Azure DevOps has enhanced its REST API for Git policy management. The update has resulted in a 50% reduction in CPU usage and 10-15 times faster execution when managing Git policies.
This change is now accessible to all Azure DevOps users and is particularly beneficial for those automating Git policy configurations in Azure Repos through the REST API.
Importance of Git Policies
Git policies are essential for maintaining code quality and preventing unauthorized changes. They establish rules that must be followed before code can be integrated into repositories and protected branches.
Azure Repos features a comprehensive policy engine that allows users to set various rules, including:
- Minimum number of reviewers required
- Specific reviewers for certain code updates
- Credential and secret checks on pushes
Challenges in Policy Management
As the number of products, services, and repositories increases, managing the appropriate Git policies becomes increasingly complex. Human errors can lead to misconfigurations, particularly regarding the behavior of services when follow-up changes are made to approved pull requests. Even with correct initial configurations, manual management often leads to drift over time.
For large enterprises, including Microsoft, which hosts extensive codebases in Azure Repos and GitHub, the REST API is vital for auditing and correcting policy misconfigurations across numerous repositories.
Types of Git Policies
Azure Repos supports two main types of Git policies:
- Push Policies: These govern what can be pushed to repositories, regardless of the branch. For example, pushes containing sensitive information are rejected.
- Branch Policies: These protect specific branches, like main, requiring all changes to be made through pull requests. They can enforce conditions such as successful builds and passing tests before changes are merged.
Policy Storage and Retrieval
Policies are stored in a logical container at the project level, allowing for cross-repository policies and branch glob patterns. The Scope field indicates where a policy is defined, facilitating the application of policies to specific branches or all branches within a project.
New API Functionality
The recent update to the REST API introduces a new feature that allows users to retrieve all policies applicable to a repository and its branches more efficiently. The GET /_apis/git/policy/configurations endpoint now supports the ~all value for the refName parameter, enabling the retrieval of all relevant branch and push policies.
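An audit pass built on that single call, as an added example that is not from the original page or from Azure DevOps: it builds the refName=~all request and checks the returned configurations against a reviewer baseline. The response field names (isEnabled, isBlocking, minimumApproverCount, resetOnSourcePush, scope), the api-version value, the baseline of two reviewers and the sample data are assumptions.

```python
from urllib.parse import urlencode

REVIEWERS = "Minimum number of reviewers"  # policy type display name (assumed)

def policy_url(org, project, repo_id, api_version="7.1"):
    """One request for every branch and push policy that applies to a repository."""
    query = urlencode({"repositoryId": repo_id, "refName": "~all",
                       "api-version": api_version})  # api-version is an assumption
    return f"https://dev.azure.com/{org}/{project}/_apis/git/policy/configurations?{query}"

def audit(response, min_reviewers=2):
    """Return (policy id, scope, problem) tuples for configurations off the baseline."""
    findings = []
    for cfg in response.get("value", []):
        settings = cfg.get("settings", {})
        problems = []
        if not cfg.get("isEnabled"):
            problems.append("policy is disabled")
        elif not cfg.get("isBlocking"):
            problems.append("policy is advisory only (not blocking)")
        if cfg.get("type", {}).get("displayName") == REVIEWERS:
            if settings.get("minimumApproverCount", 0) < min_reviewers:
                problems.append(f"fewer than {min_reviewers} reviewers required")
            if not settings.get("resetOnSourcePush"):
                problems.append("approvals are kept after follow-up pushes")
        for scope in settings.get("scope") or [{}]:
            # A scope entry without a repositoryId is defined at project level.
            where = f"{scope.get('repositoryId') or 'project-wide'}:{scope.get('refName') or 'no-ref'}"
            findings.extend((cfg.get("id"), where, p) for p in problems)
    return findings

# Constructed sample response (not real data): one drifted policy, one compliant.
SAMPLE = {"count": 2, "value": [
    {"id": 11, "isEnabled": True, "isBlocking": True,
     "type": {"displayName": REVIEWERS},
     "settings": {"minimumApproverCount": 1, "resetOnSourcePush": False,
                  "scope": [{"repositoryId": "repo-a", "refName": "refs/heads/main",
                             "matchKind": "Exact"}]}},
    {"id": 12, "isEnabled": True, "isBlocking": True,
     "type": {"displayName": REVIEWERS},
     "settings": {"minimumApproverCount": 2, "resetOnSourcePush": True,
                  "scope": [{"repositoryId": None, "refName": "refs/heads/release/",
                             "matchKind": "Prefix"}]}},
]}

if __name__ == "__main__":
    print(policy_url("example-org", "example-project", "repo-a"))
    for finding in audit(SAMPLE):
        print(finding)
```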
Performance Improvements
Prior to this enhancement, querying all policies required extensive data processing, leading to significant overhead and slower execution times. With the new functionality, the overall server-side CPU consumption has decreased dramatically, improving efficiency and reducing execution time from thousands of hours to just a fraction of that.
Conclusion
For enterprises with large development teams, automated policy governance is crucial. The new refName=~all feature streamlines this process, enhancing the performance of automation efforts. Utilizing the updated REST API can lead to significant improvements in managing Git policies effectively.