Use gates and approvals to control your deployment

Azure Pipelines | Azure DevOps Server 2020 | Azure DevOps Server 2019 | TFS 2018

Note

In Microsoft Team Foundation Server (TFS) 2018 and previous versions, build and release pipelines are called definitions, runs are called builds, service connections are called service endpoints, stages are called environments, and jobs are called phases.

By using a combination of manual deployment approvals, gates, and manual intervention in your release pipeline, you can quickly and easily configure your deployment to meet all the specific pre-deployment requirements for your DevOps CI/CD workflow.

In this tutorial, you will learn about:

  • Pre-deployment gates
  • Manual intervention
  • Manual validation
  • Deployment logs

Prerequisites

Set up gates

You can use gates to ensure that the release pipeline meets specific criteria before deployment without requiring user intervention.

  1. Select Releases, select your release pipeline, and then select Edit to open the pipeline editor.

    Edit the release pipeline

  2. Select the pre-deployment icon for your stage to open the pre-deployment conditions panel, and then select the toggle button to Enable gates.

    Enable gates

  3. Enter the delay time before the added gates are evaluated. This time is to allow gate functions to initialize and stabilize before returning results.

    Gates delay time

  4. Select Add, and then choose the Query Work Items task.

    Adding Query work items task

  5. Select an existing work item query or create your own. Depending on how many work items you expect the query to return, set your maximum and minimum thresholds.

    Configuring the Query Work Items task

  6. Select the Evaluation options section, and then specify the timeout and the sampling interval. The minimum values you can specify are a 6-minute timeout and a 5-minute sampling interval.

    Evaluation options setup

  7. Select Save when you are done.

    Save a release pipeline

Set up manual intervention

Depending on the scenario, sometimes you may need to add manual intervention to your release pipeline. You can do this by adding the Manual Intervention task to your pipeline.

  1. Select your release pipeline, and then select Tasks and choose your stage.

    Stage tasks

  2. Select the ellipses (...) from your stage definition, and then select Add agentless job.

    Add agentless job

    Note

    The Manual Intervention task can only be used in an agentless job.

  3. Drag and drop the agentless job to the start of the deployment process. Select the + sign, and then select Add the Manual Intervention task.

    Add a Manual Intervention task

  4. Configure the task by entering the Instructions to be displayed when the task is triggered.

    Configure the Manual Intervention task

    You can specify a list of users to be notified when the deployment is pending manual approval. You can also specify a timeout and the action (approve or reject) that occurs if there is no intervention within the timeout period. See the Manual Intervention task for more details.

  5. Select Save when you are done.

Set up manual validation

You can use the manual validation task in your YAML to pause the pipeline run and wait for manual approval. Manual validation is especially useful in scenarios where you want to pause a pipeline and validate configuration settings or build packages before starting a computation-intensive job.

The waitForValidation job pauses the run and triggers a prompt within the Pipeline UI to review and validate the task. The email addresses listed in notifyUsers receive a notification to approve or deny the pipeline run.

Add validation for the pipeline to continue.

pool:
  vmImage: ubuntu-latest

jobs:
- job: waitForValidation
  displayName: Wait for external validation
  pool: server                  # agentless job; no build agent is held while waiting
  timeoutInMinutes: 4320        # job times out in 3 days
  steps:
  - task: ManualValidation@0
    timeoutInMinutes: 1440      # task times out in 1 day
    inputs:
      notifyUsers: |
        someone@example.com
      instructions: 'Please validate the build configuration and resume'
      # 'resume' lets the run continue if nobody responds before the task
      # timeout; 'reject' fails the task instead.
      onTimeout: 'resume'
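
The following variant is an added example, not part of the original documentation. It shows the validation job failing closed and gating a later job, so that an unanswered or rejected prompt stops the deployment. The job name deploy and its script step are hypothetical placeholders.

```yaml
# Added example: fail-closed manual validation gating a later job.
# The "deploy" job and its script step are hypothetical placeholders.
jobs:
- job: waitForValidation
  displayName: Wait for external validation
  pool: server                  # agentless job; ManualValidation requires it
  timeoutInMinutes: 4320        # job times out in 3 days
  steps:
  - task: ManualValidation@0
    timeoutInMinutes: 1440      # task times out in 1 day (shorter than the job timeout)
    inputs:
      notifyUsers: |
        someone@example.com
      instructions: 'Please validate the build configuration and resume'
      onTimeout: 'reject'       # no response within the timeout fails the task

- job: deploy
  displayName: Deploy after validation
  dependsOn: waitForValidation  # without this, the jobs have no ordering between them
  condition: succeeded()        # skipped when validation is rejected or times out
  pool:
    vmImage: ubuntu-latest
  steps:
  - script: echo "deployment steps go here"
    displayName: Placeholder deployment step
```

With onTimeout set to 'resume', the same pipeline would continue to the deploy job after one day even if no reviewer had looked at the prompt.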

View deployment logs

Deployment logs can be very useful when debugging deployment issues. You can also use the logs to audit the run and verify approvals and how they were granted and by whom.

  1. Select Releases, and then select your release pipeline.

    Release summary

  2. This view will show you a live status of each stage in your pipeline. The QA stage in this example is pending intervention. Select Resume.

    Stage pending intervention

  3. Enter your comment, and then select Resume.

    Resume task

  4. Return to your release pipeline. The QA stage deployment succeeded and the pre-deployment approvals are triggered for the Production stage.

    Pre-deployment approval triggered for next stage

  5. Select Approve, enter your comment, and then select Approve to continue deployment.

    Approve deployment

  6. Return to your release pipeline. The live status indicates that the gates are being processed for the Production stage before the release continues.

    status: processing gates

  7. Return to your release pipeline, hover over the stage you want to audit, and then select Logs to view the logs.

    View logs
