You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/ci-cd/azure-devops.md
+43-10Lines changed: 43 additions & 10 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -65,7 +65,7 @@ flowchart TD
65
65
J --> L[Log: create a pull request]
66
66
```
67
67
68
-
1.**Node.js setup** — Installs Node.js 22.x via `NodeTool@0`
68
+
1.**Node.js setup** — Installs Node.js 22.x via `UseNode@1`
69
69
2.**Install dependencies** — Runs `npm ci`
70
70
3.**Run extract** — Executes `apiops extract` via `AzureCLI@2` task, authenticating through the service connection
71
71
4.**Publish artifacts** — Uploads the artifact directory as a pipeline artifact named `apim-artifacts`
@@ -127,24 +127,26 @@ The pipeline runs automatically when changes to artifact files or configuration
127
127
| Parameter | Type | Default | Description |
128
128
|-----------|------|---------|-------------|
129
129
| `COMMIT_ID_CHOICE` | string | `publish-artifacts-in-last-commit` | Choose `publish-artifacts-in-last-commit` for incremental publish, or `publish-all-artifacts-in-repo` for a full publish |
130
-
| `ENVIRONMENT` | string | `all` | Which environment to publish to: `all`, `dev`, or `prod` |
130
+
| `ENVIRONMENT` | string | `dev` | Which environment to publish to (for example `dev` or `prod`) |
131
131
132
132
### Multi-Stage Deployment
133
133
134
-
The pipeline generates one stage per environment. Stages run sequentially — each stage depends on the previous:
134
+
The pipeline generates one stage per environment. The selected stage runs based on the `ENVIRONMENT` parameter.
135
135
136
136
```mermaid
137
137
flowchart LR
138
-
A[Publish_dev] --> B[Publish_prod]
138
+
A[ENVIRONMENT=dev] --> B[Publish_dev]
139
+
C[ENVIRONMENT=prod] --> D[Publish_prod]
139
140
```
140
141
141
142
Each stage:
142
143
143
-
1. **Conditionally runs** — Only executes if the `ENVIRONMENT` parameter matches the stage name or is `all`
144
+
1. **Conditionally runs** — Only executes when the `ENVIRONMENT` parameter matches the stage name
144
145
2. **Uses a deployment job** — Wraps the publish step in a `deployment` job targeting an [Azure DevOps environment](https://learn.microsoft.com/en-us/azure/devops/pipelines/process/environments) for approval gates
145
146
3. **Loads per-environment variables** — Each stage uses its own variable group (`apim-dev`, `apim-prod`)
146
147
4. **Authenticates per-environment** — Uses environment-specific service connections (`AZURE_SERVICE_CONNECTION_DEV`, `AZURE_SERVICE_CONNECTION_PROD`)
@@ -293,6 +295,35 @@ In your `package.json`, pin to a specific version:
293
295
}
294
296
```
295
297
298
+
### Using Token Substitution
299
+
300
+
To replace `{#[TOKEN_NAME]#}` placeholders in `configuration.<env>.yaml` with secret variable values:
301
+
302
+
1. **Install the [Replace Tokens extension](https://marketplace.visualstudio.com/items?itemName=qetza.replacetokens)** in your Azure DevOps organization (if not already installed).
303
+
304
+
You can do this via CLI:
305
+
```bash
306
+
az devops extension install --publisher-id qetza --extension-id replacetokens
307
+
```
308
+
309
+
2. **Add secret variables** to the `apim-<env>` variable group. See the Azure DevOps documentation for [adding variables to a variable group](https://learn.microsoft.com/en-us/azure/devops/pipelines/library/variable-groups) and [marking variables as secret](https://learn.microsoft.com/en-us/azure/devops/pipelines/process/set-secret-variables).
310
+
311
+
For example, to substitute `{#[BACKEND_URL]#}` in your configuration file:
312
+
313
+
`configuration.prod.yaml`:
314
+
```yaml
315
+
backends:
316
+
- name: my-backend
317
+
properties:
318
+
url: "{#[BACKEND_URL]#}"
319
+
```
320
+
321
+
Add `BACKEND_URL` as a secret variable in the `apim-prod` variable group with the actual backend URL as the value.
322
+
323
+
3. The substitution step runs automatically before publish.
324
+
325
+
See the [Token Substitution Guide](../guides/token-substitution.md) for full details, including migration from APIOps Toolkit.
326
+
296
327
---
297
328
298
329
## Troubleshooting
@@ -301,20 +332,22 @@ In your `package.json`, pin to a specific version:
301
332
|---------|-------|-----|
302
333
| `AzureCLI@2` fails with "service connection not found" | Variable group not linked or variable name mismatch | Verify the variable group is linked to the pipeline and `AZURE_SERVICE_CONNECTION` is defined |
303
334
| Extract shows "No changes to commit" | APIM config hasn't changed since last extract | Expected behavior — no branch is created |
304
-
| Publish stage is skipped | `ENVIRONMENT` parameter doesn't match the stage | Set `ENVIRONMENT` to `all` or the specific stage name |
335
+
| Publish stage is skipped | `ENVIRONMENT` parameter doesn't match the stage | Set `ENVIRONMENT` to the specific stage name (for example `dev` or `prod`) |
305
336
| `npm ci` fails | `package.json` or `package-lock.json` missing | Run `apiops init` to generate project files, then commit them |
306
337
| "publish-all-artifacts-in-repo" deploys everything | Expected — this mode publishes all artifacts, ignoring git diff | Use `publish-artifacts-in-last-commit` (default) for incremental |
| Run is stuck with "This pipeline needs permission to access a resource" | Environment resource isn't authorized for pipeline use | Authorize the environment in Azure DevOps or run the prompt step that PATCHes `pipelinePermissions/environment/{id}` with `{"allPipelines":{"authorized":true}}` |
308
340
| `--subscription-id` error | `AZURE_SUBSCRIPTION_ID` not set in variable group | Add it to the relevant variable group |
309
341
310
342
---
311
343
312
-
## Related
344
+
## Further Reading
313
345
314
346
- [GitHub Actions Integration](github-actions.md) — alternative CI/CD platform
Copy file name to clipboardExpand all lines: docs/ci-cd/github-actions.md
+21-1Lines changed: 21 additions & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -100,7 +100,8 @@ The workflow runs automatically when changes are pushed to `main` in these paths
100
100
1. **Resolves the commit ID** — captures `GITHUB_SHA` for incremental publish.
101
101
2. **Checks out the repository** with `fetch-depth: 2` (needed for git diff).
102
102
3. **Authenticates with Azure** using OIDC federated credentials.
103
-
4. **Runs `apiops publish`** in one of two modes:
103
+
4. **Substitutes tokens** — replaces `{#[TOKEN_NAME]#}` placeholders in `configuration.<env>.yaml` with pipeline secret values.
104
+
5. **Runs `apiops publish`** in one of two modes:
104
105
- **Incremental** (default): uses `--commit-id` to publish only changed files.
105
106
- **Full**: publishes all artifacts in the repository (useful for recovery or initial setup).
106
107
@@ -212,6 +213,24 @@ Use GitHub environment protection rules for production deployments:
212
213
213
214
The publish workflow will pause and wait for approval before deploying to prod.
214
215
216
+
### Using Token Substitution
217
+
218
+
To replace `{#[TOKEN_NAME]#}` placeholders in your configuration YAML with pipeline secrets, add the secret mappings to the `env:` block of the generated substitution step:
219
+
220
+
```yaml
221
+
- name: Substitute tokens in configuration.prod.yaml
222
+
uses: cschleiden/replace-tokens@v1.3
223
+
with:
224
+
tokenPrefix: '{#['
225
+
tokenSuffix: ']#}'
226
+
files: '["configuration.prod.yaml"]'
227
+
env:
228
+
MY_SECRET: ${{ secrets.MY_SECRET }}
229
+
BACKEND_URL: ${{ secrets.BACKEND_URL }}
230
+
```
231
+
232
+
See the [Token Substitution Guide](../guides/token-substitution.md) for full details, including migration from APIOps Toolkit.
233
+
215
234
### Adding Environment Overrides
216
235
217
236
To use [environment-specific overrides](../guides/environment-overrides.md), add the `--overrides` flag to the publish step in the workflow:
@@ -271,4 +290,5 @@ For authentication issues, see the [Authentication Guide](../guides/authenticati
271
290
272
291
- [Authentication Guide](../guides/authentication.md) — all auth methods and RBAC roles
0 commit comments