I want to protect my execution server from actions workflows changes. Therefore i created the actions in dedicated repo and granted readonly permission for the collaborators.
The problem is that they now can not execute the workflow manually...
How can i solve that problem? I want that only DevOps will be able to change and create workflows but every developer will be allowed to run it.
Related
Is it possible for a specific user to bypass the review policies of a pull request?
For my specific scenario I am running NuKeeper on a pipeline and my Build Service user is successfully creating a pull request, but I'd like any PRs raised by this user to automatically bypass the required reviewers (but still go through the checks e.g. my build and test stage) - Is this possible?
The only other workaround I could think of would be to have a scheduled "master" pipeline which iterates over my repos and just merges all open pull requests from that particular user.
Is it possible for a specific user to bypass the review policies of a pull request?
You could add a account with higher permission, set Bypass policies when completing pull requests as Allow:
When we use this account to create a PR, this account can complete the PR directly without the approval of the reviewer.
Besides, there are a couple of ways to set up bypassing depending on how broadly you want to give someone rights to bypass. We are going to start with the narrower option which is allowing bypass for an individual branch or we could set it at the repo level.
You could check the document Azure DevOps Repos: Bypass Branch Policies for some more details.
Set approval process to delete any project/repos of Azure DevOps(ADO).
I have multiple owners in my private Azure Devops. From the docs it appears that any individual owner/users can go rogue and delete the entire Azure project/repo from existence though i know it can be restore easily in Azure devops within 28 days, But still I'd like to prevent that from happening.
Is there any way to set up Azure Devops user/group permissions such that deleting the repo requires the approval of its owners ? Kindly suggest if I missed the Azure docs if this feature is already there ?
Making myself the sole owner is not a viable solution, as I want to prevent myself (or an unauthorised user of my account) from having this power, too. So need to implement the approval process for this.
From below SS you can see it is not expecting any approval while deleting the whole project.
I'm afraid there is no such feature to approve delete request. However, you can set the delete permission of users to deny.
Project:
If you want to delete a project, you must be a member of the Project Collection Administrators group or have the Delete team project permission set to Allow.
You can set this permission to deny if you don’t want other users to delete the project. Members in Project Administrators Group can manage permissions or groups at the project level and their delete project permission is allow by default.
Repositories:
You can set the delete repository permission of users to deny.
In addition, for most groups and almost all permissions, Deny overrides Allow. For members of the Project Collection Administrators or Team Foundation Administrators groups, Deny doesn't trump Allow.
Unfortunately, you read correctly. There isn't a way to require approval prior to repo deletion.
However, what you can do is create a group of users that you would want to be prevented from deleting repos and update the repo permissions to include an explicit deny for the "Delete Repository" permission:
For a public repository, in github actions, assume my action runs on a compute in azure. I am confused on how i can protect the azure auth details if the CI pipeline has to run in azure.
Lets say to use this action, i have to use a secret and i set an environment variable's value to be the secret - have I not lost the point of having a secret? A malicious user can send a PR that prints the value of the environment variable :
user_password: {{secret.USER_PASSWORD}}
User code:
print(os.environment['user_password'])
The malicious user does not have to guess since the workflow is public and he knows which env var has the secret.
Where am i wrong?
GitHub, like other CI providers, redacts most secrets from the logs. It considers a variety of formats and tries to scrub them. However, in general, you should be careful to avoid printing them to the logs because no system is foolproof and not every possible encoding can be considered.
If you're worried about forked repositories trying to access your secrets, they can't; that's specifically not allowed for the reason you describe. So if someone opens a PR against your repository, they won't be able to access the secrets unless the branch is in your repository (in which case, don't grant that person write access to your repo). It's presumed that you'll perform basic code review to catch any malicious code before merging, so a bad actor won't be able to run any code with the secrets for your repository.
In general, though, using environment variables as a way to pass secrets to programs is a best practice, assuming the running system and programs are trusted. Other users on the system cannot see the environment, and in a CI system the system and programs are assumed to be trusted.
I have set up a GitHub workflow to send a POST request every 3 hours. What happens when somebody forks my repository on GitHub? Now there would be two repositories with the same workflow. Is GitHub going to send 2 requests every 3 hours? How can I prevent this?
To my knowledge, this should not disturb your scheduled build.
Even though they have your workflow file, they will not have access key to send the request if you have maintained the key outside the workflow file.
Some references:
https://github.community/t5/GitHub-Actions/Stop-github-actions-running-on-a-fork/td-p/51499
https://github.community/t5/GitHub-Actions/Protecting-github-workflows/td-p/30290
https://help.github.com/en/github/administering-a-repository/disabling-or-limiting-github-actions-for-a-repository
https://help.github.com/en/github/getting-started-with-github/fork-a-repo
Is there a way to restrict code reviews being assigned to a "Service account" in in Azure DEVOPS?
There's no direct permission node can make you achieve the code review restrict.
But since the prerequisite for Code review is that you must have Read Repos files permissions, you can make use of one work around: restrict its Read permission of repos.
To better manage the service accounts you mentioned, you can add them into one group firstly. (Here name it Service group)
Then go Project setting -> Repositories, click on the Git repositories or one specified repos (this depend on which repos's code review you want to restrict).
Search and add the Service group, and then set its Read permission as Deny.