git - How do I ensure that only a specific branch is checked out by the Azure DevOps CI agent? - Stack Overflow

admin管理员组

文章数量:1122832

I'd like to know whether some of this YAML code is overkill, specifically the lines 17-20 (marked with comments in capital letters).

What I am trying to do is ensure that the branch that is checked out when the pipeline runs automatically is the 'dev' branch.

I have read that if the dev branch is specified as the trigger (as it is; look at the lines 0-3), the Azure DevOps agent will checkout the dev branch and run the operations in the pipeline on source code from the dev branch.

But is this actually true? Is it correct to enforce that the dev branch is checked out as I have in this sample? What is the best approach to ensuring that only a certain branch is checked out by the Azure DevOps agent?

trigger:
  branches:
    include:
      - dev

variables:
  backendBuildTag: $(Build.BuildId)

pool:
  name: examplepool

stages:
  - stage: BuildBackend 
    jobs:
    - job: BuildBackendJob
      steps:
        - checkout: self # LOOK AT THIS LINE
        - script: |
            git fetch origin dev # LOOK AT THIS LINE
            git checkout dev # LOOK AT THIS LINE

        - task: Docker@2
          inputs:
            containerRegistry: 'nhschristie'
            repository: 'backend'
            command: 'buildAndPush'
            Dockerfile: '**/backend/Dockerfile'
            buildContext: '**'
            tags: |
              $(backendBuildTag)

I did some reading around this topic and it seems that it is safe to remove the following from the YAML:

 - checkout: self
 - script: |
     git fetch origin dev
     git checkout dev

I'd like to know whether some of this YAML code is overkill, specifically the lines 17-20 (marked with comments in capital letters).

What I am trying to do is ensure that the branch that is checked out when the pipeline runs automatically is the 'dev' branch.

I have read that if the dev branch is specified as the trigger (as it is; look at the lines 0-3), the Azure DevOps agent will checkout the dev branch and run the operations in the pipeline on source code from the dev branch.

But is this actually true? Is it correct to enforce that the dev branch is checked out as I have in this sample? What is the best approach to ensuring that only a certain branch is checked out by the Azure DevOps agent?

trigger:
  branches:
    include:
      - dev

variables:
  backendBuildTag: $(Build.BuildId)

pool:
  name: examplepool

stages:
  - stage: BuildBackend 
    jobs:
    - job: BuildBackendJob
      steps:
        - checkout: self # LOOK AT THIS LINE
        - script: |
            git fetch origin dev # LOOK AT THIS LINE
            git checkout dev # LOOK AT THIS LINE

        - task: Docker@2
          inputs:
            containerRegistry: 'nhschristie'
            repository: 'backend'
            command: 'buildAndPush'
            Dockerfile: '**/backend/Dockerfile'
            buildContext: '**'
            tags: |
              $(backendBuildTag)

I did some reading around this topic and it seems that it is safe to remove the following from the YAML:

 - checkout: self
 - script: |
     git fetch origin dev
     git checkout dev

• git
• azure-devops
• continuous-integration
• azure-pipelines
• azure-pipelines-yaml

Share Improve this question Follow edited Nov 21, 2024 at 22:47 Rui Jarimba 17.4k1111 gold badges6464 silver badges9797 bronze badges asked Nov 21, 2024 at 16:45 user28418204user28418204 1

• One simple way to confirm would be to remove the checkout part, and replace your script with a command that prints out the current branch name, like this: git branch --show-current and then try to trigger it from different branches and see what happens. – TTT Commented Nov 22, 2024 at 4:37

Add a comment  | 

2 Answers 2

Sorted by: Reset to default 0

According to steps.checkout definition, if no checkout step is defined, the default behavior is use checkout: self as the first step, and the current repository is checked out.

In Choose a repository to build, it mentions the repository in which the YAML file is present is called self repository. By default, this is the repository that your pipeline builds.

When you specify the dev branch as the CI trigger, the pipeline will run whenever you push an update to the dev branch. It ensures that the Azure DevOps agent will only check out the dev branch and run the pipeline on the source code from dev branch when the pipeline is triggered by the CI trigger.

trigger:
  branches:
    include:
      - dev

Therefore, the checkout: self and the git fetch and git checkout commands are indeed redundant and can be safely removed. The Azure DevOps agent will automatically check out the dev branch as specified in the trigger.

Your code should work fine when the pipeline is triggered (using checkout: self), but it won't prevent users from running the pipeline manually with another branch.

You can use the following syntax to checkout a specific branch:

- checkout: git://MyProject/MyRepo@dev # checks out the dev branch
- checkout: git://MyProject/MyRepo@refs/heads/dev # also checks out the dev branch

Or, as an alternative, use a repository resource:

resources:
  repositories:
    - repository: currentRepository # The name used to reference this repository in the checkout step
      type: git
      ref: dev # branch name
      name: myrepository

steps:
  - checkout: currentRepository

You must use a repository resource if your repository type requires a service connection (Azure Repos Git repository in another organization, GitHub, and Bitbucket Cloud repository).

Recommended reading:

• Checking out a specific ref
• checkout definition
• repository resource

本文标签： gitHow do I ensure that only a specific branch is checked out by the Azure DevOps CI agentStack Overflow