Edits in existing IaC code should not be allowed. Only new code added to the file is allowed. Edits should either be denied when attempting to edit or at commit. Is this possible? Using Azure DevOps currently.
- I do not believe this is possible, but I would suggest changing your strategy of building. You could work on additional branches, lock your main branch and only merge branches after your review. This would result in an outcome like the one you requested. – GeralexGR Jul 04 '22 at 08:16
- Yes, but we would like to avoid manual intervention – Hanscastor Jul 04 '22 at 09:52
1 Answer
In general, there is no way to effectively do what you're asking. If someone has a repository on their local system, they can make arbitrary changes to it.
It is possible to add pre-commit hooks, but as the Git FAQ mentions, it's trivial to bypass them without notice, and thus they are not an effective control. They can be useful to help users if they'd like, but pre-commit hooks can also be an impediment to more advanced workflows, such as those using fixup commits. Any sort of policy implementation needs to happen on the server, usually in CI.
It is also, in general, difficult to specifically state what is new code and what is a modification of existing code. This requires intimate knowledge about the language, which Git does not have, as well as human judgment. For example, is adding a method to a struct in Rust or a class in C++ modifying existing code or adding new code?
If you want to enforce any sort of policy, whether automated or not, it's best to prevent pushing to the main branch and use some sort of pull request that at least requires a CI job to run. For items, such as your case, which are not trivial, you should enforce code review. Both of these are best practices anyway to avoid mistakes, enforce coding standards, and prevent introduction of malicious code.
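The server-side check the answer points to could look like this: an added example (not from the answer or from Azure DevOps) that parses `git diff --unified=0` output for the pull request and flags any IaC file whose existing lines were removed or changed, since an edit to an existing line always appears as a `-` line while a pure addition never does. The sample diff, the file suffix list and the function names are constructed for illustration; as the answer says, "new vs. modified" is a heuristic, so a whitespace-only change or a line inserted inside an existing block is classified only by what the diff shows.

```python
import subprocess
from typing import Dict, List

# Constructed sample of `git diff --unified=0` output (not from the page):
# one modified line in main.tf plus pure additions in both files.
SAMPLE_DIFF = """\
diff --git a/infra/main.tf b/infra/main.tf
--- a/infra/main.tf
+++ b/infra/main.tf
@@ -12 +12 @@ resource "azurerm_resource_group" "rg" {
-  location = "westeurope"
+  location = "northeurope"
@@ -20,0 +21,3 @@
+resource "azurerm_storage_account" "sa" {
+  name = "examplestorage"
+}
diff --git a/infra/vars.tf b/infra/vars.tf
--- a/infra/vars.tf
+++ b/infra/vars.tf
@@ -3,0 +4,2 @@
+variable "tags" {
+}
"""

# Hypothetical suffix list: which files count as IaC in this repository.
IAC_SUFFIXES = (".tf", ".bicep", ".json", ".yml", ".yaml")


def removed_lines_by_file(diff_text: str) -> Dict[str, List[str]]:
    """Collect every deleted ('-') content line per file in a unified diff.
    A modified line is emitted as a '-' line followed by a '+' line, so any
    '-' line proves that existing content was touched, not merely appended."""
    removed: Dict[str, List[str]] = {}
    current = None
    for line in diff_text.splitlines():
        if line.startswith("diff --git "):
            current = line.split(" b/", 1)[1]      # path on the new side
            removed.setdefault(current, [])
        elif line.startswith(("--- ", "+++ ")):
            continue                                # file headers, not content
        elif line.startswith("-") and current is not None:
            removed[current].append(line[1:])
    return removed


def check_append_only(diff_text: str) -> List[str]:
    """Return one violation message per IaC file whose existing lines changed."""
    return [f"{path}: {len(lines)} existing line(s) modified or removed"
            for path, lines in removed_lines_by_file(diff_text).items()
            if path.endswith(IAC_SUFFIXES) and lines]


def diff_against(base_ref: str) -> str:
    """In CI, diff the PR head against its target branch (e.g. 'origin/main')."""
    return subprocess.run(["git", "diff", "--unified=0", f"{base_ref}...HEAD"],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Stand-alone run uses the constructed diff; in a pipeline use diff_against().
    problems = check_append_only(SAMPLE_DIFF)
    print("\n".join(problems) or "OK: only additions to IaC files")
    raise SystemExit(1 if problems else 0)
```

Wire `diff_against("origin/main")` into a pipeline step that runs on every pull request and fails the build on a non-empty result; combined with a branch policy that blocks direct pushes to main, that is the only place the rule can actually be enforced.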