Azure DevOps (VSTS) security and policies (part 2)

We had set up some common branch policies in our last post. But how does that really work?

I’ve applied these changes and now will instantiate a change from a normal contributor (for this example, <me>@thinkahead.com is the admin and <me>@gmail.com is a normal user)

Clone the repository:

Clone repo
  1. Note: you can Generate Git Credentials if you want to clone with a token instead of your real password (useful in federated accounts or shared / ephemeral machines)
  2. You can also clone into VS Code directly
C:\Users\isaac\Documents\Workspaces>git clone https://ijohnson-thinkahead.visualstudio.com/idj-ta-example/_git/idj-ta-example
Cloning into 'idj-ta-example'...
remote: Azure Repos
remote: Found 79 objects to send. (69 ms)
Unpacking objects: 100% (79/79), done.

C:\Users\isaac\Documents\Workspaces>cd idj-ta-example

C:\Users\isaac\Documents\Workspaces\idj-ta-example>git checkout
Your branch is up to date with 'origin/develop'.

Let’s create some files and attempt to push them

C:\Users\isaac\Documents\Workspaces\idj-ta-example>git status
On branch develop
Your branch is up to date with 'origin/develop'.

Untracked files:
  (use "git add <file>..." to include in what will be committed)

        .gitignore
        README.md

nothing added to commit but untracked files present (use "git add" to track)

C:\Users\isaac\Documents\Workspaces\idj-ta-example>git add .gitignore

C:\Users\isaac\Documents\Workspaces\idj-ta-example>git add README.md

C:\Users\isaac\Documents\Workspaces\idj-ta-example>git status
On branch develop
Your branch is up to date with 'origin/develop'.

Changes to be committed:
  (use "git reset HEAD <file>..." to unstage)

        new file:   .gitignore
        new file:   README.md
        

Now let's commit and push:

C:\Users\isaac\Documents\Workspaces\idj-ta-example>git commit -m "new files"
[develop b16610d] new files
 2 files changed, 475 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 README.md

C:\Users\isaac\Documents\Workspaces\idj-ta-example>git push
Counting objects: 4, done.
Delta compression using up to 8 threads.
Compressing objects: 100% (3/3), done.
Writing objects: 100% (4/4), 3.71 KiB | 3.71 MiB/s, done.
Total 4 (delta 0), reused 0 (delta 0)
remote: Analyzing objects... (4/4) (7 ms)
remote: Storing packfile... done (215 ms)
remote: Storing index... done (111 ms)
To https://ijohnson-thinkahead.visualstudio.com/idj-ta-example/_git/idj-ta-example
 ! [remote rejected] develop -> develop (TF402455: Pushes to this branch are not permitted; you must use a pull request to update this branch.)
error: failed to push some refs to 'https://ijohnson-thinkahead.visualstudio.com/idj-ta-example/_git/idj-ta-example'

So what happened? Why were we blocked?

Because we have a branch policy set, as the error states “Pushes to this branch are not permitted; you must use a pull request to update this branch”.

We are required to only commit to “develop” through the mechanism of Pull Requests.

Branches and Pull Requests:

We can create a feature branch and push our commit quite easily:

C:\Users\isaac\Documents\Workspaces\idj-ta-example>git checkout -b feature/1234-a-quick-change
Switched to a new branch 'feature/1234-a-quick-change'

C:\Users\isaac\Documents\Workspaces\idj-ta-example>git push
fatal: The current branch feature/1234-a-quick-change has no upstream branch.
To push the current branch and set the remote as upstream, use

    git push --set-upstream origin feature/1234-a-quick-change


C:\Users\isaac\Documents\Workspaces\idj-ta-example>git push --set-upstream origin feature/1234-a-quick-change
Counting objects: 4, done.
Delta compression using up to 8 threads.
Compressing objects: 100% (3/3), done.
Writing objects: 100% (4/4), 3.71 KiB | 3.71 MiB/s, done.
Total 4 (delta 0), reused 0 (delta 0)
remote: Analyzing objects... (4/4) (14 ms)
remote: Storing packfile... done (121 ms)
remote: Storing index... done (77 ms)
To https://ijohnson-thinkahead.visualstudio.com/idj-ta-example/_git/idj-ta-example
 * [new branch]      feature/1234-a-quick-change -> feature/1234-a-quick-change
Branch 'feature/1234-a-quick-change' set up to track remote branch 'feature/1234-a-quick-change' from 'origin'.

Now when we log into Azure DevOps and browse the Repo as our standard user, we see we are prompted to create a PR:

the blue text lets us create a PR from the Repos file view

Here we can give a title, description and see the files changed.  We can also add reviewers (and if there were required ones in our branch policy they would be added here as well):

PR Creation Window

Our pull request is now active and we see it listed under Repos/Pull requests.  However, we can see that we have some unmet policies:

Policies are on the upper right pane

One neat item we can do is “Auto-Complete”, which we will explore that after adding a work item.

To add a work item, we go to Boards and then to Work Items to create one - ideally i should have already had a Work Item in place before starting a change.

Creating a Work Item
An example Feature

Once saved, we can see the ID

Now back in the PR i can click “+” in the Work Items section on the right and add this WI

Click the plus sign (shown as "-" above) then type in the ID to add it.

Once added we can see how that policy is met:

Policies with some met