Protect Azure Pipeline Yaml File from Being Edited

Question

Currently storing our pipeline YAML files in our git repo in Azure Devops - trying to find a way to restrict certain users from editting/accessing the YAML file or even possibly a folder that contains the YAML file.

We want to implement additional security to prevent our developers from modifying our YAML files to potential exploit sensitive information or make changes that we don't approve (We have a PR policy in place, but would like additional security measures).

Ideally - we could setup a group in azure - add members, and only those members would be able to modify files inside a specific repo folder that contains our YAML file - not sure if this is possible.

Answer 1

You can create a repo policy that prevents pushes to the YAML folder/files.

Go to Project settings => Repos => Repositories => Policies:

And give Bypass policies permissions to a specific group that will have permission to edit the YAML:

Answer 2

As far as i know, there's no such existing security setting that prevent specific members from modifying specific files or folders.

However, you can lock the master branch and then set branch policies for specific files like yml files or specific folders.

Please check this thread Can we lock a file in Azure DevOps? and follow the steps.

The main point is to set "For pull requests affecting these folders" value in "Automatically include reviewers" in "Branch policies".

In this case, all changes to the master branch will need pull request and the change to the yml files will need reviewers to prove it.