Pipelines
All services use Azure DevOps pipelines defined in azure-pipelines.yml files in their respective directories. Pipelines share common templates for Docker builds and Cloudflare deployments.
Pipeline patterns
Backend pipeline (Cloud Backend / Management Backend / Ingestor)
```mermaid
flowchart LR
A[Push to master] --> B[Checkout]
B --> C[Security scanning - govulncheck / trivy / gitleaks / SBOM]
C --> D[Build Docker image]
D --> E[Push to ACR]
E --> F[Deploy to App Service]
F --> G[Run Flyway migrations]
G --> H[Health check]
```
Triggered by pushes to master with path filters (e.g. only when files under Backend/ change).
Frontend pipeline (Cloud SPA / Management SPA / Website / Docs)
```mermaid
flowchart LR
A[Push to master] --> B[Checkout]
B --> C[npm install + npm run build]
C --> D[Security scanning - npm audit / license-checker]
D --> E[Deploy to Cloudflare Pages]
```
Variable groups
| Group | Used by | Contains |
|---|---|---|
| cloudflare-cloud | All Cloudflare deployments | CLOUDFLARE_API_TOKEN, CLOUDFLARE_ACCOUNT_ID, project names |
| cloud-backend-dev | Cloud Backend dev pipeline | App settings, DB connection (via KV reference) |
| cloud-backend-prd | Cloud Backend prod pipeline | Same, production values |
| manage-backend-dev | Management Backend dev | App settings |
| manage-backend-prd | Management Backend prod | App settings |
Security scanning
Backend pipelines run:
- `govulncheck` — Go vulnerability scanner (known CVEs in dependencies)
- `trivy image` — Container image scanning (OS packages + Go deps)
- `gitleaks` — Secret detection in source code
- SBOM generation — Software Bill of Materials (CRA compliance)
Frontend pipelines run:
- `npm audit` — Node.js dependency vulnerability check
- `license-checker` — License compliance verification
Flyway migration step
After each backend deploy, the pipeline runs Flyway migrations against the production database. The migration connection string uses the service’s Managed Identity and is scoped to the deployment environment.
Migrations are forward-only. Rolling back requires a new migration file — never delete or edit existing migration files.
Secrets management in pipelines
Pipeline steps do not have access to raw secrets. Instead:
- Build-time: VITE_* variables come from Azure DevOps variable groups (marked as secret)
- Runtime: App Service reads secrets from Key Vault via Key Vault references in App Settings
- Cloudflare deploy: the Cloudflare API token is in the `cloudflare-cloud` variable group
No secrets are ever written to Docker images or build artifacts.
Trigger path filters (example)
The Cloud Backend pipeline only triggers when files under Backend/ change:
```yaml
trigger:
  branches:
    include:
      - master
  paths:
    include:
      - Backend/*
```
This prevents unnecessary builds when only the frontend or documentation changes.
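As an added example (not a file from this repository), a trimmed azure-pipelines.yml that puts the backend pipeline pattern and the path-filtered trigger above together, with each scanner failing the job on findings. `Docker@2`, `PublishBuildArtifacts@1` and `AzureWebAppContainer@1` are standard Azure DevOps tasks; the service connections, registry login server, app name, health endpoint and the `FLYWAY_URL` variable are placeholders, and producing the SBOM from trivy's CycloneDX output is an assumption, since the page does not name the SBOM tool.

```yaml
trigger:
  branches: { include: [master] }
  paths: { include: [Backend/*] }

variables:
  - group: cloud-backend-prd                                  # variable group from the table above
  - name: image                                               # placeholder registry login server
    value: <acr-login-server>/cloud-backend:$(Build.BuildId)

stages:
  - stage: ScanAndBuild
    jobs:
      - job: Build
        steps:
          - checkout: self
          - script: |
              go install golang.org/x/vuln/cmd/govulncheck@latest
              govulncheck ./...                                # non-zero exit on known CVEs fails the job
            workingDirectory: Backend
            displayName: govulncheck
          - script: gitleaks detect --source . --exit-code 1
            displayName: gitleaks (secrets in source)
          - task: Docker@2
            displayName: Build image
            inputs: { command: build, containerRegistry: <acr-service-connection>, repository: cloud-backend, dockerfile: Backend/Dockerfile, tags: $(Build.BuildId) }
          - script: |
              # image scanning needs the built image, so it runs between build and push
              trivy image --exit-code 1 --severity HIGH,CRITICAL $(image)
              trivy image --format cyclonedx --output $(Build.ArtifactStagingDirectory)/sbom.cdx.json $(image)
            displayName: trivy scan + SBOM
          - task: PublishBuildArtifacts@1
            inputs: { pathToPublish: $(Build.ArtifactStagingDirectory), artifactName: sbom }
          - task: Docker@2
            displayName: Push to ACR
            inputs: { command: push, containerRegistry: <acr-service-connection>, repository: cloud-backend, tags: $(Build.BuildId) }
  - stage: Deploy
    dependsOn: ScanAndBuild
    jobs:
      - deployment: AppService
        environment: prd
        strategy:
          runOnce:
            deploy:
              steps:
                - task: AzureWebAppContainer@1
                  inputs: { azureSubscription: <arm-service-connection>, appName: <app-service-name>, containers: $(image) }
                - script: flyway -url="$(FLYWAY_URL)" migrate      # FLYWAY_URL assumed to come from the variable group
                  displayName: Flyway migrations (forward-only)
                - script: curl -fsS https://<app-host>/healthz      # placeholder health endpoint
                  displayName: Health check
```

Because the image is scanned before the push step, a HIGH/CRITICAL finding never reaches ACR, and the published SBOM artifact records exactly what was deployed.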