Submission requirements
Problem summary
ado-aw should support source-level Azure DevOps variable group imports so generated pipeline locks can consume project-managed secrets without hand-editing the generated YAML.
Today engine.github-app-token.private-key can reference an ADO pipeline variable name, for example:
engine:
id: copilot
github-app-token:
app-id: 1234567
owner: example-org
repositories: [example-repo]
private-key: AGENTIC_WORKFLOWS_GITHUB_APP_PRIVATE_KEY
That is useful when the GitHub App private key is managed centrally in an ADO Library variable group. However, in Azure DevOps, a variable group being present and authorized for a pipeline definition is not enough to make its variables available to a YAML run. The YAML must explicitly import the group:
variables:
- group: Agentic Workflows
ado-aw front matter currently has no source-level way to request that import, so a source-clean generated lock cannot consume secrets managed in a project-level variable group. This is especially painful for GitHub App private keys and other shared agentic-workflow secrets that should be managed once at the project level, not copied onto every pipeline definition.
Reproduction details
-
Create an ADO Library variable group, for example Agentic Workflows, containing a secret variable such as AGENTIC_WORKFLOWS_GITHUB_APP_PRIVATE_KEY.
-
Author an ado-aw workflow that references that variable from engine.github-app-token.private-key:
engine:
id: copilot
github-app-token:
app-id: 1234567
owner: example-org
repositories: [example-repo]
private-key: AGENTIC_WORKFLOWS_GITHUB_APP_PRIVATE_KEY
- Compile with ado-aw.
Observed behavior: the generated lock references $(AGENTIC_WORKFLOWS_GITHUB_APP_PRIVATE_KEY) in the GitHub App token mint step, but does not import the variable group. At runtime, the variable is unavailable unless it was also copied directly onto the pipeline definition or the generated lock was hand-patched.
Expected behavior: ado-aw source should support a variable group import, for example:
variables:
- group: Agentic Workflows
and generated YAML should preserve that import while maintaining lock integrity:
variables:
- group: Agentic Workflows
Pipeline-definition authorization is still required, but it is not sufficient by itself. Authorization grants the pipeline permission to use the group; the YAML import actually brings the group variables into the run.
Current workarounds are all undesirable:
- Store the secret directly as a pipeline variable on each generated pipeline definition, duplicating project-level secret management.
- Hand-patch the generated lock with
variables: - group: ... and disable or bypass generated-lock integrity.
- Build a parent/wrapper YAML outside ado-aw that imports the group and includes an ado-aw-generated job/stage template, adding complexity and target-specific wrapper behavior.
Proposed next step
Add source-level support for ADO variable group imports. A simple front matter shape could mirror ADO YAML:
variables:
- group: Agentic Workflows
If variables: is too broad or conflicts with future literal variable support, an ado-aw-specific shape could be used instead, such as:
variable-groups:
- Agentic Workflows
Security considerations:
- The source should contain only variable group names, never secret values.
- ado-aw should not resolve, print, log, or serialize variable values.
- Validation should treat group names as identifiers/references and reject YAML forms that inline secret values if this feature is intended only for groups.
- Existing secret handling remains unchanged: steps still reference secret variables by macro name, such as
$(AGENTIC_WORKFLOWS_GITHUB_APP_PRIVATE_KEY).
Target/wrapper considerations:
target: standalone: emit top-level variables: with - group: ....
target: 1es: ensure variable group imports land in the correct top-level/template-supported location for the 1ES wrapper and required template schema.
target: job / target: stage: decide whether imports are representable in the emitted template target. If not, fail with a clear compile-time error or document that variable group imports require the parent pipeline to import the group.
- Required-template / extends wrappers should preserve the variable group import in a way Azure DevOps evaluates before jobs that reference the macros.
Acceptance criteria / tests:
- Front matter can declare one or more variable group imports.
- Compiled standalone YAML includes top-level `variables:
- A workflow using
engine.github-app-token.private-key: <VAR_NAME> can import a variable group containing <VAR_NAME> without hand-patching the lock.
- Generated locks remain deterministic and integrity-preserving.
- Tests cover at least standalone output shape and the behavior/error for
1es, job, and stage targets.
- Tests verify secret values are never required or emitted, only group names.
- Docs explain that variable group authorization and YAML import are both required in Azure DevOps.
Submission requirements
.github/agents/ado-aw.agent.md.githubnext/ado-aw.Problem summary
ado-aw should support source-level Azure DevOps variable group imports so generated pipeline locks can consume project-managed secrets without hand-editing the generated YAML.
Today
engine.github-app-token.private-keycan reference an ADO pipeline variable name, for example:That is useful when the GitHub App private key is managed centrally in an ADO Library variable group. However, in Azure DevOps, a variable group being present and authorized for a pipeline definition is not enough to make its variables available to a YAML run. The YAML must explicitly import the group:
ado-aw front matter currently has no source-level way to request that import, so a source-clean generated lock cannot consume secrets managed in a project-level variable group. This is especially painful for GitHub App private keys and other shared agentic-workflow secrets that should be managed once at the project level, not copied onto every pipeline definition.
Reproduction details
Create an ADO Library variable group, for example
Agentic Workflows, containing a secret variable such asAGENTIC_WORKFLOWS_GITHUB_APP_PRIVATE_KEY.Author an ado-aw workflow that references that variable from
engine.github-app-token.private-key:Observed behavior: the generated lock references
$(AGENTIC_WORKFLOWS_GITHUB_APP_PRIVATE_KEY)in the GitHub App token mint step, but does not import the variable group. At runtime, the variable is unavailable unless it was also copied directly onto the pipeline definition or the generated lock was hand-patched.Expected behavior: ado-aw source should support a variable group import, for example:
and generated YAML should preserve that import while maintaining lock integrity:
Pipeline-definition authorization is still required, but it is not sufficient by itself. Authorization grants the pipeline permission to use the group; the YAML import actually brings the group variables into the run.
Current workarounds are all undesirable:
variables: - group: ...and disable or bypass generated-lock integrity.Proposed next step
Add source-level support for ADO variable group imports. A simple front matter shape could mirror ADO YAML:
If
variables:is too broad or conflicts with future literal variable support, an ado-aw-specific shape could be used instead, such as:Security considerations:
$(AGENTIC_WORKFLOWS_GITHUB_APP_PRIVATE_KEY).Target/wrapper considerations:
target: standalone: emit top-levelvariables:with- group: ....target: 1es: ensure variable group imports land in the correct top-level/template-supported location for the 1ES wrapper and required template schema.target: job/target: stage: decide whether imports are representable in the emitted template target. If not, fail with a clear compile-time error or document that variable group imports require the parent pipeline to import the group.Acceptance criteria / tests:
engine.github-app-token.private-key: <VAR_NAME>can import a variable group containing<VAR_NAME>without hand-patching the lock.1es,job, andstagetargets.