20 questions for a valuable code review


I recently had an interesting discussion around the value of doing code reviews and the value of mandatory code reviews.

I think code reviews are extremely valuable and should be done by most organisations and teams.

A valuable code review will:

  • pass institutional knowledge around the org
  • help all engineers grow their skills
  • maintain quality in the face of all the other time pressures your team faces

But how do you keep a code review valuable?

  1. Automate instead of PR checklists
  2. Focus on code readability and functional correctness

Automate instead of PR checklists

Anything that can be automated must be automated. Engineers are expensive! Don’t waste your time on code formatting or spell checking if at all possible.

It's OK to have some checklists in a PR template but you should always be actively working to remove checklist items through automation or engineering culture.

20 code readability and functional correctness code review questions

  1. Is the intent clear?
  2. Is there needless duplication?
  3. Could existing code have solved this?
  4. Is this an atomic commit?
  5. Could this be simpler?
  6. Are there obvious logic issues?
  7. Does it need tests?
  8. Are the tests comprehensive and clear?
  9. Are there any security issues or considerations?
  10. Are there any accessibility considerations?
  11. Are there any PII considerations?
  12. Is it instrumented? Are there relevant analytics? Are there relevant production logs?
  13. Are there revert scripts for database changes?
  14. Is the database work ACID? Is it transactioned sensibly?
  15. Does this feature need to be turned off in the future?
  16. Is it easy to turn it off?
  17. How easy is it to delete the feature code as a whole entity?
  18. Does the code respect Command-Query separation?
  19. If using DDD: are there well-defined aggregate roots, value objects and enumerations?
  20. Will there be any issues recovering from a transient failure? Is the solution distributed in an unexpected way?

A note on “nits”

In general I do not look for coding style, syntax I don't like, styling or spelling errors in a code review.

If these things are important to your team then just use your CI system to detect and fix issues automatically.

In TypeScript/JavaScript we have ESLint, Prettier and Vale to detect and fix issues automatically. There will be similar tooling for your language and framework of choice.

Consistency IS important. If an entire code base is using some syntax but you prefer a different syntax that is functionally the same, you should use the existing syntax unless the entire team agrees with you and there is a plan to change the code everywhere.

A note on mandatory code reviews

The PR system developed by GitHub was for Open Source contributions by distributed teams. Mandatory PRs might not be relevant for a team with consistent levels of engineering capability and knowledge of the system.

I do feel that if code reviews are mandatory it means they won’t be bypassed when the pressure is on.

When the team is under pressure is when you really need code reviews the most. If some software is forcing one positive code review then a single developer can’t be pressured into putting dodgy code out to customers.

Summary

Code reviews that focus on finding nits, syntax you don't like, spelling errors and things like that are not a valuable use of your time. Automate these with tooling instead.

Code reviews that focus on code readability and functional correctness are extremely valuable to the entire organisation, long after you have moved on to another project.

If you don't enjoy code reviews, try changing their purpose and start evangelising what a good code review looks like.