
Azure DevOps Branch Policies provide a way to enforce consistent development practices across your team. This includes policies for branch names, permissions, and validation.
To create a branch policy, you must be a member of the Project Collection Administrators group or have the Manage Project Collection permission. This ensures only authorized users can enforce branch policies.
Branch policies can be applied to individual repositories or entire project collections. This allows you to tailor policies to specific projects or implement organization-wide standards.
Azure DevOps allows you to create up to 10 branch policies for a repository. This flexibility enables you to enforce a range of development practices, from simple naming conventions to complex validation rules.
Branch Policy Configuration
Branch Policy Configuration is a powerful feature in Azure DevOps that lets you define rules for a branch, such as requiring that commits be added only through pull requests.
You can also set up a successful build validation or require the approval of a reviewer. This ensures that changes to your code are thoroughly reviewed and validated before they're merged into the branch.
Branches with policies are protected and can't be deleted unless you have been granted the specific permission to do so. This prevents accidental deletion of important branches and helps keep your code safe.
Prerequisites
To set branch policies, you must be a member of the Project Administrators security group or have repository-level Edit policies permissions. For more information, see Set Git repository permissions.
You'll also need to be familiar with Azure DevOps CLI commands, specifically the az repos policy commands, to manage branch policies. This requires following the steps in Get started with Azure DevOps CLI.
Azure DevOps CLI commands aren't supported for Azure DevOps Server, so keep that in mind when planning your branch policy configuration.
The good news is that you can use a default configuration to simplify the process. This involves setting up your organization and project using the `az devops configure` command, like so: `az devops configure --defaults organization=https://dev.azure.com/fabrikamprime project="Fabrikam Fiber"`.
Policy Settings
Policy settings play a crucial role in maintaining the integrity of your codebase. To ensure that teams review and approve pull requests (PRs), you can require a minimum number of reviewers to approve the code. This simple act helps protect the production branch in two key ways: it gives reviewers the chance to find mistakes in code and spot potentially suspicious anomalies.
You can set the policy by going to Branch Policies and setting Require a minimum number of reviewers to On. You can then enter the required number of reviewers and select options such as Prohibit the most recent pusher from approving their own changes to enforce segregation of duties.
Here are the options you can select when setting the policy:
- Allow requestors to approve their own changes: allows a PR's creator to vote on its approval
- Prohibit the most recent pusher from approving their own changes: enforces segregation of duties
- Allow completion even if some reviewers vote to wait or reject: allows PR completion even if some reviewers vote against approval
You can manage the required approver count and these options from the command line with `az repos policy approver-count`.
List
To list all policies in a project, you can use the command `az repos policy list`. This command returns all the branch policies in effect in a specified branch of a repository, such as the main branch of the Fabrikam repository.
You can get the repository ID by running `az repos list`. This will give you the ID needed to specify the repository in the `az repos policy list` command.
Here are the types of policies you can set to lock and standardize your Pull Requests:
- Require a minimum number of reviewers
- Check for linked work items
- Check for comment resolution
- Limit merge types
- Adding a build validation
- Status Checks
- Automatically included reviewers
If you manage policies with Terraform, each of these can be declared in a file such as `repos_policies.tf`, with a depends_on property on each policy declared.
Wildcard Characters for Required Code Reviewers
Wildcard characters for required code reviewers are a powerful tool in Azure Repos. They allow you to match files and folders based on patterns, making it easy to apply policies to specific parts of your repository.

A single asterisk * matches any number of characters, including both forward-slashes / and back-slashes \. This means you can use * to match entire folders or file extensions.
For example, *.sql matches all files with the .sql extension, while /ConsoleApplication/* matches all files under the folder named ConsoleApplication.
You can also use question marks ? to match any single character. This can be useful for matching files with specific names or extensions.
Here are some examples of wildcard patterns you can use:
- *.sql matches all files with the .sql extension.
- /ConsoleApplication/* matches all files under the folder named ConsoleApplication.
- /.gitattributes matches the .gitattributes file in the root of the repo.
- */.gitignore matches any .gitignore file in the repo.
These wildcard patterns can be used in the path-filter field when creating or updating a required reviewer policy. By using these patterns, you can ensure that the right people review the right code, and keep your repository organized and secure.
Code Reviewer Paths Case Sensitivity
Path filters for code reviewer policies aren't case-sensitive, so mismatched capitalization in a path won't cause a filter to miss the files it's meant to cover.
Configured policies are always evaluated for pull request changes, and for users with bypass policy permissions, the reported policy status is advisory only.
If a user with bypass permissions approves, the failure status doesn't block pull request completion.
The Require a minimum number of reviewers policy and the Automatically included reviewers policy have options to Allow requestors to approve their own changes, but these settings apply only to their respective policies.
The implication is that other policies might still prevent you from approving your own changes, even if Allow requestors to approve their own changes is set on one of them.
Path Filters
Path filters are a powerful tool in policy settings, allowing you to specify which files or directories a policy applies to. You can enter absolute paths that start with a forward slash, and even use wildcards to match multiple files or directories.
For example, if you enter `/WebApp/Models/Data.cs`, the policy will only apply to that specific file. If you enter `/WebApp/*`, the policy will apply to all files and directories within the `/WebApp` directory.
You can also use wildcards to match files with specific extensions. For instance, `*.cs` will match any file with a `.cs` extension, regardless of its location in the directory structure.
Multiple paths can be specified by separating them with a semicolon. For example, `/WebApp/Models/Data.cs;/ClientApp/Models/Data.cs` will apply the policy to two specific files.
If a path starts with an exclamation mark, it's excluded from the policy. For example, `!/WebApp/Tests/*` will exclude all files and directories within the `/WebApp/Tests` directory.
The order of filters is significant, so make sure to apply them in the correct order. If you specify `/WebApp/*;!/WebApp/Tests/*`, the policy will apply to all files in `/WebApp` except those in `/WebApp/Tests`.
Here's a summary of the syntax:
- Specify absolute paths starting with a forward slash or a wildcard.
- Use wildcards to match multiple files or directories.
- Separate multiple paths with a semicolon.
- Prefix excluded paths with an exclamation mark.
Remember, the order of filters matters, so apply them from left to right to get the desired results.
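To see how the wildcard rules and the path-filter syntax above combine, here is an added Python example (not code from Azure DevOps or from this page) that evaluates a path filter against the files changed by a pull request. It assumes two things the text leaves implicit: a later entry in the filter overrides an earlier one, and a filter made up only of exclusions covers every other path.

```python
import re


def _compile(entry: str) -> re.Pattern:
    """One filter entry -> case-insensitive regex: '*' matches any run of
    characters (slashes included), '?' exactly one, the rest is literal."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in entry)
    return re.compile(f"^{body}$", re.IGNORECASE)


def path_filter_matches(path: str, path_filter: str) -> bool:
    """True if the policy's path filter covers `path`.

    Entries are ';'-separated, a '!' prefix excludes, and entries apply left
    to right, so the last matching entry decides (assumption, consistent with
    '/WebApp/*;!/WebApp/Tests/*'). An empty filter covers every file.
    """
    entries = [e.strip() for e in path_filter.split(";") if e.strip()]
    if not entries:
        return True
    # Assumption: a filter made up only of exclusions covers everything else.
    covered = all(e.startswith("!") for e in entries)
    for entry in entries:
        excluded = entry.startswith("!")
        if _compile(entry[1:] if excluded else entry).match(path):
            covered = not excluded
    return covered


def files_needing_review(changed_paths, path_filter):
    """Keep only the changed paths that the policy's filter covers."""
    return [p for p in changed_paths if path_filter_matches(p, path_filter)]


# Constructed sample: files touched by a hypothetical pull request.
CHANGED = [
    "/WebApp/Models/Data.cs",
    "/WebApp/Tests/DataTests.cs",
    "/ClientApp/Models/Data.cs",
    "/db/schema.sql",
    "/.gitignore",
    "/ClientApp/.gitignore",
]

if __name__ == "__main__":
    for flt in ("/WebApp/*;!/WebApp/Tests/*", "*.sql", "*/.gitignore", ""):
        print(f"{flt or '<no filter>':32} -> {files_needing_review(CHANGED, flt)}")
```

Running it shows which changed files each filter would pull a required reviewer onto, so you can sanity-check a filter before saving the policy.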
Frequently Asked Questions
How do you protect branches in Azure DevOps?
To protect branches in Azure DevOps, go to Project settings and select Cross-repo policies under Repos. From there, you can add branch protection to safeguard your default or future branches.
What are Branching policies?
Branching policies in Git help isolate work in progress, ensure changes are built before merging, and control who contributes to specific branches, streamlining your development workflow. By implementing branching policies, you can maintain a clean and organized codebase.
How do I check my Azure branch policy status?
To check your Azure branch policy status, navigate to Policies, select a branch, and configure the desired protections on the new screen. This will allow you to view and manage your branch policy settings.