Azure / pipelines

Enable GitHub developers to trigger Azure Pipelines from a GitHub Actions workflow
MIT License

Required Template check feature behaves incorrectly #36

Closed MoimHossain closed 3 years ago

MoimHossain commented 3 years ago

Let's consider this example scenario, where I have 2 Azure DevOps projects with the following repositories:

The intention is that the Platform team provides some "secure/trusted" templates to the product teams and enforces that the templates are extended via the Required Template Check feature.

With that in mind, I wanted to set up an approvals and checks policy (based on the Required Template check). Therefore, I navigate:

Product-A > Project settings > Agent Pools > Azure Pipelines > Approvals and checks (from top-right menu)

Create a Required YAML template policy with the following configurations:

Next, I create a pipeline for the workload repository in the Product-A project. Here's the YAML:

```yaml
resources:
  repositories:
    - repository: templates
      type: git
      name: Platform/templates
extends:
  template: template.yml@templates
  parameters:
      yesNo: false
```

This works - as expected. However, if I now modify the YAML with the following:

```yaml
resources:
  repositories:
    - repository: templates
      type: git
      name: Product-A/fake-templates  ## Notice, here I am pointing to a template that shouldn't be allowed
extends:
  template: unsafe-template.yml@templates
  parameters:
      yesNo: false
```

This would work too - without any complaints. This must be a bug/fault.

This behavior is clearly not what is described in the documents. The approval checks on the Agent pool serve no purpose if anybody can just avoid/bypass the required template check completely with an altered YAML file.
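The difference between the two pipelines above can be checked independently of the server-side policy. The following is an added example, not code from this issue or from Azure Pipelines: it resolves the `extends.template` alias to its repository resource and compares the result against an allowlist. The `ALLOWED` set, the function names and the dict form of the two pipelines are assumptions made for illustration.

```python
# Added example: audit a parsed pipeline definition for the template it extends.
# ALLOWED is an assumed policy; the post does not show the check's settings.
ALLOWED = {("Platform/templates", "template.yml")}


def resolve_extends(pipeline):
    """Return (repository name, template path) for extends:, or None if absent."""
    template = (pipeline.get("extends") or {}).get("template")
    if not isinstance(template, str):
        return None  # pipeline does not extend any template
    path, sep, alias = template.partition("@")
    path = path.lstrip("/")
    if not sep or alias == "self":
        return ("self", path)  # template comes from the pipeline's own repository
    repos = (pipeline.get("resources") or {}).get("repositories") or []
    for repo in repos:
        if repo.get("repository") == alias:
            return (repo.get("name"), path)
    return (None, path)  # alias has no matching repository resource


def audit(pipeline, allowed=ALLOWED):
    """Return (ok, reason) for one parsed pipeline definition."""
    resolved = resolve_extends(pipeline)
    if resolved is None:
        return False, "no extends: template"
    if resolved in allowed:
        return True, "extends %s from %r" % (resolved[1], resolved[0])
    return False, "untrusted template %s from %r" % (resolved[1], resolved[0])


# The two pipelines from the post, written as a YAML loader would return them.
TRUSTED = {
    "resources": {"repositories": [
        {"repository": "templates", "type": "git", "name": "Platform/templates"}]},
    "extends": {"template": "template.yml@templates", "parameters": {"yesNo": False}},
}
BYPASS = {
    "resources": {"repositories": [
        {"repository": "templates", "type": "git", "name": "Product-A/fake-templates"}]},
    "extends": {"template": "unsafe-template.yml@templates",
                "parameters": {"yesNo": False}},
}

if __name__ == "__main__":
    for label, pipeline in (("trusted", TRUSTED), ("bypass", BYPASS)):
        print(label, audit(pipeline))
```

The comparison covers repository name and template path only; a `ref` on the repository resource is not checked.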

MoimHossain commented 3 years ago

Just figured, it's the wrong repo for the issue. Closing it.