Prevent users from editing master branch in ADF - azure-data-factory

I'm trying to prevent developers from directly editing and committing to the master branch in ADF.
There is a risk that users can accidentally make changes in ADF by not creating a feature branch but instead working directly on master (I've done it myself!).
Is there a way to enforce this in ADF? I do have a branch policy on master that only allows merging via a pull request but don't think this stops developers from working directly on master:

Another way to achieve this is to require a reviewer.
Select "Branch policies":
Turn on the option "Require a minimum number of reviewers":
Set the number of reviewers to 1.
This example shows "Allow requestors to approve their own changes". This setting is optional. If you set it, the user is still prevented from committing to main/master, but can complete their own PRs.

You can deny the Contribute permission for the user group in the Git repo. Check the following official documentation:
https://learn.microsoft.com/en-us/azure/devops/repos/git/branch-permissions?view=azure-devops

Related

How to prevent pushing directly to Master branch in AzureDevOps

A user from a group like Build Administrator can access the project from Azure DevOps. I need to control the user in that group to upload the file directly to the master branch. The user can manually upload files to all branches except master, because my master branch is based on pull requests. How can I implement this? Does it need any permission?
There are a few critical branches in your repo that the team relies on always being in good shape, such as your master branch. Require pull requests to make any changes on these branches. Developers pushing changes directly to the protected branches will have their pushes rejected. Thus, follow this doc: Improve code quality with branch policies, to protect your master branch.
In addition, refer to this doc: Allow bypassing branch policies without giving up push protection. Please note that these 2 permissions (Bypass policies when completing pull requests and Bypass policies when pushing) shouldn't be granted to the Build Administrator group you mentioned for the master branch. See: Set branch permissions for details.
As soon as you enable any policy on your default branch changes must be made via pull request.
From the branch policy dialogue
Branch Policies: Note: If any required policy is enabled, this branch cannot be deleted and changes must be made via pull request.
So to disable direct commits follow these steps:
Navigate to project settings (cogwheel)
Repositories > select your repo
Navigate to Policies
In the Branch Policies section select your default branch
Enable any policies that make sense to your use case. Require a minimum number of reviewers might be a good starting point.
Just to understand:
You want to allow your users to store their files on the master branch? Which tool are they using to upload? Visual Studio or just drag & drop?
Anyway, you can find some settings in Azure DevOps by going to
Azure DevOps --> Your Repository --> Branches --> Select the branch you want to modify and click on the 3 dots (...) --> Select Branch Policies

Github - lock Travis config - prevent collaborator from changing it

We're using GitHub and Travis in our organization. The branches are protected, and require Travis build to pass, then are merged automatically.
The problem is that, well, sometimes contributors decide that the best way to fix the build (testing) process is... ...to remove the tests from the .travis.yml! Yey.
Are there any mechanisms I could use to prevent one file on the branch the user has full access to from being overwritten? Or make .travis use the config from outside of the branch that is being built?
Assign a code owner to the .travis.yml file. PRs changing Travis configuration will not be mergeable without the code owner's approval.
If you still want to ensure that collaborators get an approval on Travis changes and push new changes before merging, you should enable stale review dismissal.

How to completely protect/block a branch in Azure DevOps from pull requests

I found how to block/protect a branch from pushes and force pushes, but how do I protect a branch from pull requests? When somebody creates a pull request, the branch merges into the locked branch (e.g. master branch) without any problems or acknowledgements. How can I protect a branch from pull requests, if that is possible?
Branch lock (protect branch from pushes);
Branch security (deny force pushes)
I want to make it impossible to complete a pull request to a locked branch, if that is possible.
I tested locking a branch, and the result of the test is that it can successfully prevent other users from completing the pull request and merging to the target branch.
When I lock the master branch and then create a PR from the dev branch to the master branch, when I click Complete, I get a prompt that stops me from completing the PR.
In addition, locking the branch can also prevent me from committing to the locked branch.
So I think locking the branch can meet your need. For details, please refer to this official document.
Plainly blocking a branch from any PR isn't possible as a single feature, but you can use branch policies to achieve something similar.
The ADO docs say you can set policies:
Add specific person as required approver (it can be you)
Require minimum number of reviewers (you can add 999 people)
Check for linked work items
Require approval from external services (via API)
Plainly locking a branch forever, whatever happens, is not the best approach (you want to have the opportunity to do that sometimes). Hope that helps.
Hm, strange, because in our case the lock does not prevent the PR.
Probably it depends on who made the PR and his privileges in the project, but I'm not sure...
master branch lock
successful PR

How can you stop a branch being deleted in a pull request?

How can you stop a branch being accidentally deleted in a pull request?
The issue is the "Complete pull request" has got the "Delete dev after merging" check box, and this seems to be checked by default, which may be because I'm the owner of the repos.
Is there some way to disable this for all users?
For now, there is no way to disable the Delete source branch after merging option.
And there is a User Voice item, Disable Delete Branch Checkbox in PR When Branch Policy In Place, which suggests a similar feature; you can vote and follow up.
The workaround is to set branch security for the target branch (the dev branch in your situation):
In VSTS Branches Tab -> click … button for dev branch -> Branch security -> change Force push (rewrite history, delete branches and tags) as Deny for the users and groups -> Save changes.
BTW: the Delete source branch after merging option in the PR completing window is not checked/selected by default, but is based on the last time's setting. For example, if you deselect the option now, when you open the PR completing window next time, the Delete source branch after merging option will be deselected.
See this post. You just need to add a policy to the branch, then it cannot be deleted.
I may be a bit late on this thread. I faced this problem and found a solution in Azure DevOps. While approving, you get the option to deselect it.

github - enable branch lock

As a GitHub administrator, I would like to lock a particular branch in GitHub for all users.
For example, if I do not want anyone to push to Master/Production or a Project branch, how can I do that?
Instead of using any client-side hooks, is there a way to lock a branch on the GitHub server directly? Are there any third-party tools/APIs/scripts which can help achieve this?
#Saurabh, I have done a similar thing according to your requirement on GitHub:
Navigate to Settings
Navigate to Branches
Tap on Add Rule near "Branch protection rules"
Tick the Require pull request reviews before merging checkbox
These steps apply a lock to, for example, master, so that no collaborators can push code to this branch. Code can only be merged using pull requests.
Link to documentation
Note: Protected branches are available to Pro, Team, and Enterprise users.
The easiest solution is to have that branch in its own repo (for which no collaborators are declared).
Otherwise, GitHub doesn't provide any native "branch protection" feature, as mentioned in "How to protect “master” in github?"
You could set up a webhook which on a push event can refuse the push if the branch has a given name.
An example would be terite/pull-to-master which protects master:
    if (json.ref != 'refs/heads/master')
        return cb([200, 'Skipping, not master']);
This is not a client-side hook, but it does require a client to listen to the JSON payload of the push event in order to react to it.
Since Oct. 2022, there is a simpler option:
New Branch Protections: Last Pusher and Locked Branch (Oct. 2022)
Push protection enabled.
This allows for branches to be locked, prohibiting changes.
You can lock a branch allowing you to have a maintenance window and prevent changes, or to protect a fork so it only receives changes from its upstream repository.
To use this feature in a branch protection rule, enable Lock branch.
For more information, read About protected branches in the GitHub documentation.
We appreciate feedback on this and other topics in GitHub's public feedback discussions.