CI/CD Standard — Azure Pipelines¶

v1.0 — 2026-06-06

Structure¶

Multi-stage YAML (Build → Test → Deploy) living next to the code (azure-pipelines.yml); classic (UI) pipelines disabled.
Shared steps via includes templates; org-mandated skeleton (credential scan, mandatory steps) via extends templates in a central pipeline-templates repo.
Every repo's PR pipeline runs: restore → build (warnings as errors) → format check (dotnet format --verify-no-changes / prettier --check + lint) → tests with coverage.
Coverage gate: compare touched-project coverage against the target branch; fail the build if it drops by more than 5 percentage points (see Testing standard).
Performance gate (frontend repos): bundle budgets fail the build (Angular budgets / size-limit); Lighthouse CI on public pages where feasible (see frontend standards).

Secrets via Key Vault-backed variable groups; passed as explicit env vars to steps; never echoed. Fork PR builds get no secrets.
Service connections, agent pools, variable groups require pipeline authorization; production stages deploy to environments with approvals/checks.
Pin task versions; shallow clone; limit job authorization scope to current project.

Database migrations applied as a pipeline step from generated idempotent scripts/bundles (see DB standard) — never by the app.
Artifacts built once, promoted through stages (no rebuild per environment).
Branch-to-environment mapping: merge to staging auto-deploys to staging; merge to production deploys after environment approval; production merges are tagged vX.Y.Z (see Git standard).
Rollback path documented per service; rollback = redeploy the previous production tag.