how to restrict the access on build.yml file from developers in Azure DevOps repository

问题

In Azure DevOps we have created both build and release pipeline using classic way and now we are planning this to convert to yaml file.

But it seems in yaml method, the code can be put only on the root of the repo, where we want to keep the build yaml files in a separate repo, where the developers won't have access.

How can achieve this?

回答1:

You can use templates, put in the main repo only the minimal yalm that refers to a template with all the steps, the template exits in another repo.

For example, your main repo yaml:

resources:
  repositories:
    - repository: templates
      type: git
      name: Contoso/BuildTemplates

jobs:
- template: common.yml@templates  # Template reference

In in the repo: Contoso/BuildTemplates put the full yaml:

# Repo: Contoso/BuildTemplates
# File: common.yml
parameters:
  vmImage: 'ubuntu 16.04'

jobs:
- job: Build
  pool:
    vmImage: ${{ parameters.vmImage }}
  steps:
  - script: npm install
  - script: npm test

Restrict the access to the second repo (unless the agent pipeline user).

Read here more info about the resources.

回答2:

You don't have to keep the YAML files in the root of the repository; ours are in a dedicated sub-folder:

That's crucial, because it means that we can add a PR policy which restricts who can approve changes to any of the pipeline YAML files.

回答3:

I agree that one solution could be the one proposed by @Shayki Abramczyk

but to have standalone *.yml in dedicated repository you can use 'git clone' while using 'Git Credentials' to access the other repository that contains the files you want to build by the pipeline.

If your repository dedicated for *.yml is in the same Azure Devops project then you should not have any problem with the release definition.

Please see example *.yml that works for us as described:

pool:
  vmImage: 'your-preferred-image'

variables:
  solution: '$(Agent.BuildDirectory)/**/YourSolution.sln'
  buildPlatform: 'Any CPU'
  buildConfiguration: 'Debug'
  urlWithCreds: 'https://YourUser:YourPassword@dev.azure.com/YourOrganization/YourProject/
    _git/YourOtherRepository'

steps:
- task: CmdLine@2
  inputs:
    script: |
      git --version
      git clone --quiet $(urlWithCreds)
      git checkout master

- task: VSBuild@1
  inputs:
    solution: '$(solution)'
    msbuildArgs: 'your build args'
    platform: '$(buildPlatform)'
    configuration: '$(buildConfiguration)'

来源：https://stackoverflow.com/questions/58689979/how-to-restrict-the-access-on-build-yml-file-from-developers-in-azure-devops-rep