Branch policy are always an important factor in protecting your branch and deciding the work flow. Enabling certain branch policies help you always to protect from others being contributing.
As part of quality and to protect your branches, stakeholders always recommend to align with certain git repo policies in Azure Devops. In addition to quality, it helps keep your repos from changing the code from your default branches. By default, ADO has Require a minimum number of reviewers, Check for linked work items, Check for comment resolution, Limit merge types, Build Validation, Status checks..
Why we need Custom policy?
Generally, when a PR is raised if the default polices are enabled then it will be auto applied to a PR. But the users who have permission to alter with polices can alter them and complete the PR which can have serious security and quality impacts. So there is always a question, how to make sure/monitor that all the polices are enabled.
To overcome this, we can create a custom
policy which will act as policy to monitor other policies. The advantage of custom policy is even if the custom policy is not
added to repo policy as required, it will evaluate the policies applied over a
repo and respond against PR as optional policy. This is because the service
hook gets triggered when the PR is PR created and left part all happens in Azure
and not in ADO. When the custom policy executes we can insert the repo
evaluation details to a data base which can be in turn used for reporting on repo
compliances.
What does Custom Policy do?
As mentioned, custom policy will
be utilized to evaluate whether we have all recommended policies enabled over
the repo. If all the policies are enabled, then custom policy will respond back
to PR as passed else if will be failed. Also if the custom policy is enabled as
required policy in repo settings then the user will not be able to complete the
PR unless the custom policy passes based on the evaluation – result of
evaluation whether we all policies enabled.
How it works:
Here, I am going to discuss on
creating a custom policy which will make sure that all these policies are
enabled for Pull request, unless the custom policy passes the developer will
not be able to merge the code. The custom policy will act as mother of all policies.
There are 2 parts for the custom policy to work. I would recommend Azure function and Queue Storage to implement custom policies. First part is you need service hook which triggers when a pull request is created and add the request JSON from service hook to Queue Storage using a http trigger azure function.
When the Queue triggered Azure function runs, it fetches the JSON from Queue storage which was send from service hooks. The JSON will have details like project id, repository id and PR id. Using these data we can use PR evaluation API to get the polices applied over that PR: Evaluations PR .Once the evaluation is completed, we can respond back to PR as Custom Policy : Creating Custom Policy.
Hope this idea helps in monitoring the repository policies and protect your branch!
No comments:
Post a Comment