@proplan-utvikling/pipelines
v1.0.1
Published
Shared Azure DevOps YAML pipeline templates for Proplan applications.
Readme
pipelines/
Azure DevOps YAML pipeline templates for building, testing, and deploying Angular web apps and Azure Functions applications.
Folder structure
pipelines/
consumer-setup.yml Copy-paste reference for wiring any consumer repo to this library
templates/
shared/ Reusable step and variable templates
web-appservices/ Angular → Azure App Service pipelines
azure-functions/ Node.js → Azure Functions pipelines
infra/ Infrastructure provisioning pipelines
pr-pipeline.yml Generic CI-only PR validation (no deployment)
examples/ Fully worked example pipelinesPrerequisites
1. Declare this repo as a resource
Add the following to every consumer repo's azure-pipelines.yml:
resources:
repositories:
- repository: infrastructure # alias used in @infrastructure suffix
type: git
name: Proplan/Proplan.Infrastructure # <ADO project>/<repo name>
ref: refs/heads/main # or pin to a tag: refs/tags/v1.02. Required ADO setup
| Requirement | Where to configure |
| -------------------------------------- | ---------------------------------------------------------------------------------------------------------------------- |
| Azure service connection | ADO → Project Settings → Service connections → New → Azure Resource Manager (Workload Identity Federation recommended) |
| ADO Environment (for deployment gates) | ADO → Pipelines → Environments → New environment. Add approvals under Approvals and checks. |
| Repository authorisation | First run will prompt — or pre-approve via Proplan.Infrastructure → Settings → Permissions |
| OAuth token (AI review) | Pipeline → Edit → … → Triggers → Allow scripts to access the OAuth token |
| Snyk service connection | ADO → Project Settings → Service connections → New → Snyk (install Snyk Security extension first) |
| AI API key | Pipeline → Edit → Variables → AI_API_KEY (lock the variable) |
Pipeline entrypoints
Web App (Angular → App Service)
Full CI/CD
extends:
template: pipelines/templates/web-appservices/pipeline.yml@infrastructure
parameters:
azureSubscription: "sc-myapp-prod" # required
appName: "myapp-prod" # required
environmentName: "production" # required
# --- optional ---
nodeVersion: "20.x"
buildConfiguration: "production"
slotName: "production"
variableGroups: [myapp-common, myapp-prod]
lintEnabled: true
testEnabled: true
snykEnabled: false
aiReviewEnabled: falsePR preview (deploys to ephemeral slot pr-<id>)
pr:
branches:
include: ["*"]
extends:
template: pipelines/templates/web-appservices/pr-pipeline.yml@infrastructure
parameters:
azureSubscription: "sc-myapp-prod" # required
appName: "myapp-prod" # required
resourceGroup: "rg-myapp-prod" # required
# --- optional ---
aiReviewEnabled: false
snykEnabled: falsePR slot cleanup (run on PR completion / abandonment)
extends:
template: pipelines/templates/web-appservices/pr-cleanup-pipeline.yml@infrastructure
parameters:
azureSubscription: "sc-myapp-prod"
appName: "myapp-prod"
resourceGroup: "rg-myapp-prod"Azure Functions (Node.js → Function App)
Full CI/CD
extends:
template: pipelines/templates/azure-functions/pipeline.yml@infrastructure
parameters:
azureSubscription: "sc-myapp-prod"
appName: "myapp-prod-func"
environmentName: "production"
# --- optional ---
appType: "functionAppLinux" # functionApp | functionAppLinux
nodeVersion: "20.x"
variableGroups: [myapp-common, myapp-prod]
snykEnabled: false
aiReviewEnabled: falsePR preview and cleanup
# PR preview
extends:
template: pipelines/templates/azure-functions/pr-pipeline.yml@infrastructure
parameters:
azureSubscription: 'sc-myapp-prod'
appName: 'myapp-prod-func'
resourceGroup: 'rg-myapp-prod'
# PR slot cleanup
extends:
template: pipelines/templates/azure-functions/pr-cleanup-pipeline.yml@infrastructure
parameters:
azureSubscription: 'sc-myapp-prod'
appName: 'myapp-prod-func'
resourceGroup: 'rg-myapp-prod'Note: Deployment slots require Standard (
S1) or higher App Service Plan. Consumption plan Function Apps do not support slots.
Generic PR validation (CI-only, no deployment)
Runs lint, build, tests, code coverage, and optional Snyk/AI review. No Azure credentials needed.
pr:
branches:
include: ["*"]
extends:
template: pipelines/templates/pr-pipeline.yml@infrastructure
parameters:
appType: "angular" # required: angular | functions
# --- optional ---
lintEnabled: true
testEnabled: true
buildEnabled: true
snykEnabled: false
aiReviewEnabled: false
variableGroups: [myapp-common]Application Insights infrastructure
Provisions (or updates) a Log Analytics Workspace and Application Insights instance using Bicep.
extends:
template: pipelines/templates/infra/app-insights-pipeline.yml@infrastructure
parameters:
azureSubscription: "sc-myapp-prod" # required
resourceGroup: "rg-myapp-prod" # required
appInsightsName: "myapp-prod" # required
environmentName: "production" # required
# --- optional ---
whatIfEnabled: true # preview changes before deploying
repositoryAlias: "infrastructure" # must match resources.repositories aliasAfter the Deploy stage, output variables are available:
stageDependencies.Deploy.DeployAppInsights.outputs['deployAppInsights.appInsights.connectionString']
stageDependencies.Deploy.DeployAppInsights.outputs['deployAppInsights.appInsights.instrumentationKey']Shared step templates
These can be included in the steps: block of any custom job:
| Template | Purpose |
| ----------------------------------- | ----------------------------------------------------------------------- |
| shared/install-node.yml | Install a specific Node.js version |
| shared/publish-artifact.yml | Publish a pipeline artifact |
| shared/snyk-scan.yml | Run Snyk OSS + optional SAST scan |
| shared/ai-pr-review.yml | AI code review via Azure OpenAI / OpenAI; posts PR thread comment |
| shared/pr-validate.yml | Full CI validation steps (install → lint → build → test → coverage) |
| shared/husky.yml | Disable Husky git hooks in CI; optionally re-run hooks as quality gates |
| shared/create-appservice-slot.yml | Idempotently create an App Service / Function App deployment slot |
| shared/delete-appservice-slot.yml | Safely delete a deployment slot |
| shared/deploy-app-insights.yml | Deploy Application Insights Bicep module via Azure CLI |
| shared/semantic-release.yml | Automated versioning + changelog via semantic-release |
| shared/owasp-zap.yml | OWASP ZAP DAST security scan against a live URL |
| shared/accessibility.yml | WCAG accessibility scan via axe-core |
| shared/env-promote.yml | Promote a built artifact between environments without rebuilding |
| shared/lint.yml | ESLint + Prettier check + optional Stylelint — composable lint step |
| shared/performance-test.yml | k6 load / smoke test against a live URL with configurable thresholds |
Variable template
Reference in the variables: block (not steps:):
variables:
- template: pipelines/templates/shared/variables.yml@infrastructure
parameters:
environmentName: "production"
variableGroups:
- myapp-common
- myapp-productionAI PR review
Optional parallel stage available in all PR and CI/CD pipelines.
parameters:
aiReviewEnabled: true
aiProvider: "azure-openai" # azure-openai | openai
azureOpenAiEndpoint: "https://my-openai.openai.azure.com"
aiModelOrDeployment: "gpt-4o"
aiApiKeyVariableName: "AI_API_KEY" # pipeline secret variable name
aiFailOnCritical: false # block deployment on CRITICAL severityOAuth token must be enabled: Pipeline → Edit → … → Allow scripts to access the OAuth token.
Variable groups (ADO Library)
Create these groups in ADO → Pipelines → Library, then authorise each pipeline to access them.
| Group name | Purpose |
| ------------------ | ------------------------------------------------------------ |
| myapp-common | Shared config (subscription ID, tenant ID, region) |
| myapp-dev | Dev environment values |
| myapp-staging | Staging environment values |
| myapp-production | Production values (app name, resource group, Key Vault name) |
| myapp-secrets | Key Vault-linked secrets |
Examples
See the examples/ folder for complete working pipelines:
| File | Demonstrates |
| ------------------------------- | -------------------------------------------------------- |
| use-web-appservices.yml | Full CI/CD for an Angular app |
| use-azure-functions.yml | Full CI/CD for a Function App |
| use-web-appservices-pr.yml | PR preview + cleanup for Angular |
| use-azure-functions-pr.yml | PR preview + cleanup for Functions |
| use-pr-pipeline.yml | Generic CI-only PR validation |
| use-ai-pr-review.yml | Standalone AI PR review |
| use-app-insights-pipeline.yml | Application Insights provisioning |
| use-bicep-pipeline.yml | Full infrastructure stack deployment |
| use-semantic-release.yml | Automated versioning and changelog |
| use-owasp-zap.yml | OWASP ZAP DAST security scan |
| use-accessibility.yml | WCAG accessibility scan via axe-core |
| use-env-promote.yml | Environment promotion (staging → production) |
| use-lint.yml | Standalone lint pipeline (ESLint + Prettier + Stylelint) |
| use-performance-test.yml | k6 smoke test triggered after deployment |
