Enforce naming/folder pattern while creating branch in Azure Repos - azure-devops

I want to enforce a policy on my Azure repository where a branch name may only start with feature/* or hotfix/*, etc. If any other name is given, it should not be possible to create a branch with that name.
So feature/test should be created, but test should not.
Can you please help with this?
Thanks

I am afraid that there is no out-of-the-box method that can enforce a policy on the repo name.
As a workaround, you can restrict users to only create branches under feature by setting repo permissions.
You can use the tf command to achieve the goal:
1. Block the Create Branch permission at the repository root for the project's contributors.
tf git permission /deny:CreateBranch /group:[FabrikamProject]\Contributors /collection:https://dev.azure.com/fabrikam-fiber/ /teamproject:FabrikamProject /repository:FabrikamRepo
2. Allow users/groups to create branches under feature.
tf git permission /allow:CreateBranch /group:[FabrikamProject]\Contributors /collection:https://dev.azure.com/fabrikam-fiber/ /teamproject:FabrikamProject /repository:FabrikamRepo /branch:feature
If you want to limit specific users, you can change /group: to /user:.
For more detailed info, you can refer to this doc: Require branches to be created in folders
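The tf commands above handle one folder. As an added example (not part of the answer, and not Microsoft's code), the same layout applied with the az devops CLI for several folders at once, which is closer to what the question asks for (feature/*, hotfix/*, ...): an explicit Deny of CreateBranch on the repository root token, then an explicit Allow on each folder token. The org URL, project/repo ids and the group descriptor are placeholders; the "Git Repositories" namespace id, the CreateBranch bit (16) and the UTF-16LE hex encoding of ref names inside security tokens are fixed Azure DevOps values.

```shell
#!/bin/sh
# Added example: deny CreateBranch at the repo root, allow it under chosen
# folders, using `az devops security permission update` instead of tf.
# Placeholders: ORG_URL, PROJECT_ID, REPO_ID, SUBJECT (a user email or a group
# descriptor from `az devops security group list`; the CLI does not take the
# [Project]\Group display name that tf accepts).
set -e

# Fixed Azure DevOps values (not placeholders)
GIT_NAMESPACE="2e9eb7ed-3c0a-47d4-87c1-0ffdd275fd87"  # "Git Repositories" security namespace
CREATE_BRANCH_BIT=16                                  # CreateBranch permission bit

# Ref names inside a security token are hex-encoded UTF-16LE, one path segment
# at a time: "main" -> 6d00610069006e00. This encoder handles ASCII names only.
hex_segment() {
  s=$1
  while [ -n "$s" ]; do
    rest=${s#?}            # everything after the first character
    c=${s%"$rest"}         # the first character itself
    printf '%02x00' "'$c"  # code point in hex, then the UTF-16LE high byte
    s=$rest
  done
  printf '\n'
}

# branch_token PROJECT_ID REPO_ID [FOLDER[/SUBFOLDER]] -> security token.
# Without a folder the token addresses the repository root.
branch_token() {
  token="repoV2/$1/$2"
  if [ -n "${3:-}" ]; then
    token="$token/refs/heads"
    old_ifs=$IFS; IFS=/
    for seg in $3; do
      token="$token/$(hex_segment "$seg")"
    done
    IFS=$old_ifs
  fi
  printf '%s\n' "$token"
}

# restrict_branch_folders ORG_URL PROJECT_ID REPO_ID SUBJECT FOLDER...
# Step 1: explicit Deny on the root token. Step 2: explicit Allow on each
# folder token; the folder-level Allow overrides the inherited root Deny,
# which is exactly what the two tf commands above rely on.
restrict_branch_folders() {
  org=$1; project_id=$2; repo_id=$3; subject=$4; shift 4
  az devops security permission update --org "$org" --id "$GIT_NAMESPACE" \
    --subject "$subject" --token "$(branch_token "$project_id" "$repo_id")" \
    --deny-bit "$CREATE_BRANCH_BIT" --merge true
  for folder in "$@"; do
    az devops security permission update --org "$org" --id "$GIT_NAMESPACE" \
      --subject "$subject" --token "$(branch_token "$project_id" "$repo_id" "$folder")" \
      --allow-bit "$CREATE_BRANCH_BIT" --merge true
  done
}

# Runs only when invoked with "apply"; replace the placeholders first.
if [ "${1:-}" = "apply" ]; then
  restrict_branch_folders "https://dev.azure.com/fabrikam-fiber" \
    "PROJECT_ID" "REPO_ID" "vssgp.GROUP_DESCRIPTOR" feature hotfix release
fi
```

Look up the ids with `az devops project show` and `az repos show`, and the group descriptor with `az devops security group list`. Because the Deny is explicit on the root, anyone in the group who also receives CreateBranch through another group inherits the folder-only restriction, so check effective permissions for service accounts that belong to several groups before rolling this out.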

Related

Github branch protection questions and codeowners file

I have several questions on Github security
(1) For protected branches, is the Maintain Role, and the Admin role the only ones that can merge to it? I noticed Write can't do it.
(2) If I had a Team that had Maintain Access to my repo, why would I need that same team in CODEOWNERS file for approval? What is the use-case for using CODEOWNERS file then?
(3) Is there any way to enforce approval from the CODEOWNERS file, and not users who have WRITE or MAINTAIN access? Seems like those two groups can approve a PR also.
Regarding the first point ("For protected branches, is the Maintain Role, and the Admin role the only ones that can merge to it?"), since Feb. 2023, you have a new option/role:
Manage branch protection rules with a new permission (Feb. 2023)
You can now create a custom role to manage branch protections without having to grant the Admin role.
Previously, to manage branch protections you had to be an Admin which provides additional permissions that may not be needed.
For tighter control of Admin permissions, you can now craft a custom role that has the Edit repository rules permission, allowing just the right amount of access.
This permission grants the ability to create, edit, and delete both branch protection rules and protected tags.
For more information, visit Managing custom repository roles for an organization in the GitHub documentation.
We appreciate feedback on this in GitHub's public feedback discussions.

Bypass build validation policy on branch and autocomplete for some users in Azure DevOps

I want to bypass the branch policy such that when a particular allowed user creates a PR in Azure DevOps, it bypasses the branch policy and auto-completes.
I need a bash task for this.
Any help would be appreciated. Thanks
I want to bypass the branch policy such that when a particular allowed user creates a PR in Azure DevOps, it bypasses the branch policy and auto-completes.
You could set the Bypass branch policies permission:
Bypass permissions let you push changes to a branch directly, or complete pull requests that don't satisfy branch policies. You can grant bypass permissions to a user or group. You can scope bypass permissions to an entire project, a repo, or a single branch.
You could go to Project settings, under Repos select Repositories, and then find the Branches node under the project you want to set the policy for:
Note: it will bypass all branch policies, not only the build validation policy on the branch.
You could check the document Azure DevOps Repos: Bypass Branch Policies for more details.
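The question also asks for a bash task. As an added example (not part of the answer above, and not Microsoft's code), a script for a Bash pipeline step that creates the PR with auto-complete and adds --bypass-policy only when the pipeline's requester is on an allow list. The allow-list addresses and branch variables are assumptions; the `az repos pr create` flags are real. One caveat the answer implies: the bypass is enforced server-side against the identity behind the token (the build service when AZURE_DEVOPS_EXT_PAT is $(System.AccessToken), or the PAT owner), so that identity needs the bypass permission described above, and the allow-list check in the script is then the only thing gating who triggers it.

```shell
#!/bin/sh
# Added example: Bash task that opens a PR with auto-complete and bypasses
# branch policies only for allow-listed requesters. Assumed: the allow list,
# SOURCE_BRANCH/TARGET_BRANCH variables, and AZURE_DEVOPS_EXT_PAT set to a PAT
# or $(System.AccessToken) whose identity holds "Bypass policies when
# completing pull requests" on the target branch.
set -e

# Constructed allow list (comma-separated); in a real pipeline keep it in a
# variable group rather than in the script.
ALLOWED_BYPASS_USERS="${ALLOWED_BYPASS_USERS:-release-manager@example.com,sre-oncall@example.com}"

# is_bypass_user EMAIL -> exit 0 when EMAIL is on the allow list (exact match,
# delimited by commas so that prefixes and suffixes do not match)
is_bypass_user() {
  case ",$ALLOWED_BYPASS_USERS," in
    *",$1,"*) return 0 ;;
    *)        return 1 ;;
  esac
}

# create_pr REQUESTER SOURCE_BRANCH TARGET_BRANCH
# Always requests auto-complete; adds --bypass-policy only for allow-listed
# requesters. Everyone else gets a normal PR that waits for the policies.
# Add --org/--project/--repository when not running inside the repo checkout.
create_pr() {
  requester=$1; src=$2; dst=$3
  set -- az repos pr create \
    --source-branch "$src" --target-branch "$dst" \
    --title "Automated PR: $src -> $dst" \
    --auto-complete true --delete-source-branch true
  if is_bypass_user "$requester"; then
    set -- "$@" --bypass-policy true \
      --bypass-policy-reason "Requester $requester is on the bypass allow list"
  fi
  "$@"
}

# In a pipeline, Build.RequestedForEmail is exposed to bash as
# BUILD_REQUESTEDFOREMAIL. Runs only when invoked with "run".
if [ "${1:-}" = "run" ]; then
  create_pr "${BUILD_REQUESTEDFOREMAIL:?}" "${SOURCE_BRANCH:?}" "${TARGET_BRANCH:-main}"
fi
```

Keep the allow list in a variable group that only pipeline administrators can edit; if it sits in the repository, anyone with Contribute on the branch the pipeline runs from can add themselves to it.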

Can't add project user as PR reviewer

In Azure DevOps, I'm trying to add a user as required reviewer on a PR, but I get this message:
The reviewer 'reviewer_name' does not have permission to view this pull request
I can see that they are a contributor, and have the same repo permissions as I do
What can I check to ensure they have the correct permissions set up?
I can see that they are a contributor, and have the same repo permissions as I do
According to your description, these users should only have Stakeholder access.
Actually, to contribute to a pull request you need to satisfy two things: permission and access level.
A user with the Stakeholder access level will not be able to use Azure Repos in your private project.
Of course, he is also not able to view any pull request in Azure Repos.
You could check this info from Organization Settings -> Users -> Access Level.
For more details on the concept, you could refer to our official link: Get started as a Stakeholder
Please change the user's access level to Basic or above; then this user should be able to see and access these repos and view pull requests.
Note: To change access level, you must have Project Collection Administrator or organization Owner permissions in Azure DevOps.
The permissions required to perform pull request operations are Contribute / Contribute to pull requests, as found at: Set Repository Permissions
This can be set under Project Settings > Repository > Target Group > Access Control Summary screen.
Check the permissions at the repo level, since it has to be set on the repo.
In my case it was because that particular user was set as a Stakeholder at the organisation level.
Even though they were a project administrator, I had to upgrade their organisation permissions to Basic access.
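The answers above all come down to the same first check: the user's organization access level, which repo permissions cannot override. As an added example (not from any of the answers), a script that performs that check from the CLI with `az devops user show`, so it can be run for a list of reviewers before touching repo permissions. It assumes the az devops extension is installed and authenticated with an identity that can read organization users; the org URL is a placeholder.

```shell
#!/bin/sh
# Added example: check a user's access level before investigating repo
# permissions. Assumed: az devops extension, authentication via `az login`
# or AZURE_DEVOPS_EXT_PAT, and an ORG_URL placeholder.
set -e

# access_level ORG_URL EMAIL -> prints accountLicenseType as reported by
# `az devops user show`, e.g. "stakeholder" or "express".
access_level() {
  az devops user show --org "$1" --user "$2" \
    --query 'accessLevel.accountLicenseType' -o tsv
}

# can_use_repos ORG_URL EMAIL -> exit 0 unless the user cannot use Azure Repos.
# "express" is the license type behind the "Basic" display name, which is the
# value the check above is really looking for; "stakeholder" and "none" both
# leave the user unable to see pull requests in a private project.
can_use_repos() {
  level=$(access_level "$1" "$2")
  case "$level" in
    stakeholder) echo "$2: Stakeholder, cannot view PRs in private repos"; return 1 ;;
    none|"")     echo "$2: no access level assigned"; return 1 ;;
    *)           echo "$2: $level (Basic or higher), now check repo permissions"; return 0 ;;
  esac
}

# Runs only when invoked as: script.sh check ORG_URL EMAIL...
if [ "${1:-}" = "check" ]; then
  org=$2; shift 2
  for email in "$@"; do can_use_repos "$org" "$email" || true; done
fi
```

Only once this reports Basic or higher is it worth reading the repository ACL for Read and Contribute to pull requests, as the other answers describe.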

How to block a user from reading another user's branch in Azure DevOps?

I want to block User A from reading User B's branches.
How can I do that in Azure DevOps? There is no suitable option.
Yes, you are right. Consider using forks: Forks. Then you can restrict read access to the new repo: Set Git repository permissions

How to update branch protection using Terraform without a remote branch in GitHub?

I need to create the CI/CD pipelines and protect some specific branches in GitHub for a lot of repositories. But if the remote branch doesn't exist, I get an error.
It works only if I have already created the remote branch in GitHub. But I need to do it all through Terraform or in an automated way.
# Configure the GitHub Provider
provider "github" {
token = "${var.github_token}"
organization = "${var.github_organization}"
}
# Protect the CI/CD branch of the foo repository
resource "github_branch_protection" "foo" {
repository = "foo"
branch = "staging"
enforce_admins = true
required_pull_request_reviews {
required_approving_review_count = 2
}
}
Terraform result with GITHUB remote branch:
github_branch_protection.foo: Creating...
github_branch_protection.foo: Creation complete after 3s [id=foo:staging]
Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
(Actual error) Terraform result without GITHUB remote branch:
Error: PUT https://api.github.com/repos/jetprogramming/foo/branches/staging/protection: 404 Branch not found []
You cannot do this, as branch protection is a property of a branch. If the branch does not exist, you cannot enable its branch protection property, as you cannot set a property of a non-existing object. This feature was introduced because in GitHub flow it is common practice to protect the master branch (which is created when you create the repository), so that the only way to introduce changes to it is through a pull request that needs to be approved first.
What you can do for now (as a temporary solution) is to first create the repository (with Terraform), then create the branches (with some script using the GitHub API), and then enable branch protection with Terraform.
Furthermore, I would also recommend you describe your use case in an issue on the GitHub page of the Terraform GitHub provider and request a feature to create branches, which should solve your problem.
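The "script using the GitHub API" step from the answer above, as an added example (not the answerer's code): it creates the branch from the tip of an existing branch via the `gh` CLI, is idempotent so it can run on every pipeline execution, and is followed by the Terraform apply that attaches github_branch_protection. Owner, repository and branch names are placeholders taken from the question; it assumes `gh` is authenticated (GH_TOKEN or `gh auth login`) with write access to the repository.

```shell
#!/bin/sh
# Added example: seed a branch through the GitHub API before Terraform applies
# github_branch_protection to it. Placeholders: owner, repo, branch names.
set -e

# branch_exists OWNER REPO BRANCH -> exit 0 if refs/heads/BRANCH exists
# (gh api exits non-zero on a 404, which is all we need here)
branch_exists() {
  gh api "repos/$1/$2/git/ref/heads/$3" >/dev/null 2>&1
}

# ensure_branch OWNER REPO BRANCH FROM -> creates BRANCH at the current tip of
# FROM when it is missing; prints the ref either way for the CI log.
ensure_branch() {
  owner=$1; repo=$2; branch=$3; from=$4
  if branch_exists "$owner" "$repo" "$branch"; then
    printf 'refs/heads/%s (already exists)\n' "$branch"
    return 0
  fi
  sha=$(gh api "repos/$owner/$repo/git/ref/heads/$from" --jq '.object.sha')
  gh api -X POST "repos/$owner/$repo/git/refs" \
    -f ref="refs/heads/$branch" -f sha="$sha" --jq '.ref'
}

# Order in CI: create the repository (terraform), seed the branch, then apply
# the protection resource. The source branch defaults to the repository's
# initial branch, assumed here to be "master" as in the question's era.
if [ "${1:-}" = "run" ]; then
  ensure_branch "jetprogramming" "foo" "staging" "${FROM_BRANCH:-master}"
  terraform apply -auto-approve -target=github_branch_protection.foo
fi
```

Later versions of the Terraform GitHub provider added a github_branch resource, so on a current provider the branch can be created in the same configuration and the protection resource can depend on it, which removes the need for this pre-step.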
If it's a brand new repository being created by Terraform, you can get around this by setting
default_branch = "staging"
and
auto_init = true
That way the branch will exist.
It's not elegant, and I don't like it... but it does work around the issue.
If your repo already exists, do not set auto_init = true, or your repo will be destroyed and recreated.