54

We have branch policies set up in VSTS to prevent pull requests being merged into master unless a build passes and work items are linked. However, I can't work out how to prevent developers pushing directly to master. Setting the "Contribute" permission to Deny does not allow pull requests to be merged.

All developers should be allowed to merge PRs into master but none should be permitted to push directly to master. Is this possible?

David H
  • 912
  • 1
  • 8
  • 9

3 Answers

70

Branch policies already do exactly what you're saying. When a branch policy is in place, PRs are required.

Make sure your developers don't have the "Exempt From Policy Enforcement" permission.

Kyll
  • 7,036
  • 7
  • 41
  • 64
Daniel Mann
  • 57,011
  • 13
  • 100
  • 120
  • 1
    can you elaborate on how this works on a local repo using pure Git? Presumably a user can do anything to their own local version of the master branch, but then Azure DevOps would deny the push to the remote? If/when that happens, what would the dev need to do to undo the mess they've gotten into on their local repo? – theyetiman Jan 29 '19 at 15:24
  • Where should we look to see if developers have the "Exempt From Policy Enforcement" permission? We have pull requests enforced in our master branch's policies but have just found that developers can still commit and push directly to master. – dumbledad Apr 04 '19 at 09:56
  • 5
    This is a broader answer and it does not solve the question. Which exact branch policy we need to set? – Blue Clouds Jan 14 '21 at 06:33
  • 1
    I was asking myself the same things as above. After looking carefully to the link, I saw the following Q&A section that made it clear to me. Any required branch policy will make it impossible to directly push. I did not try changing the options anyway. https://learn.microsoft.com/en-us/azure/devops/repos/git/branch-policies?view=azure-devops&tabs=browser#can-i-push-changes-directly-to-a-branch-after-a-branch-policy-is-configured – JoaoRibeiro Nov 12 '21 at 11:06
27

I do not have reputation points to comment in an answer, so I will post a new one here.

When you set your master branch policy to Require a minimum number of reviewers, the master branch automatically will be protected. You will not be able to push any commits. In order to make any changes, you will need to create a new branch, and create a pull request to merge the modifications.

William Becher
  • 396
  • 4
  • 8
16

I know this question is a bit older but here is some additional information...
Unfortunately I cannot add comments to the "best answer" so here is a new one, you may just treat it as a comment:

Branch policies already do exactly what you're saying. When a branch policy is in place, PRs are required.

100 % agree

Make sure your developers don't have the "Exempt From Policy Enforcement" permission.

100 % agree

Exempt From Policy Enforcement

Where should we look to see if developers have the "Exempt From Policy Enforcement" permission?

From learn.microsoft.com:

There are several permissions that allow users to bypass branch policy. In TFS 2015 through TFS 2018 Update 2, the Exempt from policy enforcement permission allows users with this permission to perform the following actions:

  • When completing a pull request, opt-in to override policies and complete a pull request even if the current set of branch policies is not satisfied.
  • Push directly to a branch even if that branch has branch policies set. Note that when a user with this permission makes a push that would override branch policy, the push automatically bypasses branch policy with no opt-in step or warning.

In Azure DevOps Services, the Exempt from policy enforcement permission is removed and its functionality divided into the following two new permissions:

  • Bypass policies when completing pull requests
  • Bypass policies when pushing

Users that previously had Exempt from policy enforcement enabled now have the two new permissions enabled instead.

You can find these options under:
organization / project / Settings / Repositories

Local Git

Presumably a user can do anything to their own local version of the master branch, but then Azure DevOps would deny the push to the remote? If/when that happens, what would the dev need to do to undo the mess they've gotten into on their local repo?

This is the case because the Branch policies in Azure DevOps are not, let's call it, "vanilla-git". It's a Microsoft-specific extension which has nothing to do with your user's local git branches. Therefore a user can do to his local git repo whatever he wants to - DevOps just prevents some stuff "server-sided".

About the question of how a dev can undo the mess: I recommend this SO question.

Jonas
  • 305
  • 2
  • 16
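The "Local Git" situation described in the answer above, played through end to end as an added example that is not code from any answer on this page: it assumes `git` is installed, and it uses a bare repository with a pre-receive hook as a local stand-in for the server-side rejection (the hook is not how Azure DevOps enforces branch policies; it only reproduces the effect the developer sees). The developer commits on local master, the push is refused, and the commit is rescued onto a feature branch while local master is reset to origin/master.

```shell
#!/bin/sh
# Added example (not from the answers above): a bare repo with a pre-receive hook is a
# local stand-in for the server-side rejection; it is not how Azure DevOps enforces policy.
set -eu
export GIT_AUTHOR_NAME=dev GIT_AUTHOR_EMAIL=dev@example.invalid
export GIT_COMMITTER_NAME=dev GIT_COMMITTER_EMAIL=dev@example.invalid
WORK=$(mktemp -d); REMOTE="$WORK/remote.git"; DEV="$WORK/dev"
setup_repos() {
  git init -q --bare "$REMOTE"
  git init -q "$DEV"
  git -C "$DEV" symbolic-ref HEAD refs/heads/master
  git -C "$DEV" remote add origin "$REMOTE"
  echo "v1" > "$DEV/README"
  git -C "$DEV" add README
  git -C "$DEV" commit -q -m "initial"
  git -C "$DEV" push -q -u origin master   # accepted: master is not protected yet
  # "Server side": from now on refuse every update to refs/heads/master.
  mkdir -p "$REMOTE/hooks" && cat > "$REMOTE/hooks/pre-receive" <<'EOF'
#!/bin/sh
while read -r old new ref; do
  [ "$ref" = "refs/heads/master" ] && { echo "master is protected, open a pull request" >&2; exit 1; }
done
exit 0
EOF
  chmod +x "$REMOTE/hooks/pre-receive"
}
commit_on_local_master() {
  echo "hotfix" > "$DEV/hotfix.txt"
  git -C "$DEV" add hotfix.txt
  git -C "$DEV" commit -q -m "direct commit on master"   # nothing stops this locally
}
# Returns 0 when the push is refused, which is the expected outcome here.
push_is_rejected() { ! git -C "$DEV" push -q origin master 2>/dev/null; }
# Recovery: keep the commit on a new branch, move local master back to origin/master,
# then push the unprotected branch and open the pull request from it.
recover() {
  git -C "$DEV" branch feature/hotfix
  git -C "$DEV" reset -q --hard origin/master
  git -C "$DEV" push -q origin feature/hotfix
}
local_master_sha()   { git -C "$DEV" rev-parse master; }
remote_master_sha()  { git -C "$REMOTE" rev-parse master; }
remote_has_feature() { git -C "$REMOTE" rev-parse --verify -q refs/heads/feature/hotfix >/dev/null; }
setup_repos
commit_on_local_master
push_is_rejected
recover
```

After `recover`, local master points at the same commit as the remote again and the rejected work lives on `feature/hotfix`, which is the branch the pull request is opened from.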