Let's consider this example scenario, where I have 2 Azure DevOps projects with the following repositories:

Platform (Project)
    templates (Repository)
Product-A (Project)
    workload (Repository)
    fake-templates (Repository)

The intention is that the Platform team provides some "secure/trusted" templates to the product teams and enforces that the templates are extended via the Required Template Check feature.

With that in mind, I wanted to set up an approvals and check policy (based on the Required Template check). Therefore, I navigate to it and create a Required YAML template policy with the following configuration:

    Azure Repos
    Platform/templates
    refs/heads/master
    template.yml

Next, I create a pipeline for the workload repository in the Product-A project; here's the YAML:

This works - as expected.

However, if I now modify the YAML with the following:

resources:
  repositories:
    - repository: templates
      type: git
      name: Product-A/fake-templates ## Notice, here I am pointing to a template that shouldn't be allowed
extends:
  template: unsafe-template.yml@templates
  parameters:
    yesNo: false

This would work too - without any complaints. This must be a bug/fault.

This behavior is clearly not what is described in the documents. The approval checks on the Agent pool serve no purpose if anybody can just avoid/bypass the required template check completely with an altered YAML file.
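As an added example (not part of the original post, and not Azure DevOps' own check logic), the script below shows the verification a required-template check has to perform to be meaningful: it resolves the `@alias` in `extends.template` back to the `resources.repositories` entry that alias points to, and compares that entry's type, name, ref and the template path against the policy values from the post (Azure Repos, Platform/templates, refs/heads/master, template.yml). The alias string alone is never trusted, which is exactly what the modified YAML above exploits: the resource is still called `templates`, but it names `Product-A/fake-templates`. The functions take the parsed pipeline as a dict (what PyYAML's `safe_load` returns); the two sample pipelines are constructed inline to mirror the post, and the `load_pipeline` helper and its PyYAML dependency are an assumption for use on real files.

```python
"""Check that an Azure Pipelines YAML extends the template a policy requires.

Added example: the alias after '@' is resolved to the repository resource it
refers to, and that resource (not the alias name) is compared with the policy.
Pipelines are passed as parsed dicts (as PyYAML's safe_load produces them).
"""

# Policy values as configured in the post: Azure Repos, Platform/templates,
# refs/heads/master, template.yml. 'git' is the resource type for Azure Repos.
REQUIRED_TEMPLATE = {
    "type": "git",
    "name": "Platform/templates",
    "ref": "refs/heads/master",
    "path": "template.yml",
}


def load_pipeline(text):
    """Parse raw pipeline YAML text (assumes PyYAML is installed)."""
    import yaml  # assumption: PyYAML available where real files are checked
    return yaml.safe_load(text)


def resolve_repo_alias(pipeline, alias):
    """Return the resources.repositories entry whose 'repository' is alias."""
    repos = (pipeline.get("resources") or {}).get("repositories") or []
    for repo in repos:
        if isinstance(repo, dict) and repo.get("repository") == alias:
            return repo
    return None


def check_required_template(pipeline, policy=REQUIRED_TEMPLATE):
    """Return a list of findings; an empty list means the pipeline complies."""
    findings = []
    extends = pipeline.get("extends")
    if not isinstance(extends, dict) or not isinstance(extends.get("template"), str):
        return ["pipeline does not use 'extends' with a template reference"]

    path, sep, alias = extends["template"].partition("@")
    # No '@alias' (or '@self') means the template lives in the pipeline's own
    # repository, which the product team controls, so it can never satisfy the policy.
    if not sep or alias == "self":
        return [f"template '{path}' comes from the pipeline's own repository, "
                f"not from '{policy['name']}'"]
    if path != policy["path"]:
        findings.append(f"template path '{path}' != required '{policy['path']}'")

    repo = resolve_repo_alias(pipeline, alias)
    if repo is None:
        return findings + [f"alias '@{alias}' has no resources.repositories entry"]
    # Compare the resolved resource, never the alias: anyone can call a resource
    # 'templates' while pointing it at a repository they control.
    for key in ("type", "name"):
        if repo.get(key) != policy[key]:
            findings.append(f"repository {key} '{repo.get(key)}' != required '{policy[key]}'")
    if repo.get("ref") != policy["ref"]:
        findings.append(f"repository ref '{repo.get('ref')}' != required "
                        f"'{policy['ref']}' (ref must be pinned explicitly)")
    return findings


# Constructed sample 1: the compliant pipeline the post's policy is meant to allow.
COMPLIANT = {
    "resources": {"repositories": [
        {"repository": "templates", "type": "git",
         "name": "Platform/templates", "ref": "refs/heads/master"},
    ]},
    "extends": {"template": "template.yml@templates", "parameters": {"yesNo": True}},
}

# Constructed sample 2: the modified YAML from the post (same alias, wrong repo).
BYPASS = {
    "resources": {"repositories": [
        {"repository": "templates", "type": "git", "name": "Product-A/fake-templates"},
    ]},
    "extends": {"template": "unsafe-template.yml@templates", "parameters": {"yesNo": False}},
}

if __name__ == "__main__":
    for label, pipeline in (("compliant", COMPLIANT), ("bypass", BYPASS)):
        findings = check_required_template(pipeline)
        print(f"{label}: {'OK' if not findings else 'REJECT'}")
        for finding in findings:
            print(f"  - {finding}")
```

Running the block reports the compliant pipeline as OK and rejects the modified one on three counts: the template path, the repository name, and the unpinned ref. The same resolution step is what a gate on the agent pool (or a pre-merge policy on the workload repository) needs, because a check that matches only on `template.yml@templates` as a string is satisfied by any resource that happens to carry the alias `templates`.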