Github branch protection questions and codeowners file - github

I have several questions on Github security
(1) For protected branches, are the Maintain role and the Admin role the only ones that can merge to them? I noticed Write can't do it.
(2) If I had a Team that had Maintain Access to my repo, why would I need that same team in CODEOWNERS file for approval? What is the use-case for using CODEOWNERS file then?
(3) Is there any way to enforce approval from the CODEOWNERS file, and not users who have WRITE or MAINTAIN access? Seems like those two groups can approve a PR also.

Regarding the first point ("For protected branches, is the Maintain Role, and the Admin role the only ones that can merge to it?"), since Feb. 2023, you have a new option/role:
Manage branch protection rules with a new permission (Feb. 2023)
You can now create a custom role to manage branch protections without having to grant the Admin role.
Previously, to manage branch protections you had to be an Admin which provides additional permissions that may not be needed.
For tighter control of Admin permissions, you can now craft a custom role that has the Edit repository rules permission, allowing just the right amount of access.
This permission grants the ability to create, edit, and delete both branch protection rules and protected tags.
For more information, visit Managing custom repository roles for an organization in the GitHub documentation.
We appreciate feedback on this in GitHub's public feedback discussions.

Related

How to give the "Merge pull requests on protected branches, even if there are no approving reviews" permission to a role?

I would like to create a custom role in Github that inherits from the "Maintain" role and add the ability to merge pull requests without approvals. However, I do not want to give that role the permission to directly push to a branch. People with that role still have to create a pull request first.
The Github docs show the following permission, which only administrators have:
What is the name of that permission when I want to add it to a custom role? I can only find "bypass branch protections", but from my understanding that would give the role the permission to directly push to protected branches.

Enforce naming/folder pattern while creating branch in Azure Repos

I want to enforce a policy on my Azure repository where branch names should start only with feature/* or hotfix/* etc. If any other name is given, it should not be possible to create a branch with that name.
So feature/test should be created, but test should not.
Can you please help for it?
Thanks
I am afraid that there is no out-of-the-box method that can enforce a policy on the repo name.
As a workaround, you can restrict users to only create branches under feature by setting repo permissions.
You can use the tf command to achieve the goal:
1. Block the Create Branch permission at the repository root for the project's contributors.
tf git permission /deny:CreateBranch /group:[FabrikamProject]\Contributors /collection:https://dev.azure.com/fabrikam-fiber/ /teamproject:FabrikamProject /repository:FabrikamRepo
2. Allow users/groups to create branches under feature.
tf git permission /allow:CreateBranch /group:[FabrikamProject]\Contributors /collection:https://dev.azure.com/fabrikam-fiber/ /teamproject:FabrikamProject /repository:FabrikamRepo /branch:feature
If you want to limit individual users instead, change /group: to /user:.
For more detailed info, you can refer to this doc: Require branches to be created in folders
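As an added example that is not part of the answer above, here is a client-side git pre-push hook (POSIX sh) that refuses to push branches named outside the feature/ and hotfix/ folders the question asks about. It assumes a standard git client and nothing Azure-specific; because any user can skip local hooks, it is only a convenience check, and the folder-based CreateBranch permissions above remain the enforced control.

```shell
#!/bin/sh
# Added example, not from the original answer: client-side pre-push hook that
# rejects branch names outside feature/<name> and hotfix/<name>.
# Install by copying to .git/hooks/pre-push and making it executable.
# Not server-enforced: a user can bypass it, so repo permissions stay the real control.

# Return 0 if the branch name follows the feature/ or hotfix/ folder policy, 1 otherwise.
branch_name_allowed() {
    name="$1"
    case "$name" in
        feature/?*|hotfix/?*) ;;   # allowed folders; at least one character after the slash
        *) return 1 ;;
    esac
    # A few shapes git itself rejects, so the hook fails early with a clear message.
    case "$name" in
        *..*|*//*|*/|*.lock|*" "*) return 1 ;;
    esac
    return 0
}

# git feeds pre-push lines of: <local ref> <local sha> <remote ref> <remote sha>
# Reads those lines from stdin; returns 0 if every pushed branch is allowed, 1 if any is not.
check_push_refs() {
    status=0
    while read -r local_ref local_sha remote_ref remote_sha; do
        [ -n "$remote_ref" ] || continue
        case "$remote_ref" in
            refs/heads/*) branch="${remote_ref#refs/heads/}" ;;
            *) continue ;;   # tags and other refs are outside the branch-name policy
        esac
        if ! branch_name_allowed "$branch"; then
            echo "pre-push: branch '$branch' must be named feature/<name> or hotfix/<name>" >&2
            status=1
        fi
    done
    return $status
}

# Only consume stdin when git invokes this file as the pre-push hook.
if [ "$(basename "$0")" = "pre-push" ]; then
    check_push_refs
    exit $?
fi
```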

Set approval process to delete any project or repos of Azure Devops

Set approval process to delete any project/repos of Azure DevOps(ADO).
I have multiple owners in my private Azure DevOps. From the docs it appears that any individual owner/user can go rogue and delete the entire Azure project/repo from existence. I know it can be restored easily in Azure DevOps within 28 days, but still I'd like to prevent that from happening.
Is there any way to set up Azure DevOps user/group permissions such that deleting the repo requires the approval of its owners? Kindly suggest if I missed the Azure docs and this feature is already there.
Making myself the sole owner is not a viable solution, as I want to prevent myself (or an unauthorised user of my account) from having this power, too. So I need to implement an approval process for this.
From the screenshot below you can see it is not expecting any approval while deleting the whole project.
I'm afraid there is no such feature to approve delete requests. However, you can set the delete permission of users to Deny.
Project:
If you want to delete a project, you must be a member of the Project Collection Administrators group or have the Delete team project permission set to Allow.
You can set this permission to Deny if you don't want other users to delete the project. Members of the Project Administrators group can manage permissions or groups at the project level, and their Delete team project permission is Allow by default.
Repositories:
You can set the delete repository permission of users to deny.
In addition, for most groups and almost all permissions, Deny overrides Allow. For members of the Project Collection Administrators or Team Foundation Administrators groups, Deny doesn't trump Allow.
Unfortunately, you read correctly. There isn't a way to require approval prior to repo deletion.
However, what you can do is create a group of users that you would want to be prevented from deleting repos and update the repo permissions to include an explicit deny for the "Delete Repository" permission:

Can't add project user as PR reviewer

In Azure DevOps, I'm trying to add a user as required reviewer on a PR, but I get this message:
The reviewer 'reviewer_name' does not have permission to view this pull request
I can see that they are a contributor, and have the same repo permissions as I do
What can I check to ensure they have the correct permissions set up?
I can see that they are a contributor, and have the same repo permissions as I do
According to your description, these users should only have Stakeholder access.
Actually, to contribute to a pull request you need to be qualified in two things: permission and access level.
A user with the Stakeholder access level will not be able to use Azure Repos for your private project.
Of course, he is also not able to view any pull request in Azure Repos.
You could check this info under Organization Settings -> Users -> Access Level.
For more detail on the concept, you could refer to the official link: Get started as a Stakeholder
Please change the user's access level to Basic or above; then this user should be able to see and access these repos and view pull requests.
Note: To change access level, you must have Project Collection Administrator or organization Owner permissions in Azure DevOps.
The permissions required to work on pull requests are Contribute/Contribute to pull requests, as found at: Set Repository Permissions
This can be set under Project Settings > Repository > Target Group > Access Control Summary screen.
Check the permissions at the repo level, since they have to be set on the repo.
In my case it was because that particular user was set as a Stakeholder at the organisation level.
Even though they were a project administrator, I had to upgrade their organisation permissions to Basic access.

How to restrict Service accounts from performing a code review?

Is there a way to restrict code reviews from being assigned to a "Service account" in Azure DevOps?
There's no direct permission node that lets you achieve the code review restriction.
But since the prerequisite for code review is that you must have the Read repos files permission, you can make use of one workaround: restrict its Read permission on repos.
To better manage the service accounts you mentioned, you can add them into one group first. (Here, name it Service group.)
Then go to Project Settings -> Repositories, and click on Git repositories or one specific repo (this depends on which repo's code reviews you want to restrict).
Search and add the Service group, and then set its Read permission to Deny.