Resource utilization notifications in Azure Pipelines agent
With this update, the Azure Pipelines agent now displays a notification if you encounter resource constraints, such as limitations on memory or disk space.
Check out the release notes for details.
General
Azure Pipelines
- Azure service connections indicate when a secret has expired
- New AzureFileCopy@6 task supports secret-less configurations
- Resource utilization alerts for Azure Pipeline agents
General
Personal access token (PAT) APIs to return maximum allowed lifespan
When managing personal access tokens (PATs) through the PAT management APIs, a validTo expiration date can be specified for newly created or updated PATs. If the "Enforce maximum personal access token lifespan" policy is enabled and the specified validTo date exceeds the policy's maximum lifespan limit, the system now automatically adjusts and issues a PAT with the maximum permitted lifespan, rather than producing an error.
Previously, going over the maximum allowed lifespan would cause a PatLifespanPolicyViolation error. This change helps apps and tools that use these APIs handle PAT creation and update errors better when the "maximum personal access token lifespan" policy is enabled.
Azure Pipelines
Azure service connections indicate when a secret has expired
With this sprint, you can now see the expiration status of secrets in Azure service connections. If your tasks show an error due to an expired secret, such as messages with "AADSTS7000222," go to the service connection details page. If you see this message,the service connection's secret has expired:
To fix the service connection, you can convert it to use workload identity federation. This approach removes the necessity for rotating secrets, offering a more streamlined and secure management process.
New AzureFileCopy@6 task supports secret-less configurations
You might block the use of storage account keys and SAS tokens on your storage accounts. In these situations the AzureFileCopy@5 task, which relies on SAS tokens, can't be used.
The new AzureFileCopy@6 task uses Azure RBAC to access blob storage instead. This requires the identity of the service connection used to have the appropriate RBAC role e.g. Storage Blob Data Contributor. See Assign an Azure role for access to blob data.
The AzureFileCopy@6 task also supports service connections that use workload identity federation.
Resource utilization alerts for Azure Pipeline agents
Last October, we introduced the ability to monitor memory and disk space utilization by the Pipelines agent.
To inform you about these constraints, we've improved the visibility of resource constraint alerts:
Should you encounter messages indicating a lack of responsiveness from the agent, it could signify that a task is exceeding the resource capabilities allocated to the agent, potentially causing pipeline job failures.
"We stopped hearing from the agent"
To address this, enable verbose logs for more detailed tracking of resource utilization, helping to pinpoint where resources are being exhausted. For those utilizing a self-hosted agent, ensure your agent has sufficient resources.
Next steps
Note
These features will roll out over the next two to three weeks.
Head over to Azure DevOps and take a look.
How to provide feedback
We would love to hear what you think about these features. Use the help menu to report a problem or provide a suggestion.
You can also get advice and your questions answered by the community on Stack Overflow.
Thanks,
Silviu Andrica