Using Release Gates to protect quality in Azure DevOps

Using Release Gates to protect quality in Azure DevOps

Release gates in Azure DevOps enable automated checks to validate deployment quality by integrating key metrics, compliance checks, and performance benchmarks. Below are steps and scenarios to implement release gates that align with specific quality requirements.

1. Key Quality Criteria with Release Gates

1. No New Blocker Issues

What to Check:

Ensure there are no new high-severity or blocker issues associated with the release.

Implementation:

Use the Query Work Items gate to check Azure Boards for unresolved blocker-level issues.

Example Query:

xxxxxxxxxx
3
1
SELECT [State], [Severity]
2
FROM WorkItems
3
WHERE [Severity] = 'Blocker' AND [State] <> 'Closed'

2. Code Coverage on New Code > 80%

What to Check:

Validate that new or modified code has adequate test coverage.

Implementation:

1. Integrate tools like SonarQube or Azure Test Plans.

2. Use the HTTP Check gate to query coverage metrics from the testing or analysis tool.

3. Example: Block deployment if coverage drops below 80%.

4. No License Violations

What to Check:

Ensure that all dependencies comply with organizational licensing policies.

Implementation:

1. Use tools like WhiteSource or Snyk to scan for license issues.

2. Trigger a Custom Azure Function or HTTP Check to validate compliance reports.

3. Example: Block deployment if GPL or unapproved licenses are detected.

4. No Vulnerabilities in Dependencies

What to Check:

Ensure there are no critical or high-severity vulnerabilities in the project's dependencies.

Implementation:

1. Leverage tools like Azure Defender, Snyk, or Dependabot for vulnerability scans.

2. Configure an HTTP Check gate to fetch and validate results.

3. Example: Block deployment if any critical vulnerabilities are found.

4. No New Technical Debt Introduced

What to Check:

Ensure the release does not increase the technical debt.

Implementation:

1. Integrate SonarQube or similar tools to assess technical debt.

2. Use an HTTP Check gate to query metrics and ensure debt remains within acceptable limits.

3. Compliance Checks

What to Check:

Validate adherence to compliance standards, such as security policies or data protection regulations.

Implementation:

1. Integrate tools like ServiceNow or custom compliance solutions.

2. Use HTTP Check or Azure Functions gates to query compliance systems.

3. Example: Block deployment if compliance checks fail.

4. Are There Work Items Linked to the Release?

What to Check:

Ensure the release is linked to the appropriate work items in Azure Boards.

Implementation:

Use the Query Work Items gate to validate that all changes are tied to work items.

Example Query:

xxxxxxxxxx
3
1
SELECT [Id], [State]
2
FROM WorkItems
3
WHERE [LinkedToRelease] = true AND [State] NOT IN ('Closed', 'Resolved')

8. Is the Release Started by Someone Other Than the Code Committer?

What to Check:

Ensure the person initiating the release is different from the one who committed the code (separation of duties).

Implementation:

1. Use custom Azure Functions or scripts to compare the release starter and code committer identities.

2. Example: Block deployment if the same person both commits the code and starts the release.

3. Is the Performance Not Affected After a New Release?

What to Check:

Ensure the release does not degrade system performance.

Implementation:

1. Use Azure Monitor Alerts to track performance metrics like response time, CPU usage, and error rates.

2. Example: Configure a gate to block deployment if response times exceed 10% of baseline metrics.

2. Configuring Release Gates in Azure DevOps

1. Step 1: Create or Edit a Release Pipeline

   • Navigate to Pipelines > Releases in Azure DevOps.

   • Select a pipeline or create a new one with stages.

2. Step 2: Enable Gates

   • Open the Pre-deployment conditions or Post-deployment conditions for a stage.

   • Enable Gates and add the required gate types.

3. Step 3: Configure Gate Types For each quality criterion, configure the appropriate gate type:

   • Query Work Items: Validate blocker issues, linked work items, or compliance-related tasks.

   • HTTP Check: Integrate external tools for code coverage, technical debt, or security scans.

   • Azure Monitor Alerts: Validate performance metrics like response time and error rate.

   • Azure Functions: Add custom logic to validate separation of duties, compliance, or other criteria.

4. Step 4: Set Polling and Timeout Settings

   • Polling Interval: How often the gate checks (e.g., every 5 minutes).

   • Timeout: Maximum time allowed for validation (e.g., 1 hour).

5. Step 5: Save and Test Save the pipeline and test the configuration by triggering a release.

3. Benefits of Using Gates for Quality Assurance

1. Automated Validation: Reduces manual effort while ensuring consistent quality checks.

2. Improved Governance: Enforces compliance, security, and quality standards automatically.

3. Early Issue Detection: Identifies potential issues in early stages of deployment.

4. Reduced Deployment Risks: Prevents faulty releases from progressing to production environments.

Example Workflow with Gates

Pipeline Configuration:

1. Development Stage: No gates for rapid iteration.

2. Staging Stage:

   • Pre-deployment gates:

   • Check for blocker issues.

   • Validate code coverage >80%.

   • Verify no vulnerabilities or license violations.

   • Post-deployment gates:

   • Validate performance metrics against baseline.

3. Production Stage:

   • Pre-deployment gates:

   • Ensure all compliance checks pass.

   • Verify separation of duties.

   • Post-deployment gates:

   • Confirm no performance degradation after deployment.

Summary

Using release gates strategically in Azure DevOps helps ensure high-quality, secure, and reliable releases while enforcing best practices in software delivery.