Governance Best Practices
A condensed summary of the 25 most important governance practices for Python organizations - drawn from every page in this section.
-
Ruff + pyright in CI: Automate style and typing on changed paths - Coding Standards & Style Guides.
-
Domain free of framework imports: Testable core in
domain/packages. -
Fleet cookiecutter template: New services start consistent.
-
Docs-as-code in
docs/: ADR, RFC, runbook, spec - Documentation Conventions. -
README minimum sections: Dev, deploy, owners, dashboards.
-
ADR supersede, never delete: Audit trail preserved.
-
Runbook URL in alert annotations: On-call finds steps at 3am.
-
PR template with rollback: Required for service changes - Contribution Guidelines.
-
CODEOWNERS on critical paths: Migrations need DBA + service owner.
-
Squash merge to main: Linear history; deploy from SHA tags.
-
uv.lock committed; frozen sync: Reproducible prod images - Dependency & Supply-Chain Governance.
-
pip-audit in CI: Critical CVE blocks merge.
-
CVE SLA published: 7d critical, 30d high.
-
SBOM per release artifact: Customer audit ready.
-
New dependency approval list: PR updates
approved-dependencies.md. -
EOL calendar published quarterly: Python, Django, public APIs - Deprecation & Upgrade Policy.
-
HTTP Sunset headers: Customer API deprecation visible.
-
Usage metrics before removal: Zero traffic 30d plus notice period.
-
Spikes time-boxed 2-3 days: Written criteria first - Spikes, PoCs & Adopting New Tools.
-
ADR after spike adopt/reject: Prevents tool relitigation.
-
PoC ≠ production: Hardening checklist before pilot.
-
Platform guild owns standards: Quarterly review of ruff config and templates.
-
Lessons-learned catalog maintained: Post-mortems feed LL IDs.
-
Career rubric published: Senior/staff/principal scope clear - Career Growth.
-
Governance serves delivery: If rule blocks without risk reduction, revise it.
FAQs
How heavy should governance be?
Enough to prevent repeat incidents; light enough that CI enforces most rules.
Startup vs enterprise?
Start with lockfile, CI, README, runbook; add SBOM and allowlist as customers require.
Who owns governance program?
Platform engineering with input from security and EM staff.
Exceptions process?
Time-bound waiver ticket with IC or architect approval; no permanent exceptions.
Open source contributions?
CLA + same lint/test standards as internal.
Governance metrics?
CFR, CVE age, ADR count, runbook coverage %, template adoption rate.
Multi-repo vs monorepo?
Same standards; central index for ADRs across repos if multi-repo.
AI-generated code?
Same review and security gates; no skip on pip-audit.
Regulated industries?
Add formal change advisory; retain SBOM and approval records 7 years.
Review governance itself?
Annual retro: which rules prevented pain vs added friction.
Related
- Coding Standards & Style Guides - code rules
- Documentation Conventions - docs rules
- Dependency & Supply-Chain Governance - supply chain
- Deprecation & Upgrade Policy - lifecycle
- Lessons-Learned Catalog - operational memory
Stack versions: This page was written for Python 3.14.0 (stable 3.14, maintenance 3.13), FastAPI 0.115+, Django 5.2, Flask 3.1, Pydantic 2, PyTorch 2.6+, pandas 2.2+, Polars 1.x, ruff 0.9+, and uv 0.6+.