Created Community Duty Tasks (markdown)

Community-Duty-Tasks.md

@@ -0,0 +1,84 @@
+### Tasks :chair:
+
+One day each week, each contributor should do the following:
+
+#### **Triage Issues**
+
+To triage an issue, search for the label [`status: waiting-for-triage`](https://github.com/spring-projects/spring-security/issues?q=is%3Aissue%20is%3Aopen%20label%3A%22status%3A%20waiting-for-triage%22%20) and follow these steps.
+
+1. If it's something you feel like you cannot triage, assign it to another team member who you feel can.
+
+Otherwise, do the following:
+
+1. Assign the ticket to yourself.
+2. If the ticket appears to be accidental, incomplete, or not following our [code of conduct](https://github.com/spring-projects/.github/blob/main/CODE_OF_CONDUCT.md), close the issue with `status: invalid` (i.e. a 400 error). As needed, explain why it was marked as invalid in a comment.
+3. Label the issue with the appropriate `in: xyz` label.
+4. Correct any incorrect labels.
+5. If it's a duplicate, label it as a `status: duplicate` and close the issue with a comment linking to the issue.
+6. If it's a question, label it as `type: stackoverflow`, and close with a comment inviting them to use StackOverflow :star:
+
+:star: - If a feature is brand new, still consider answering the question. The reason for this is that the likelihood that it is a bug or a much-needed feature is higher and so it is worth it to allow those questions as an exception to the rule.*
+
+If it's a bug, also do the following:
+
+1. Consider the urgency of the issue. Does it affect many users? :arrow_up: Has it been around for a long time and we are just hearing about it now? :arrow_down: Is it part of a new feature? :arrow_up: Is there an easy workaround? :arrow_down:
+2. Reproduce it. If you don't have enough information, ask and label with `status: waiting-for-feedback`.
+3. If not a bug, label with `status: declined`.
+4. If a high-urgency bug, assign to the next patch release of the earliest supported version
+5. If a low-urgency bug, assign to the earliest supported `.x` milestone.
+6. Develop a workaround and post it as a comment.
+7. If an ideal-for-contribution bug, label it as `status: ideal-for-contribution` and invite the poster to contribute
+8. Add any additional needed explanation in a comment.
+9. If at this point the bug is addressed, close it.
+
+If it's a feature, do the following:
+
+1. Evaluate it. If you don't have enough information, ask and label with `status: waiting-for-feedback`.
+2. If you disagree, mark the ticket as `status: declined`.
+3. If you agree, assign the appropriate milestone; either "General Backlog" or the next `.x` generation where it will fit. You might remind the contributor that tickets with votes usually happen before tickets that don't.
+4. For an ideal-for-contribution feature, label it as `status: ideal-for-contribution` and invite the poster to contribute
+5. Add any additional needed explanation in a comment.
+6. If at this point the feature is addressed, close it.
+
+At this point, also remove the `status: waiting-for-triage` label.
+If there is more work to be done and you want to do it, leave it assigned to yourself; otherwise, unassign.
+
+#### **Respond to Issues**
+
+Look for unassigned `status: feedback-provided` issues and follow the same steps as **Triage Issues**.
+
+#### **Triage Dependabot PRs**
+
+For each [Dependabot PR](https://github.com/spring-projects/spring-security/issues?q=is%3Apr%20is%3Aopen%20author%3Aapp%2Fdependabot%20), investigate why it failed to merge and address the issue, ensuring that the upgrade gets performed. If upgrading is impossible, add those details to the ticket.
+
+#### **Triage Contributed PRs**
+
+For each [contributed PR](https://github.com/spring-projects/spring-security/issues?q=is%3Apr%20is%3Aopen%20-author%3Aapp%2Fdependabot%20):
+
+1. Follow the same rules as **Triage Issues**.
+2. If ready to merge, merge the PR. These are usually unassigned PRs where any requested changes have been approved and the issue has a concrete milestone and not just a `.x` milestone.
+3. If there is an issue linked to the PR, close the issue, mark it as `status: duplicate`, and include some comment like `Superceded by {the PR number}`
+4. If it is a simple PR, like a typo, an obvious fix, a formatting or naming convention improvement or the like, ready it for merging.
+
+#### **Answer Questions on StackOverflow**
+
+1. Search for questions on StackOverflow with the tags [`spring-security`](https://stackoverflow.com/questions/tagged/spring-security), [`spring-session`](https://stackoverflow.com/questions/tagged/spring-session), [`spring-security-oauth`](https://stackoverflow.com/questions/tagged/spring-security-oauth), [`spring-authorization-server`](https://stackoverflow.com/questions/tagged/spring-authorization-server), and [`spring-ldap`](https://stackoverflow.com/questions/tagged/spring-ldap). You might also search for those with [`spring-boot` that also mention security](https://stackoverflow.com/search?q=%5Bspring-boot%5D+security).
+2. As part of your answer, if there is an improvement that can be made to Spring Security that this question uncovers, [open an issue](https://github.com/spring-projects/spring-security/issues/new) or provide the improvement. An common example is the need for clearer documentation.
+
+#### **Triage Commercial Dependabot PRs**
+
+For each PR, do the same as **Triage Dependabot PRs**.
+
+#### **Check the `spring-security` Chat Channels**
+
+1. Check the internal channel and either answer questions or ping the right person
+2. Check the [gitter channel](https://gitter.im/spring-projects/spring-security) and either answer questions or ping the right person
+
+### Schedule :calendar:
+
+The current schedule is:
+
+- Monday - [@jzheaux](https://github.com/jzheaux)
+- Tuesday - [@sjohnr](https://github.com/sjohnr)
+- Thursday - [@jgrandja](https://github.com/jgrandja)
+- Friday - [@rwinch](https://github.com/rwinch)