Azure Devops
Azure DevOps pipeline security, YAML structure, variable management, and deployment patterns
Azure DevOps Pipelines Code Review Rules
Security (Critical)
- Use service connections with minimal permissions
- Store secrets in Variable Groups linked to Key Vault
- Use secure files for certificates/keys
- Enable branch policies for protected branches
- Require approvals for production environments
- Scan pipeline YAML for hardcoded secrets/credentials
- Review inline scripts for command injection, unsafe variable expansion, and commonly exploited patterns
- Consider using static analysis tools for script security
- Avoid echoing secrets in script output
- Use credential scanning tools in PR validation
- Validate compile-time template expressions (
${{ }}) to prevent injection during pipeline parsing; avoid direct user input in template expansion
- Sanitize runtime variables (
$()) before using in scripts to prevent command injection; never interpolate untrusted data into script commands
Variables
${{ }} for compile-time, $() for runtimeDon't hardcode environment-specific valuesFollow naming conventions: use camelCase or UPPER_SNAKE_CASEName Variable Groups clearly (e.g., prod-app-config)Understand variable override precedence (job > stage > root > variable group); see docs for advanced patternsDocument variable purpose in Variable Group descriptionsTask Management (Essential)
- Pin task versions (
task@2 not task)
- Use built-in tasks over script when available
- Explicitly specify agent pool (
pool: vmImage or pool: name)
- Review custom scripts for embedded secrets or insecure code
- Avoid inline scripts for complex logic (use script files)
- Set
continueOnError only when intentional
- Use
condition for conditional execution
- Set task timeouts to prevent hanging jobs
Stages and Jobs
- Use stages for environment progression (dev -> staging -> prod)
- Use deployment jobs for environment deployments
- Define explicit
dependsOn for job ordering
- Use parallel jobs where independent
- Follow naming conventions: use descriptive stage/job names
- Set resource limits (
pool.demands) when needed
- Configure concurrency limits for deployment jobs
- Use meaningful
displayName for stages and jobs
Environments
- Create environments for each deployment target
- Configure approvals and checks on environments
- Use environment variables for environment-specific config
- Track deployments in environment history
Templates
- Extract reusable steps into templates
- Use parameters for template customization
- Store templates in a shared repository
- Version template references
- Document template purpose and parameters
- Validate template compatibility before use
- Handle template inclusion errors gracefully
- Test template changes before merging
- For complex parameter overrides, see Azure DevOps Template Documentation
Best Practices
02
Security (Critical)
CI/CD
Openclaw Parallels Smoke
End-to-end Parallels smoke, upgrade, and rerun workflow for OpenClaw across macOS, Windows, and Linux guests. Use when Codex needs to run, rerun, debug, or interpret VM-based install, onboarding, gateway smoke tests, latest-release-to-main upgrade checks, fresh snapshot retests, or optional Discord roundtrip verification under Parallels.