We store our git in TFS - Azure Devops.
We want to protect the main branch from push and deletion. push must be done with PR.
So we added a branch policy "Require a minimum number of reviewers".
The problem: users can still push to the branch.
So we updated the policy for "Bypass policies when pushing" and "Force push (rewrite history, delete branches and tags)" to "Deny".
But now the users cannot delete other branches..
Any idea how can we protect only the Main branch from deletion and push ?
Based on your description, it seemed that you had denied Force push (rewrite history, delete branches and tags) security settings on the repository level, so that all other branches were unable to be deleted as well.
Please check the security permission Force push (rewrite history, delete branches and tags) in All repositories and one affected repository for the users/groups. You may try and set the permission of Force push (rewrite history, delete branches and tags) in your repository Security tab back to Allow/Not Set for the users/groups and only adopt branch security restriction on the branch level.
Kindly refer to the security settings on the main branch like below. Thus, other branches will not be affected by the settings of the main branch and they could be still deleted or pushed.
You don't need the force push policy. Setting the require minimum number of reviewers in conjunction with denying the Bypass policies when pushing should give you what you want.
As long as you have these in place, your users cannot bypass the PR rule and if they try to do it with a force push will still receive an error
Related
We are using git repositories with our azure dev-ops setup.
I have a couple of branches that I've worked on a lot, but we are having to put a pause on the work for now as other items have become more important. I want to make sure these branches are not deleted accidentally. My permission setup is a little higher than some of the other developers. Is there a way to put a lock from deleting the branch from the Collection -> Repos -> Branches?
Right now I go to More Options -> Delete Branch and it will ask before it is deleted. I want to put a lock where if you say Delete to Branch feature/testbranchdelete will be permanently deleted. Are you sure you want to proceed? that it will stop it from being deleted.
Thanks.
I have tested according to your narrative and found that the locked branch could still be deleted. And after I changed the Branch Security Permission, the test branch was unable to be deleted.
Please use a new branch in your Repos for the test of this operation following the marks in the picture below. Define Individual and Group Users as Force push (rewrite history, delete branches and tags) -> Deny.
User from a group like Build Administrator can access the project from Azure Devops. I need to control the user in that group to upload the file directly to the master branch. The user can manually upload files to all branches except Master. Because my master branch is based on Pull request. How can I implement this? Does it need any permission?
There are a few critical branches in your repo that the team relies on always being in good shape, such as your master branch. Require pull requests to make any changes on these branches. Developers pushing changes directly to the protected branches will have their pushes rejected. Thus, following this doc: Improve code quality with branch policies to protect your master branch.
In addition, be reference to this doc: Allow bypassing branch policies without giving up push protection, please note that these 2 permissions(Bypass policies when completing pull requests and Bypass policies when pushing) shouldn’t be granted to your mentioned Build Administrator group for master branch. See: Set branch permissions for details.
As soon as you enable any policy on your default branch changes must be made via pull request.
From the branch policy dialogue
Branch Policies: Note: If any required policy is enabled, this branch cannot be deleted and changes must be made via pull request.
So to disable direct commits follow these steps:
Navigate to project settings (cogwheel)
Repositories > select your repo
Navigate to Policies
In the Branch Policies section select your default branch
Enable any policies that make sense to your use case. Require a minimum number of reviewers might be a good starting point.
Just to understand,
You want to allow your user to store their files on the master branch ? Which tool are they using to upload ? Visual Studio or just drag & drop ?
Anyway you can have some settings on the azure devops by going on
Azure Devops ---> Your Repository --> Branches --> Select the branch you want to modify and click on the 3 dots (...) --> Select Branch Policies
My commit button is not getting enabled after editing Readme file in github.
The reason why the commit button is not enabled is because you are trying to commit to the master branch of the repo, which is protected from making direct commits/push. Only those who have access to make direct commits to master can do that, and you might not have that access. Hence you need to select the second option there to create a new branch to make the commit and create a pull request to the master branch, or get access to directly contribute to that branch.
The branch protection is to ensure that collaborators don't directly push or make commits to the particular branch or delete it, and also allows enabling status checks or required reviews. You can read more about GitHub's branch protection here.
After approving a PR, can a reviewer be allowed to delete the source feature branch (during merging)? feature branch is created off develop branch. We want reviewer to be able to delete feature branch. However, reviewer should not be able to delete develop branch while merging that to master branch.
Is that possible with Azure DevOps? How can we set the branch policy/security to achieve the above?
Addition: feature branch can indeed be deleted provided branch owner is the one completing the PR (there is a checkbox to do that). We want to shift that responsibility to reviewer who does not really own the feature branch. (The checkbox is disabled for reviewer with insufficient permissions message.)
To enable the reviewer the permission to delete the branch, you need to enable the delete branch permission in the Repositories' setting. Please check below steps:
Go to Project settings -> Repos -> Repositories -> Select your repository.
On the Security page of your repository, Search the user you want to grant the delete branch permission in the search box.
On the Security page of the selected user, Set the Force push permission to Allow. Then the delete checkbox for the reviewer will be enabled.
Update:
If you want to enable multiple reviewers the delete permission. You can go to Organization settings, click Permissions under Security, Click New group to create a new Group(eg.Reviewers) and add the reviewers to this group.
Then follow above steps enable the branch deletion permission for this Group. The reveiwers in this Group will automatically inherit this deletion permission.
Having any branch policy on develop would mean that it can't be deleted when completing a PR to master. Branches with policies set are inelgible for deletion as part of PR completion.
If I fork a repository I have permission to that is owned by a company into my personal github, make some changes, make a PR, sometimes my collaborators (the ones in charge of the PR) will click "merge and delete local branch". This deletes the branch out of my private github account. Is there a way to disable this?
If there is no way to disable it, a workaround would be to create a branch referencing the same HEAD as the feature branch used for the PR (and which gets deleted when merged in the original repo).
That would allow you to keep track of that feature branch, even after the PR has been completed.