1
votes

Case: I have an Azure DevOps pipeline which deploys code to PRODUCTION. It takes a tag name (a tag created by a developer on a master branch commit) as input, so that it can deploy only that specific version of code from the master branch. This pipeline has no auto trigger; developers tag the commit on the master branch and give that tag name to the operations team to enter as a runtime parameter (input to the pipeline).

I check out the code using a checkout step within the deploy job of the Azure DevOps pipeline.

    deploy:
      steps:
      - checkout: git://MY_PROJECT/MY_REPO@refs/tags/${{variables.tag_name}}

Query: How can I ensure (before deployment) that this tag is from the master branch only and not from other non-master branches? (Developers can create tags on the master branch also.)

I know we can use a script with 'git commit --contains' and 'git describe', but how can we handle it efficiently? Any suggestions and best practices around this?


2 Answers

1
votes

Have you tried:

    trigger:
    - master

You can also use a PowerShell step to control the source branch of the artifact linked in that release with the "Build.SourceBranch" system variable.

0
votes

I ran into the exact same issue. I solved it by adding the following check as the first step in the deployment pipeline.

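    steps:
      - checkout: self
        clean: true
        persistCredentials: true
      - bash: |
          set -e

          # Commit the run was started for (the tagged commit)
          COMMIT_ID=$(Build.SourceVersion)
          BRANCH=master

          # Switch to the local branch so that `git branch` can see it
          git checkout "$BRANCH"

          # Lists the local branches that contain the commit; empty means none do
          RES=$(git branch --contains "$COMMIT_ID")

          if [[ -z $RES ]]; then
            exit 1
          fi

          exit 0
        condition: startsWith(variables['Build.SourceBranch'], 'refs/tags/')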

Basically, we check that the tagged commit is on the master branch. If not, the deployment pipeline fails at this point without ever deploying the tagged version of the code.
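
A stricter form of the check discussed in the answers above, as an added example that is not part of the original posts: it resolves the operator-supplied tag strictly under `refs/tags/` and requires its commit to be an ancestor of one named branch, failing closed on anything it cannot resolve. The function names `tag_on_branch` and `build_demo_repo`, the tag names and the throwaway repository are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: fail closed unless a tag's commit is reachable from the release branch.

# tag_on_branch TAG [BRANCH_REF] [REPO_DIR]
# Returns 0 if TAG is on BRANCH_REF, 1 if it is not, 2 if the input cannot be resolved.
tag_on_branch() {
  local tag="$1" branch_ref="${2:-refs/remotes/origin/master}" repo="${3:-.}" commit
  # The tag name is operator input: accept only a plain ref name
  # (check-ref-format refuses spaces, "^", "~", ":" and "..").
  git check-ref-format "refs/tags/$tag" || return 2
  # Resolve strictly under refs/tags/ and peel annotated tags to their commit.
  commit=$(git -C "$repo" rev-parse --verify --quiet "refs/tags/${tag}^{commit}") || return 2
  git -C "$repo" rev-parse --verify --quiet "${branch_ref}^{commit}" >/dev/null || return 2
  # Status 0 only when the commit is an ancestor of (or equal to) the branch tip.
  git -C "$repo" merge-base --is-ancestor "$commit" "$branch_ref"
}

# Constructed sample repository (not from the question): an annotated tag on
# master and a lightweight tag on a side branch that was never merged.
build_demo_repo() {
  local d
  d=$(mktemp -d) || return 1
  (
    cd "$d" || exit 1
    # Ignore the caller's own git configuration and supply a demo identity.
    export GIT_CONFIG_GLOBAL=/dev/null GIT_CONFIG_NOSYSTEM=1
    export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
    export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid
    git init -q . &&
    git symbolic-ref HEAD refs/heads/master &&
    git commit -q --allow-empty -m "release commit" &&
    git tag -a -m "annotated tag on master" v1.0.0 &&
    git checkout -q -b feature/x &&
    git commit -q --allow-empty -m "unmerged work" &&
    git tag v1.0.1-side &&
    git checkout -q master
  ) >/dev/null || return 1
  echo "$d"
}

demo=$(build_demo_repo)
for t in v1.0.0 v1.0.1-side "v1.0.0~0" missing-tag; do
  if tag_on_branch "$t" refs/heads/master "$demo"; then
    echo "$t: on master, deployment may proceed"
  else
    echo "$t: rejected (status $?)"
  fi
done
rm -rf "$demo"
```

Walking ancestry needs full history, so in a pipeline the checkout step would set `fetchDepth: 0`; the default `refs/remotes/origin/master` assumes the remote is named `origin`.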