Azure DevOps pass variable from Build to Release

Azure DevOps pass variable from Build to Release

September 28, 2019 0 By Morten Lerudjordet

The code is updated to allow for other existing variables in the variable group without removing them.

In my work creating a pipeline for Azure Automation Runbooks I came across a challenge I wanted to share one solution for.

My specific challenge was to only import Runbooks that had changed from one PR to the next.
Should be easy enough right? Just do: git diff –name-only HEAD~
But wait, I need to do this in the Release part of the pipeline, and this does not have access to my repo out of the box (nor should it need too, you know security and stuff).
So I do know that Build has this out of the box, as it needs to download the bits from github to be able to do the needful. This means I can run git diff there and everything is fine and dandy?

Nope, there is no easy way of passing the output from the command to the Release pipeline. Only interaction point is through the artifacts Build creates for Release to consume, and I do not want to add to that (as it should only be the bits you need to do the deployment) .

Though Azure DevOps has something else called Variable Groups that seems to have been built to handle this type of need. One can share variables created inside the group between Build and Release. Though at this moment there seems not to be a clear way of programmatically set the value of the variable at Build runtime.

Enter the excellent VSTeam module from Donovan Brown that I have had my eye on for some time, but not have had any good excuse of using. Not until now that is.

This module has Get-VSTeamVariableGroup and Update-VSTeamVariableGroup that seems to fit my needs.

So now I seem to have all the bits needed to be able to pass the changed Runbooks from the last PR in to the Release pipeline and have the logic only update these. This is much more efficient than having to import all each time, and saves a lot of time on the agent (as everybody now know time = money in Azure).

Let’s get into the details.

First set up the Variable Group and add the variable the logic will use.

The trick to allow the Build pipeline to change the variable is two folds.

First, on the Variable Group give the Build service account access as shown below (will need to be changed from Read to Administrator).

Next on the Build pipeline agent job add “Allow scripts to access OAuth token”.

The last part is to link the Variable Group to Release. This is done in the variable section as shown below.

Now to make this work from inside the Build pipeline logic, add the MS PS task on the agent and create a script that takes these arguments.

Take special note of a couple of these: System.AccessToken, VSteamAccount and System.TeamProject.

System.AccessToken is the Oauth token we configured the Build pipeline to allow scripts to use. And because it is a secret it needs to be passed in as an argument.

System.TeamProject is another variable provided by the service and holds the name of the DevOps project.
VSteamAccount I have created for convenience.
Make sure this is only the base URL of the AzD instance and do not include the project name in it (

Now for some code.

This is the part that gets the PR file diff and puts it into the GitFileDiff variable in the shared Variable Group.

Now that the variable has been set by the Build pipeline we will need to consume it in the Release pipeline. This is quite easy after the Variable Group is linked to the pipeline. Just add the variable name as an argument to your PS script that needs to use it.

Easy peasy.

Now puppies…

Happy tinkering!