Azure Repos & branch policies

Pull requests, protected main, hygiene.

Beginner30 min · lesson 4 of 15

Source control is where delivery begins. Azure Repos provides Git repositories with the collaboration and protection features — pull requests and branch policies — that make team development safe and reviewable.

Pull requests and branch policies

Azure Repos hosts Git repositories where developers collaborate through pull requests: a PR proposes merging a branch into a target (usually main), triggers review, and runs policy checks before the code can land. Branch policies on the protected main branch enforce quality gates — require a minimum number of reviewers, a passing CI build, linked work items, and resolved comments before merge, and block direct pushes. This is the core safety mechanism: no code reaches main without review and a green build, so the mainline stays healthy. The policies turn good intentions ("we review code") into enforced rules the tooling guarantees, which is essential as a team grows.

branch policies protect main
# On main, require before merge:
# ✓ minimum 2 reviewers approve the pull request
# ✓ CI build passes (build validation policy)
# ✓ linked work items + resolved comments
# ✗ no direct pushes to main — everything goes through a PR
#
# Result: the mainline is always reviewed, built, and tested.
# A change that breaks the build simply cannot be merged.

Version-control hygiene

Good practices keep the repository healthy and secure. Protect main with policies, keep pull requests small and frequent for easier review, and never commit secrets — a leaked credential in git history is compromised even after deletion, so use secret scanning and .gitignore, and store real secrets in Key Vault. Link commits and PRs to work items (Azure Boards) for traceability from requirement to code to deployment, valuable for audit and reporting. The branching model matters too: short-lived branches merged frequently keep integration painless, while long-lived feature branches cause difficult merges. These habits — protected mainline, reviewed changes, no secrets, small commits, traceability — are the foundation of collaborative, auditable delivery that the rest of the DevOps pipeline builds on.

Safe source control
protect the mainline
branch policies
reviewers + build + no direct push
pull requests
review before merge
hygiene
no secrets in history
scan + Key Vault
link to work items
requirement-to-deploy traceability
Protect main with policies, review every change via PR, keep secrets out of history, and link work for traceability.
A secret committed to git is compromised — even after deletion
Removing a leaked credential in a later commit does not help: it remains in git history, which is cloned and cached everywhere. Assume any committed secret is compromised — rotate it immediately, purge history, and prevent recurrence with secret scanning and Key Vault so real secrets never enter the repo.