General availability of Team automation rules and improved AB# validation

We're excited to announce that improved AB# validation by the Azure Boards App in GitHub and Team Automation rules are generally available! We improved AB# validation so that you can get notified when a link to a work item is not valid. In Team Automation Rules, you can now configure each backlog level to automate the opening and closing/resolving of work items based on the state(s) of the child item.

With this update, we also introduce support for custom CodeQL queries in Code scanning! This will let you craft your own queries tailored to identify issues specific to your codebase.

Check out the release notes for details.

GitHub Advanced Security for Azure DevOps

Azure Boards

Azure Pipelines

GitHub Advanced Security for Azure DevOps

Custom CodeQL queries now supported in GitHub Advanced Security for Azure DevOps

We're thrilled to announce the introduction of support for custom CodeQL queries in Code scanning! This enables you to craft your own queries tailored to identify issues specific to your codebase. Now, you can create and publish packs containing custom queries, execute these queries in your pipelines, and customize the detection of vulnerabilities that are pertinent to your organization.

For more information on utilizing custom queries for code scanning in GitHub Advanced Security for Azure DevOps, see to Code scanning alerts for GitHub Advanced Security for Azure DevOps.

We value your input. If you have any questions or feedback, we encourage you to engage with our community at Developer Community.

Azure Boards

GitHub Integration - Improved AB# validation is generally available

A few sprints ago we announced the preview for improved AB# validation by the Azure Boards App in GitHub. We've enhanced the app to better notify users about the validity of work item links, helping them spot and fix any issues before merging a Pull Request.

After several weeks of testing and feedback, this feature is now available to all users using the GitHub + Azure Boards integration.

Screenshots of improved validation.

This is the first of several features we're making to improve the current integration. Be sure to check out the other Azure Boards + GitHub integration features we have planned on the public roadmap.

Important

As of 8/6/2024, the Azure Boards App in GitHub will no longer validate AB# links. You can still use the AB# syntax to link work items in your GitHub pull requests, commits, and issues as you could prior to this change.

Team Automation Rules is generally available

We're happy to announce the release of this feature to all customers of Azure DevOps Service.

Note

This feature will roll out over the next two to three weeks. It may not be available to your organization until early February 2024.

You can now configure each backlog level to automate the opening and closing (or resolving) of work items based on the state of the child items. There are two main scenarios we're attempting to solve.

  • When a single child item is activated, then activate the parent.
  • When all child items are closed, then close the parent (or resolve it).

To enable these settings, click on the backlog level configuration for your team. Then go to the Automation > Rules tab to see the two different rules you can apply to your backlog. Each backlog level (requirements, features, epics) can be configured differently depending on how your team wants to work.

Screenshots of team settings.

For example, when any child Task is set to Active, make the parent User Story active. Then, when all Tasks are completed, set the User Story to Closed.

Gif to demo closing user story.

You can learn more about this feature by reviewing the documentation and this blog post.

This feature was prioritized based on this Developer Community suggestion ticket.

Azure Pipelines

Update deprecated tasks before January 31

We are retiring deprecated tasks on January 31, 2024. To help you identify the pipelines that are using these tasks, we have included a warning message with a suggested alternative. We encourage you to update your pipelines to use a newer task version or an alternative before January 31, 2024.

Screenshot of task-specific deprecation warnings.

See earlier announcements related to deprecated tasks:

Microsoft hosted agents use PowerShell 7.4

All Microsoft hosted agents will start using PowerShell 7.2 LTS to PowerShell 7.4 LTS from January 28. See What's New in PowerShell 7.4 and PowerShell 7.4 General Availability.

Take note of breaking changes and update your scripts accordingly:

New Azure service connection secrets expire in three months

Azure Service Connections where Azure DevOps creates the secret, will have a secret expiration of three months instead of two years.

To eliminate the need to rotate secrets, convert your service connection to use Workload identity federation instead. You can use the below sample script to quickly convert multiple Azure service connections to Workload identity federation:

#!/usr/bin/env pwsh
<# 
.SYNOPSIS 
    Convert multiple Azure Resource Manager service connection(s) to use Workload identity federation

.LINK
    https://aka.ms/azdo-rm-workload-identity-conversion

.EXAMPLE
    ./convert_azurerm_service_connection_to_oidc_simple.ps1 -Project <project> -OrganizationUrl https://dev.azure.com/<organization>
#> 
#Requires -Version 7.3

param ( 
    [parameter(Mandatory=$true,HelpMessage="Name of the Azure DevOps Project")]
    [string]
    [ValidateNotNullOrEmpty()]
    $Project,

    [parameter(Mandatory=$true,HelpMessage="Url of the Azure DevOps Organization")]
    [uri]
    [ValidateNotNullOrEmpty()]
    $OrganizationUrl
) 
$apiVersion = "7.1"
$PSNativeCommandArgumentPassing = "Standard" 

#-----------------------------------------------------------
# Log in to Azure
$azdoResource = "499b84ac-1321-427f-aa17-267ca6975798"
az login --allow-no-subscriptions --scope ${azdoResource}/.default
$OrganizationUrl = $OrganizationUrl.ToString().Trim('/')

#-----------------------------------------------------------
# Retrieve the service connection
$getApiUrl = "${OrganizationUrl}/${Project}/_apis/serviceendpoint/endpoints?authSchemes=ServicePrincipal&type=azurerm&includeFailed=false&includeDetails=true&api-version=${apiVersion}"
az rest --resource $azdoResource -u "${getApiUrl} " -m GET --query "sort_by(value[?authorization.scheme=='ServicePrincipal' && data.creationMode=='Automatic' && !(isShared && serviceEndpointProjectReferences[0].projectReference.name!='${Project}')],&name)" -o json `
        | Tee-Object -Variable rawResponse | ConvertFrom-Json | Tee-Object -Variable serviceEndpoints | Format-List | Out-String | Write-Debug
if (!$serviceEndpoints -or ($serviceEndpoints.count-eq 0)) {
    Write-Warning "No convertible service connections found"
    exit 1
}

foreach ($serviceEndpoint in $serviceEndpoints) {
    # Prompt user to confirm conversion
    $choices = @(
        [System.Management.Automation.Host.ChoiceDescription]::new("&Convert", "Converting service connection '$($serviceEndpoint.name)'...")
        [System.Management.Automation.Host.ChoiceDescription]::new("&Skip", "Skipping service connection '$($serviceEndpoint.name)'...")
        [System.Management.Automation.Host.ChoiceDescription]::new("&Exit", "Exit script")
    )
    $prompt = $serviceEndpoint.isShared ? "Convert shared service connection '$($serviceEndpoint.name)'?" : "Convert service connection '$($serviceEndpoint.name)'?"
    $decision = $Host.UI.PromptForChoice([string]::Empty, $prompt, $choices, $serviceEndpoint.isShared ? 1 : 0)

    if ($decision -eq 0) {

        Write-Host "$($choices[$decision].HelpMessage)"
    } elseif ($decision -eq 1) {
        Write-Host "$($PSStyle.Formatting.Warning)$($choices[$decision].HelpMessage)$($PSStyle.Reset)"
        continue 
    } elseif ($decision -ge 2) {
        Write-Host "$($PSStyle.Formatting.Warning)$($choices[$decision].HelpMessage)$($PSStyle.Reset)"
        exit 
    }

    # Prepare request body
    $serviceEndpoint.authorization.scheme = "WorkloadIdentityFederation"
    $serviceEndpoint.data.PSObject.Properties.Remove('revertSchemeDeadline')
    $serviceEndpoint | ConvertTo-Json -Depth 4 | Write-Debug
    $serviceEndpoint | ConvertTo-Json -Depth 4 -Compress | Set-Variable serviceEndpointRequest
    $putApiUrl = "${OrganizationUrl}/${Project}/_apis/serviceendpoint/endpoints/$($serviceEndpoint.id)?operation=ConvertAuthenticationScheme&api-version=${apiVersion}"
    # Convert service connection
    az rest -u "${putApiUrl} " -m PUT -b $serviceEndpointRequest --headers content-type=application/json --resource $azdoResource -o json `
            | ConvertFrom-Json | Set-Variable updatedServiceEndpoint
    
    $updatedServiceEndpoint | ConvertTo-Json -Depth 4 | Write-Debug
    if (!$updatedServiceEndpoint) {
        Write-Debug "Empty response"
        Write-Error "Failed to convert service connection '$($serviceEndpoint.name)'"
        exit 1
    }
    Write-Host "Successfully converted service connection '$($serviceEndpoint.name)'"
}

Next steps

Note

These features will roll out over the next two to three weeks.

Head over to Azure DevOps and take a look.

How to provide feedback

We would love to hear what you think about these features. Use the help menu to report a problem or provide a suggestion.

Make a suggestion

You can also get advice and your questions answered by the community on Stack Overflow.

Thanks,

Dan Hellem