保护Azure Pipeline Yaml文件不被编辑 [英] Protect Azure Pipeline Yaml File from Being Edited

问题描述

当前将我们的管道YAML文件存储在Azure Devops的git仓库中-试图找到一种方法来限制某些用户编辑/访问YAML文件，甚至可能包含YAML文件的文件夹.

我们希望实现额外的安全性，以防止开发人员修改YAML文件以潜在地利用敏感信息或进行我们不批准的更改(我们已制定了PR策略，但希望采取其他安全措施).

理想情况下-我们可以在Azure中设置一个组-添加成员，只有那些成员才能修改包含我们的YAML文件的特定回购文件夹中的文件-不确定是否可行.

解决方案

据我所知，没有这样的现有安全设置可以阻止特定成员修改特定文件或文件夹.

但是，您可以锁定 master 分支，然后为yml文件或特定文件夹之类的特定文件设置分支策略.

请检查该线程

在这种情况下，对master分支的所有更改都将需要请求请求，而对yml文件的更改将需要审阅者进行证明.

Currently storing our pipeline YAML files in our git repo in Azure Devops - trying to find a way to restrict certain users from editting/accessing the YAML file or even possibly a folder that contains the YAML file.

We want to implement additional security to prevent our developers from modifying our YAML files to potential exploit sensitive information or make changes that we don't approve (We have a PR policy in place, but would like additional security measures).

Ideally - we could setup a group in azure - add members, and only those members would be able to modify files inside a specific repo folder that contains our YAML file - not sure if this is possible.

解决方案

As far as i know, there's no such existing security setting that prevent specific members from modifying specific files or folders.

However, you can lock the master branch and then set branch policies for specific files like yml files or specific folders.

Please check this thread Can we lock a file in Azure DevOps? and follow the steps.

The main point is to set "For pull requests affecting these folders" value in "Automatically include reviewers" in "Branch policies".

In this case, all changes to the master branch will need pull request and the change to the yml files will need reviewers to prove it.

这篇关于保护Azure Pipeline Yaml文件不被编辑的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！