To provide more background: We have an application container image that uses the Microsoft official image (from https://hub.docker.com/_/microsoft-dotnet-framework-aspnet?tab=description).
Is it possible to get an update/email/webhook when that Docker repo is updated to automatically trigger a build in Azure DevOps?
For example, if the base image from the official Docker Hub is updated, automatically trigger a build in Azure DevOps instead of an ACR Task?
Thanks!
Hi @denhsu Thank you for your feedback! We will review and update as appropriate.
@denhsu I will check with the internal teams and let you know.
Currently only ACR Tasks is capable of rebuilding when the base image changes.
Thanks for the reply! @jakaruna-MSFT
We inject our security scanning into our Azure DevOps CI Build pipeline when we build the application container image, therefore, it would be nice if ACR Tasks can create a webhook back to Azure DevOps to trigger the build pipeline.
@jakaruna-MSFT
I just thought of one workaround, but I don't think it would work. Please comment if you have any suggestions.
When the ACR task detects a base image change, it triggers a rebuild and then pushes the new image into ACR. I am trying to set up a webhook in ACR (when a new image is pushed to ACR) to auto-trigger our build in Azure DevOps to rebuild, push the image to ACR, then CD deployment to our App Service or Kubernetes.
But when Azure DevOps pushes the new image to ACR, the webhook might get triggered again, and then it might call Azure DevOps to rebuild. It might be an infinite loop between ACR and Azure DevOps.
@denhsu The infinite loop possibility is there. Let's look for a way to stop it.
@jakaruna-MSFT
Any update from your side? We might be able to trigger our security scan in Azure DevOps release pipeline.
We have our application image stored in ACR and it uses the Microsoft official image "microsoft/aspnet:4.7.1-windowsservercore-ltsc2016" from https://hub.docker.com/_/microsoft-dotnet-framework-aspnet?tab=description.
Can you provide an example/tutorial on how to use ACR Tasks to set up an application rebuild when the base image is updated from the official Docker Hub?
Thanks,
Dennis
@denhsu Triggering for a base image update is done by adding an extra flag during the Azure task creation.
The flag is `--base-image-trigger-enabled True`
Once this is done, the ACR task finds the base image for the task after the first run and registers the webhook.
For private repos we can add a webhook easily. But for public repos (which we do not own), I don't know the way to add webhooks.
If we find a way to add webhooks to public repos, then we can trigger the Azure DevOps CI from that webhook. I will check with the team and let you know about that.
Link for more info.
@dlepow Please add your comments regarding the webhooks.
@denhsu Got a workaround to your specific problem.
We can have two tasks.
* Task which has a dummy docker file with only the base image in it with `--base-image-trigger-enabled True`. So that task will build automatically when the base image changes. Once the task is run, it would have built the dummy image and updated it to the ACR. In ACR, for that dummy image you can add a webhook to trigger the actual Azure DevOps pipeline.
* This task has the actual application's docker file with `--base-image-trigger-enabled False`. You can call this task from Azure DevOps when a code push happens in the git repo or triggered via a webhook from task 1.

By this way we can avoid the infinite loop and also we will get notified when the base image changes.
Let me know your comments.
cc:/ @northtyphoon
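The two-task workaround described above, sketched as Azure CLI calls (an added example, not part of the original thread). The registry name, task and webhook names, git context, `Dockerfile.sentinel` and the pipeline endpoint URI are all placeholders; the webhook is scoped to the sentinel repository so that application image pushes from Azure DevOps never fire it, which is what breaks the loop.

```shell
#!/bin/sh
# Added illustration; every name and URL below is a placeholder (assumption).
set -eu

AZ="${AZ:-az}"                     # set AZ=echo to print the commands instead of running them
ACR="${ACR:-myregistry}"           # hypothetical registry name
GIT_CONTEXT="${GIT_CONTEXT:-https://github.com/example-org/example-app.git}"
GIT_PAT="${GIT_PAT:-<git-access-token>}"
PIPELINE_HOOK_URI="${PIPELINE_HOOK_URI:-https://example.invalid/ado-trigger}"
SENTINEL_REPO="base-sentinel"      # repository that only task 1 pushes to

# Task 1: Dockerfile.sentinel (hypothetical file) contains only
#   FROM microsoft/aspnet:4.7.1-windowsservercore-ltsc2016
# so ACR rebuilds it when that base image changes.
create_sentinel_task() {
  "$AZ" acr task create --registry "$ACR" --name sentinel-task \
    --image "$SENTINEL_REPO:{{.Run.ID}}" \
    --context "$GIT_CONTEXT" --file Dockerfile.sentinel \
    --git-access-token "$GIT_PAT" --platform windows \
    --commit-trigger-enabled false \
    --base-image-trigger-enabled true
}

# Task 2: the real application Dockerfile, no automatic triggers.
# The Azure DevOps pipeline starts it with: az acr task run --name app-task
create_app_task() {
  "$AZ" acr task create --registry "$ACR" --name app-task \
    --image "app:{{.Run.ID}}" \
    --context "$GIT_CONTEXT" --file Dockerfile \
    --git-access-token "$GIT_PAT" --platform windows \
    --commit-trigger-enabled false \
    --base-image-trigger-enabled false
}

# Webhook fires only for pushes to the sentinel repository.
create_sentinel_webhook() {
  "$AZ" acr webhook create --registry "$ACR" --name basechanged \
    --uri "$PIPELINE_HOOK_URI" --actions push \
    --scope "$SENTINEL_REPO:*"
}

if [ "${1:-}" = "apply" ]; then
  create_sentinel_task
  create_app_task
  create_sentinel_webhook
  # The base image dependency is discovered on the first run.
  "$AZ" acr task run --registry "$ACR" --name sentinel-task
fi
```

Run with `AZ=echo sh script.sh apply` to review the generated commands before applying them to a registry.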
@jakaruna-MSFT Thanks for the work around!
One question for ACR task #1, where we create a dummy docker file with only the base image in it with `--base-image-trigger-enabled True`: will this work with an image from a public repo? For example, we use the Microsoft official image "microsoft/aspnet:4.7.1-windowsservercore-ltsc2016" from https://hub.docker.com/_/microsoft-dotnet-framework-aspnet?tab=description.
Once again, thanks for the work around, we will try this out!
@denhsu I haven't tried that yet. But the document says that it works with public images as well. So it should work. Link here.
Try that workaround and open a new issue if you face any issues.
I will close this out for now. Please open a new issue or an MSDN thread if the issue is not related to doc improvement.
thanks @jakaruna-MSFT