project should remain on Drupal.org, and indeed, everything related to the discoverability of projects really remains a core Drupal.org feature. Drupal.org home pages provide us additional metadata and descriptive information from maintainers that simply aren't available on GitLab project pages, and are required to support other initiatives, such as the Project Browser in Core initiative.

User Documentation (Drupal.org) vs Developer Documentation (GitLab)

Drupal.org has a robust documentation system that interlinks between projects and documentation sections that don't have to be tied to a particular project making it an ideal place for everything to do with end-user(or end-user/developer) documentation. That is, everything about how to install and use a particular project with Drupal should remain on Drupal.org.

At the same time, GitLab's documentation features - particularly the readme.md, wikis, and GitLab Pages, are ideally suited for developer documentation.

Release management => Drupal.org

This may need further exploration, but at least initially it seems prudent that packaging and release management continue to take place on Drupal.org.

At the very least, this will be required to support the Drupal.org Composer Façade as it currently exists, as well as to support the package signing mechanism being developed for the Automatic Updates initiative.

As a follow-up phase, we could revisit release management using GitLab.

It should be noted that there are a few areas where GitLab *should* begin taking over some elements of release management, such as for JavaScript libraries in the general project type, where the Decoupled Menus Initiative is already using GitLab pipelines to publish to NPM.

Remaining tasks

• Drupal Association completing contract for Authentication/SSO from third parties
• Auditing contribution workflow user stories from contrib, core, and security perspectives
• what else?

User interface changes

API changes

Data model changes