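I have a build pipeline that needs to create a URL with a shared access signature (see: SAS, or authentication key) in order to access a ZIP file further down the pipeline. I am able to create the URL and SAS key just fine, but I can't transfer it to another stage.

The process is documented fairly well here, but I must be missing something.

I have included the full pipeline here for context, but the main logic is in the `Generate SAS URL for the artifact` task and the `Deployment to prod` job: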
```yaml
trigger:
- main
variables:
- group: xyz
pool:
  name: Default
stages:
- stage: build
  displayName: Build the application
  jobs:
  - job: build
    displayName: Build
    steps:
    - task: UseDotNet@2
      inputs:
        version: 8.x
    - task: DotNetCoreCLI@2
      displayName: Build Function App
      inputs:
        command: 'build'
        projects: |
          $(System.DefaultWorkingDirectory)/src/AzureFunctions/AzureFunctions.csproj
        arguments: --output $(System.DefaultWorkingDirectory)/function-package --configuration Release
    - task: ArchiveFiles@2
      displayName: 'Archive files'
      inputs:
        rootFolderOrFile: '$(System.DefaultWorkingDirectory)/function-package'
        includeRootFolder: false
        archiveType: zip
        archiveFile: $(Build.ArtifactStagingDirectory)/$(Build.BuildNumber).zip
        replaceExistingArchive: true
    - publish: $(Build.ArtifactStagingDirectory)/$(Build.BuildNumber).zip
      artifact: function-package
    - task: AzureCLI@2
      displayName: 'Upload artifact to Azure Storage'
      inputs:
        azureSubscription: '<secret>'
        scriptType: 'bash'
        scriptLocation: 'inlineScript'
        inlineScript: |
          storage_key=$(az storage account keys list --resource-group <secret> --account-name <secret> --query '[0].value' --output tsv)
          az storage blob upload \
            --account-name <secret> \
            --container-name function-artifacts/<secret> \
            --name $(Build.BuildNumber).zip \
            --file $(Build.ArtifactStagingDirectory)/$(Build.BuildNumber).zip \
            --account-key $storage_key
    - task: AzureCLI@2
      displayName: 'Generate SAS URL for the artifact'
      inputs:
        azureSubscription: '<secret>'
        scriptType: 'bash'
        scriptLocation: 'inlineScript'
        inlineScript: |
          storage_key=$(az storage account keys list --resource-group <secret> --account-name <secret> --query '[0].value' --output tsv)
          sas_url=$(az storage blob generate-sas \
            --account-name <secret> \
            --container-name function-artifacts/<secret> \
            --name $(Build.BuildNumber).zip \
            --permissions r \
            --expiry $(date -u -d "1 year" '+%Y-%m-%dT%H:%MZ') \
            --account-key $storage_key \
            --output tsv)
          echo "##vso[task.setvariable variable=ArtifactSasUrl;isOutput=true]https://<secret>.blob.core.windows.net/function-artifacts/<secret>/$(Build.BuildNumber).zip?$sas_url"
    - publish: $(System.DefaultWorkingDirectory)/build/bicep
      artifact: bicep-package
- stage: deployment_prod
  dependsOn: build
  displayName: Deployment to prod
  variables:
    ArtifactSasUrl: $[dependencies.build.outputs['build.ArtifactSasUrl']]
  jobs:
  - template: deployment.yaml
    parameters:
      Environment: 'prod'
      StorageAccount: $(StorageAccount)
      LoftwareDb: $(<secretDb>)
      AppServicePlanResourceId: $(AppServicePlanResourceId)
      ResourceGroupName: '<secret>'
      ServiceConnectionName: '<secret>'
      SubscriptionId: '<secret>'
      ArtifactUrl: '$(ArtifactSasUrl)'
```
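I have a step in the downstream process that prints out the SAS URL, but it is empty (no error, just empty).

To access the output variable, you need to name the step first: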
```yaml
- task: AzureCLI@2
  name: generateSasUrl
  displayName: 'Generate SAS URL for the artifact'
  inputs:
    azureSubscription: '<secret>'
    scriptType: 'bash'
    scriptLocation: 'inlineScript'
    inlineScript: |
      storage_key=$(az storage account keys list --resource-group <secret> --account-name <secret> --query '[0].value' --output tsv)
      sas_url=$(az storage blob generate-sas \
        --account-name <secret> \
        --container-name function-artifacts/<secret> \
        --name $(Build.BuildNumber).zip \
        --permissions r \
        --expiry $(date -u -d "1 year" '+%Y-%m-%dT%H:%MZ') \
        --account-key $storage_key \
        --output tsv)
      echo "##vso[task.setvariable variable=ArtifactSasUrl;isOutput=true]https://<secret>.blob.core.windows.net/function-artifacts/<secret>/$(Build.BuildNumber).zip?$sas_url"
```
Then:

```yaml
ArtifactSasUrl: $[dependencies.build.outputs['build.generateSasUrl.ArtifactSasUrl']]
```

Here is the JSON map of the dependencies:
```json
"dependencies": {
  "<STAGE_NAME>" : {
    "result": "Succeeded|SucceededWithIssues|Skipped|Failed|Canceled",
    "outputs": {
      "jobName.stepName.variableName": "value"
    }
  },
  "...": {
    // another stage
  }
}
```
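The following check is an added example, not part of the original question or answer: it scans pipeline text for steps that emit an `isOutput=true` variable and returns the stage-level expression that reads each one, or `None` when the step has no `name:` and the variable therefore cannot be referenced. It is a line-based scan that assumes two-space YAML indentation, not a full YAML parser; the function name, the sample pipeline and the placeholder URL are constructed for illustration.

```python
import re

ITEM = re.compile(r"^(\s*)- (\w+):\s*(\S*)")          # "- stage: x", "- job: x", "- task: x"
NAME = re.compile(r"^(\s*)name:\s*(\S+)")
SETVAR = re.compile(r"##vso\[task\.setvariable ([^\]]*)\]")
STEP_KEYS = {"task", "script", "bash", "pwsh", "powershell"}

def output_variable_keys(pipeline_text):
    """Return (variable, stage-level expression) pairs; expression is None for an unnamed step."""
    stage = job = step = None
    steps = []
    for line in pipeline_text.splitlines():
        item = ITEM.match(line)
        if item:
            indent, key, value = len(item.group(1)), item.group(2), item.group(3)
            if key == "stage":
                stage = value
            elif key in ("job", "deployment"):
                job = value
            step = None                                # any other list item ends the current step
            if key in STEP_KEYS:
                step = dict(stage=stage, job=job, indent=indent, name=None, vars=[])
                steps.append(step)
            continue
        if step is None:
            continue
        name = NAME.match(line)
        if name and len(name.group(1)) == step["indent"] + 2:   # "name:" directly under the step
            step["name"] = name.group(2)
        for props in SETVAR.findall(line):
            fields = {k.strip().lower(): v for k, _, v in (p.partition("=") for p in props.split(";"))}
            if fields.get("isoutput", "").lower() == "true":
                step["vars"].append(fields.get("variable", ""))
    return [(v, f"$[dependencies.{s['stage']}.outputs['{s['job']}.{s['name']}.{v}']]" if s["name"] else None)
            for s in steps for v in s["vars"]]

# Constructed sample: the step from the question, reduced, with a placeholder URL.
UNNAMED = """\
stages:
- stage: build
  jobs:
  - job: build
    steps:
    - task: AzureCLI@2
      displayName: 'Generate SAS URL for the artifact'
      inputs:
        inlineScript: |
          echo "##vso[task.setvariable variable=ArtifactSasUrl;isOutput=true]https://example.invalid/a.zip?sig=PLACEHOLDER"
"""
NAMED = UNNAMED.replace("displayName:", "name: generateSasUrl\n      displayName:")
```

`output_variable_keys(UNNAMED)` reports the variable with no usable expression, while `output_variable_keys(NAMED)` yields the `job.step.variable` key shown in the dependency map above.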