
Branch Policy Sweeper

This document describes the agreed rules that need to be enforced to ensure branch security across all project repositories in an Azure DevOps organization.

Branch security overview

Permissions must be set on the repository branches to stop users from naming branches outside the policy pattern. Azure Repos can enforce the correct use of branch folders.

The following branch patterns and security rules must be in place:

  1. Contributors cannot create any branch by default
  2. Contributors can create only the develop branch and branches under project/, feature/ and hotfix/
  3. Project administrators can create only the develop branch and branches under project/, feature/ and hotfix/
  4. Project administrators can create branches under release/
  5. Project administrators can create the main branch

The following general rules apply when creating branches:

  1. Contributors and Project administrators must not create branches named just 'project', 'feature', 'release' or 'hotfix'
  2. Such a branch blocks the creation of branches under project/, feature/, release/ and hotfix/, and the block remains even after the offending branch is deleted
  3. If such branches are created by mistake, delete them and raise a support ticket with the Energizers Team to refresh the branch policies
  4. Users can go ahead with creating branches under project/, feature/, release/ and hotfix/ once the policies have been refreshed
  5. 'project', 'feature', 'release' and 'hotfix' are folder names, not branch names

How to apply branch security

  1. A pipeline has been set up to sweep across all repository branches in an Azure DevOps organization.
  2. The pipeline internally runs a PowerShell script that applies the policies.
  3. The pipeline can be set up to run against an Azure DevOps organization configured as a pipeline variable.
  4. The pipeline can be accessed here
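The following PowerShell is added here as an example and is not the sweeper script or pipeline this page refers to: it encodes the branch rules above as a check a user (or a pre-push hook) can run before creating a branch, and builds the branch-folder security token the sweeper would act on. The token layout is an assumption based on the Azure DevOps 'Git Repositories' security namespace, and the project and repository ids are placeholders.

```powershell
# Added example, not the sweeper's own script: checks a proposed branch name for a
# role against the rules on this page and builds the branch-folder security token.
Set-StrictMode -Version Latest
# Names reserved as folders; never valid as bare branch names.
$script:FolderNames = @('project', 'feature', 'release', 'hotfix')

function Test-BranchNameAllowed {
    param(
        [Parameter(Mandatory)] [string] $BranchName,
        [Parameter(Mandatory)] [ValidateSet('Contributor', 'ProjectAdministrator')] [string] $Role
    )
    # Git ref names are case-sensitive, so folders are matched exactly (-c operators).
    if ($script:FolderNames -ccontains $BranchName) { return $false }
    $segments = $BranchName.Split('/')
    $inFolder = $segments.Count -gt 1 -and $segments[-1] -ne ''   # 'feature/' alone is not a branch
    switch ($Role) {
        'Contributor' {
            if ($BranchName -ceq 'develop') { return $true }
            return $inFolder -and ($segments[0] -cin 'project', 'feature', 'hotfix')
        }
        'ProjectAdministrator' {
            if ($BranchName -cin 'develop', 'main') { return $true }
            return $inFolder -and ($segments[0] -cin $script:FolderNames)
        }
    }
}
function Get-BranchSecurityToken {
    # Assumed token format of the 'Git Repositories' security namespace:
    # repoV2/{projectId}/{repoId}/refs/heads/{segment hex}/{segment hex}...
    param([string] $ProjectId, [string] $RepositoryId, [string] $BranchPath)
    $hex = $BranchPath.TrimEnd('/').Split('/') | ForEach-Object {
        -join ([System.Text.Encoding]::UTF8.GetBytes($_) | ForEach-Object { $_.ToString('x2') })
    }
    return "repoV2/$ProjectId/$RepositoryId/refs/heads/$($hex -join '/')"
}

# Self-check with constructed sample names against the rules above.
$cases = @(
    @{ Name = 'feature/login-fix'; Role = 'Contributor';          Expect = $true  },
    @{ Name = 'release/1.2';       Role = 'Contributor';          Expect = $false },
    @{ Name = 'release/1.2';       Role = 'ProjectAdministrator'; Expect = $true  },
    @{ Name = 'feature';           Role = 'ProjectAdministrator'; Expect = $false },
    @{ Name = 'main';              Role = 'Contributor';          Expect = $false }
)
foreach ($c in $cases) {
    $got = Test-BranchNameAllowed -BranchName $c.Name -Role $c.Role
    if ($got -ne $c.Expect) { throw "Rule check failed: $($c.Role) creating '$($c.Name)'" }
}
# Placeholder ids: substitute the real project and repository GUIDs.
Get-BranchSecurityToken -ProjectId '<projectId>' -RepositoryId '<repoId>' -BranchPath 'feature/'
```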

How to create a team

  1. A Medtronic user who is a member of the MDTProductDevelopment organization in Azure DevOps can access the organization at https://dev.azure.com/MDTProductDevelopment
  2. Choose the project, then navigate to Project Settings and select Teams.

  3. Select New Team. Give the team a name and, optionally, add a description, team members and a security group. Note that the user must be a Project Administrator in order to add a new team.

  4. Select the newly created team to configure notifications, dashboard, iterations and area path. Additional tasks such as adding administrators and team members and configuring the team profile can also be done here.

Additional team configurations and settings can be explored in the official Microsoft documentation here

How to add a repo

  1. A Medtronic user who has the Create Repository permission in an Azure DevOps organization can create a repository. This permission is granted by default to all project administrators.
  2. Navigate to a project in the organization. Select Repos -> Files.

  3. From the repo dropdown select New Repository.

  4. Enter a name for the new repo and choose whether to add a README.md file and a .gitignore file on repo creation. Note that the repository is initialized with a main branch by default.

  5. Other ways of creating repositories, such as from IDEs like Visual Studio, can be explored in the official Microsoft documentation here.

How to apply branch policies

  1. Navigate to the project settings -> Repositories
  2. Select the repository that contains the branches the policies should apply to.
  3. Under the Policies tab, choose the required branch.

  4. Alternatively, navigate to Repos -> Branches and select Branch policies from the 'more' option next to a branch name.

  5. Note that the user must belong to a permission group that has the 'Edit Policies' permission.
  6. Turn on the branch policies and select the rules to be applied.

  7. The following are the suggested branch policies that can be applied to all branches (except feature/*):

    • At least 1 reviewer required
    • Requestors can't approve their own changes
    • Must have a linked work item
    • New changes reset approvals
    • Comments must be resolved