Azure-devops-docs: Approvals and Gates for Multi-Stage Pipelines

@shashban

Looking for this just now as well. Need this to be able to use the multi-stage YAML for production stages.

I'm looking for some guidance as well. Your help is greatly appreciated!

Approvals and gates are currently not available in the preview for multi-stage YAML pipelines.
We're actively working on adding this support and should have it in place soon.
We'll keep you informed about its availability through the release notes.

+1, this is a blocker to us switching from classic releases.

+1, likewise, checks and balances, SDLC audit support, etc. Is there a link to track the progress on this?

Approvals are now supported in multi stage YAML pipelines.

Thank you for getting this supported. Is there a way to define approvals in the YAML itself or through and API/CLI command?

No plans to add approvals in YAML. However, we do plan to support configuring approvals on various resources for example, service connections, variable groups, agent pools etc.

By API/CLI if you mean can you configure approvals on resources? yes, it should be possible to do so at some point in future.

@RoopeshNair So, moving forward... there's no chance of ADO maintaining parity between the functionality provided in the * web UI* (which for whatever reason seems to receive features and enhancements first, despite the name of the offering being DevOps), API, YAML, and CLI?

Sounds like a major design flaw (oversight) to me.

@mbeacom - Not really.

• YAML pipeline is still in preview, we are adding a ton of improvements to it. Even in preview, YAML pipeline supports features that * web ui* pipelines doesn't. For example, Environments is exclusive to YAML, parallel jobs, job outputs, templating etc. are YAML only features.

• Approvals not being in YAML is a change in our design/approach based on the feedbacks.

• Regarding API/CLI availability, I said future, as there is chance that they may change considering service is in preview. Our UI uses the same APIs, so in theory the APIs are available

@RoopeshNair - First off, thanks for your quick response!
I'm a bit confused about the causation for such differences between provisioning approaches.

Why would there be such drift between the various mechanisms of creating or altering pipelines?

Where should we submit feedback about the lack of parity between all of these separate avenues of establishing pipelines?

* Approvals not being in YAML is a change in our design/approach based on the feedbacks.

@RoopeshNair - I get that some people would want to be able to protect at a higher level, but others would probably want the whole pipeline to be expressed in a single document.

My feedback would be that you should consider putting the definition in the pipeline YAML, while also ensuring that sufficient controls exist around who can update the pipeline. I would argue that this is better than keeping important parts of the pipeline out of both the context and view of pipeline designers.

Or expose both pipeline and resource controls, so you can have approvals for protecting resources and code review/QA purposes.

Approvals not being in YAML is a change in our design/approach based on the feedbacks.

I would love to know where I can submit such feedback. I feel strongly about supporting all of these features in YAML. My team supports multiple independent apps, each of which deploys to many environments. Manually clicking around to configure approvals in release templates is incredibly painful today. I had hoped this would change with multi-stage pipelines.

@twarnock As Roopesh correctly said, we are considering approvals at a higher level, controlled by infrastructure admins and kept beyond devs. It keeps accidental removal of approvals out of reach, and automatically gives segregation of roles.
We understand there are additional requirements where engineers seek manual validations from their peers. These are not in purview of compliance and can be controlled by devs. For these scenarios, we'll extend manual intervention and include in the yaml files.

@alexeldieb you can submit feedback using developer community or stack overflow.
We have REST APIs to help bulk configure Approvals on multiple environments. We'll look at simplifying this is due course by having a shareable control.
Feel free to reach out to us using the support mechanisms or at [email protected] and we can discuss further.

Is there some workaround to work with approvals in YAML script?? , for example Enviroments, Git Repo triggers or Splitting YAML files ? ,another options ?

Approvals are now supported in multi stage YAML pipelines.

How about Gates? Do you know when they will be supported in Yaml Pipelines? Or is the case that Gates can and should be achieved with a combination of additional Stages/Jobs/Steps and Conditions?

How about Gates? Do you know when they will be supported in Yaml Pipelines? Or is the case that Gates can and should be achieved with a combination of additional Stages/Jobs/Steps and Conditions?

Gates will be supported in Yaml Pipelines in two phases. In Phase 1, we'll add pre-deployment gates as a sibling for approvals. You'll see these incrementally get added over the next 10-12 weeks.
In phase 2, we'll extend these to be included in the deployment workflow as a first class concept. This will take us longer.

@shashban is there anywhere I can track the progress of Gates? This issue is closed.

We will keep announcements on that through release notes and doc upsates. Keep an eye on those.

For those of you still following this...
https://dev.azure.com/mseng/AzureDevOpsRoadmap/_workitems/edit/1570285

@mbeacom >

@RoopeshNair - First off, thanks for your quick response!
I'm a bit confused about the causation for such differences between provisioning approaches.

Why would there be such drift between the various mechanisms of creating or altering pipelines?

Where should we submit feedback about the lack of parity between all of these separate avenues of establishing pipelines?

Yaml brings compliance issues as anyone can remove approvals, so the difference in approaches makes sense. For you the only requirement is what your job wants to do right now. But the creators of the framework there are other challenges.
And for the solution to problem at hand: use environment in pipeline. And on environment add manual trigger(visual through portal).

environment: 'smarthotel-dev'

And another solution would be... it is copy paste in one large file with stages, after all. Why can't these texts be split into separate YAML files. No CI on higher envs. Dev could still do CI on 'its YAML.
PS: when using/changing Jobs to Environment Jobs, make sure to add a step to check out source.

Some checks are missing in the YAML section. I have a servicenow plugin installed for my organization. The service now change management task is vivible in the release pipeline gate as shown below:

But this task is missing from the environment checks task:

Is anyone aware of this issue or has a soultion for this?

@amrut057 I'm looking for this just now as well. We would like to use Service Now -connector with the YAML pipeline too..

@RoopeshNair @shashban, regarding the issue posted above, do we have any solution for integrating service wow with yaml pipeline.

@shashban for Service Now checks plan

Some checks are missing in the YAML section. I have a servicenow plugin installed for my organization. The service now change management task is vivible in the release pipeline gate as shown below:

But this task is missing from the environment checks task:

Is anyone aware of this issue or has a soultion for this?

I am looking for this too

I have now created a feature suggestion here https://developercommunity.visualstudio.com/content/idea/1048481/some-checks-servicenow-integration-are-missing-in.html if that helps to push this requirement further.

Guys. Is it possible to make post-stage approve like it was in classic mode? (look at https://github.com/MicrosoftDocs/azure-devops-docs/issues/8584). I guess no one is moving in that way, right? I already posted possible problem that may occur in real world production, but here is still no solution.

What we ended up doing is using pre-environment approvals. We can configure many in sequence. So we have for example staging environment after qa. So we configure approvals on staging environment to be qa group, then staging admin group.

What we ended up doing is using pre-environment approvals. We can configure many in sequence. So we have for example staging environment after qa. So we configure approvals on staging environment to be qa group, then staging admin group.

Oh, sounds awkward. Like fake stage just for approval. I thought about it, but didn't want to implement such approach. Today was just another case when our application after test stage was instantly installed to preprod by admins (owners of this stage) without approving from test team. He just saw "pending approval" and approved it.

We don't exactly have a fake stage. Simply multiple approvals required for our preprod stage. Before preprod admins even receive a notification, qa must give their approval for the preprod environment (basically saying qa phase is done).

You mean this? Never tried, but how to control order?

Yep. That's it. Order is controlled by the order in the "Approvers" field.

Yep. That's it. Order is controlled by the order in the "Approvers" field.

Thank you for that tip. I will try it.