azurepipelines

Overview ¶

Package azurepipelines is a private serialization backend: it writes a forge-neutral model.Pipeline out as an Azure DevOps pipeline (azure-pipelines.yml).

Mechanism, not identity. It lives under ci/render/internal so it is importable only by the render layer and never appears in a user-facing surface. It shares nothing with the Actions backend — Azure's stage/job/step model and YAML are its own — so it is a separate backend rather than a dialect of another.

Lowering decisions:

• stages → Azure has first-class stages; each model job maps to a stage (one job inside) and stage ordering is expressed with dependsOn. A job with no explicit Needs depends on the preceding stage; first-stage jobs depend on nothing.
• artifacts → PublishPipelineArtifact (publish) on the producer; a consumer that needs it uses DownloadPipelineArtifact (download).
• allow-failure → job continueOnError; when-always → stage condition: always().
• container → the CI image is declared as a container resource and each job runs in it.

First-pass runtime caveats to validate against a real Azure DevOps run (the structure is stable; these are environment specifics, like the Actions backend's DinD/OIDC caveats):

• OIDC: Azure issues federated tokens via service connections, not a generic audience request. The STAGEFREIGHT_OIDC contract needs a service-connection -backed token step; this backend emits a marked placeholder, not a working fetch.
• docker: Azure's hosted agents have Docker on the host; a container job needs the host socket or a self-hosted agent. The transport env is emitted but the daemon wiring is environment-specific.
• artifact path: download restores under $(Pipeline.Workspace)/<name>; mapping it back onto the workspace .stagefreight/ tree is a refinement.