I'd like to find out if it's possible to prevent users from checking in directly on a branch using TFS 2017, while still allowing a merge-checkin to that branch. It sounds like an oxymoron I know, how can you merge to that branch if you can't checkin?
Anyways, we have a typical dev-qa-prod merging structure. I'd like to allow users to check-in directly on the dev branch. Then on the qa and prod branches, only allow merge-checkins to occur. This is to prevent users who want to "bypass" our deployment model and check changes directly into the prod branch. (This isn't the place to discuss why they're doing that in the first place :-\ )
If something isn't clear, let me know and i'll update the question accordingly.
Thanks.
No, it's not possible.
To check in changes you need the Check in permission (set to Allow)
So you can set permissions for users/groups to prevent users from checking to a specific branch, but at same time the merger-checkin is also prevented.
However you can use the check-in policy to enforce Code Review, that can prevent directly check in on TFS branch. (Before you check in your code, you have to ask someone else from your team to review it.)
You can install the Colin's ALM Checkin Policies VS 2017 on client side. See Enable and Disable Check-In Policies for details:
To enable a check-in policy:
On the Team menu, click Project Settings, and then click Source Control.
In the Source Control Settings dialog box, click the Check-in Policy tab.
In the policy type list, select the policy type you want to enable, and click Enable.
Click OK.
Related
Something has changed on GitHub's branch protection rules page recently (?).
Require approvals is always enabled (in checked state). Is there any way to disable it? Previously, I'm pretty sure this was possible. Now it's confusing, especially since the description says "When enabled, ...", suggesting that there is a way to disable it.
At this time of writing, there seems to be no point for this checkbox to be disabled, because its state does seem to influence the repository settings. It feels like the UI changes to the Branch protection rule page are still a work in progress.
Trick using Dev Tools
You can enable it using your browsers Developer tools and removing the disabled="disabled" attribute of the <input> element, at which point you may uncheck the checkbox.
The dropdown for the required number of approval now disappears.
Once you uncheck it and subsequently save your Branch protection rule, it will reset the required amount of approvals to zero, even though the checkbox resets to its disabled state.
At this point you don't need any approvals to merge into the protected branch.
This trick allows small teams or single developers to continue using Pull Requests to organize their workflow, without enforcing PR approvals.
We have an organization on GitHub that has three contributors. However, we would like to make sure that all changes committed to the codebase in the repositories are approved by all (or a majority) of the owners.
In the past the code in a particular repository was changed before it could be reviewed by the rest of the team. Is there a way to prevent this from happening?
You can configure that in the repository's settings under the "Branches" option.
Specify whatever suits your needs under "Branch name pattern" field and enable "Require pull request reviews before merging". You can then set it up the way you want it to be with the modifier controls there are available.
Since we have many repos in our account, we use Cross-Repository policies for default branch. However, a small number of repos needs a different policy.
Specifically, we have a group that are added as automatic reviewers:
We would like to remove this group and use another group for a limited number of repos.
Is there a way to do that?
Here is the user voice for overwriting branch policies directly for certain repositories. Maybe it will be implemented in the future, but currently there are no way to do it directly.
However there is another way to do it which is also mentioned in MS documentation. You can simply allow for certain teams to bypass some policies in repo settings:
Select repository settings
Select desired repository
Select the team you want to grant this privilege
Set up to Allow three marked fields
This does not solve op question for automatic reviewers, so this can also be worked arround by going to desired repository default branch and adding a different reviewer there. In this case it will be two reviewers, but when making a PR users could simply choose which reviewer they want
How to turn off Cross-Repository policies for default branch for
certain repos
I think is is impossible. So far, there is no such option to control which repos enable the setting and which do not under the policies.
As a workaround, you have to set the policies setting for each repo.
Besides, if this does not meet your requirement, you have to suggest a feature to the Team and they will handle your suggestion carefully.
We have a gentleman who is no longer actively working on a project.
The problem is he is a required reviewer on our Pull Requests.
I have not been able to find a way to remove him, and we cannot complete our pull requests.
I have spent several hours looking at every option that I can find.
Update 10/10 -- We attempted to use the API and remove this reviewer and do another PR, but with no luck yet.
We have even tried having other reviewers approve, but without the other required one it just will not let us complete.
I would be happy to move this question as I know it is not code related, but don't know where to....this is not just a 'what tool do you think is best' question --- we are really in a bind here!
Check Automatically include code reviewers section under Branch policies:
Repos >> Branches >> ... (at your branch) >> Branch policies >> Automatically include code reviewers
If you have access to update them, just delete the unneeded reviewers. If you don't have access, take a look at Branch security, or find a person who has access.
I'm not sure if it will work for current Pull Request, maybe you will need to make it again.
remove a required reviewer from Azure Devops
You need ask someone who has the permissions to Edit policies (Project Administrators) to remove that required reviewer from the Automatically include code reviewers:
Note: You need to check the Branch policies of the branch which you want to merge, for example, you merge from Dev to master, you need check the Branch policies of the master branch.
Then, after remove that required reviewer, you could go back to your pull request and click the X button:
Now, that required reviewer is no needed.
Hope this helps.
Check the branch policy of the parent folder, I was having a similar issue but got resolve when disabling the policy for both the folders.
Is there any rule that can be configured on GitHub that restricts who can force-push? The way it looks right now is that any rule opened on any branch automatically prevents force-pushes to anyone (including administrators). I want to allow force-pushes to specific users/groups (e.g., administrators).
As noted in Tomerfi's answer, since Dec. 2021:
Specify who can force push to a repository
Instead of allowing all or no users to force push, admins can now be selective about who can force push to a repository.
The image below shows how in the past, admins could use a branch protection rule to allow force pushes for everyone or no one, including admins:
Branch protection rule to allow everyone or no one to force push:
This all-or-nothing approach didn't support limiting force pushes to select users or teams of an admin's choosing.
For example, you might have wanted to allow only a few people to force push, or you had an automated process that solely needed to force push.
Now, you can be specific about the people and teams who are allowed to force push.
As shown in the image below, select Allow force pushes and Specify who can force push. Then, search for and select the people and teams who should be allowed to force push.
Branch protection rule to allow everyone, no one, or select users or teams to force push:
For more information, visit Managing a branch protection rule.
Original answer (2019):
You can't directly setup that on GitHub.
You can setup different repositories though:
one where you can force push
one where the branch is protected to everyone.
Then you can make PR (Pull Request) from one repository to another.
This is now actually supported on GitHub:
https://github.blog/changelog/2021-12-21-specify-who-can-force-push-to-a-repository/