BCPs for development

Must have

  • sign every commit, but do not trust a single commit to be safe to merge
  • sign every release tag
  • pin all external dependencies using hashes
  • lint git tags

Should have

  • require doc strings
  • use only audited external dependencies
  • Rust: cargo-vet
  • define formatting rules to enforce consistent style
  • define other requirements
  • require impact assessment for commits

Nice to have

Git Commits

In commit message body

  • impact: <major|minor|patch> see: https://semver.org/
  • type: <feat|fix|docs|style|refactor|test|chore> see: https://www.conventionalcommits.org/en/v1.0.0/
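As an added example (not part of this page), a POSIX sh commit-msg hook that enforces the two body lines above: it rejects a commit unless the message carries exactly one "impact:" line and exactly one "type:" line, each with one of the listed values. The hook path, the function names and the sample messages are my own assumptions.

```shell
#!/bin/sh
# Added example: git commit-msg hook enforcing the "impact:" and "type:"
# lines described on the page. Install by copying it to
# .git/hooks/commit-msg and making it executable (assumed layout).

# Allowed values, taken from the page's lists.
IMPACTS="major minor patch"
TYPES="feat fix docs style refactor test chore"

# in_list VALUE "a b c" -> 0 when VALUE is one of the space-separated words
in_list() {
  for _v in $2; do [ "$1" = "$_v" ] && return 0; done
  return 1
}

# check_trailer KEY "allowed values" FILE
# -> 0 when FILE has exactly one "KEY: value" line and value is allowed
check_trailer() {
  _count=$(grep -c "^$1:" "$3" || true)   # grep exits 1 on zero matches
  if [ "$_count" -ne 1 ]; then
    echo "commit-msg: expected exactly one '$1:' line, found $_count" >&2
    return 1
  fi
  _val=$(sed -n "s/^$1:[[:space:]]*\([^[:space:]]*\).*/\1/p" "$3")
  if ! in_list "$_val" "$2"; then
    echo "commit-msg: '$1: $_val' is not one of <$(echo $2 | tr ' ' '|')>" >&2
    return 1
  fi
}

# validate_commit_msg FILE -> 0 only if both required lines are present and valid
validate_commit_msg() {
  check_trailer impact "$IMPACTS" "$1" && check_trailer type "$TYPES" "$1"
}

# When git runs the hook, $1 is the path of the message being committed.
if [ -n "$1" ] && [ -f "$1" ]; then
  validate_commit_msg "$1" || exit 1
fi
```

A rejected commit prints the offending line to stderr and git aborts the commit; the message file is left in place so the author can amend and retry.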