Pipeline as code (YAML)

Versioned pipelines, variables, templates.

Intermediate30 min · lesson 2 of 15

Azure Pipelines can be defined in a classic visual editor or as YAML, and pipeline-as-code (YAML) is the professional standard. Storing the pipeline in the repo as version-controlled code is what makes delivery reproducible and reviewable.

Pipeline as code

A YAML pipeline lives in your repository alongside the code it builds, which means it is versioned, reviewed in pull requests, and evolves with the application — a change to the build process is a code change with history and rollback, not an untracked edit in a UI. This is the same discipline as infrastructure as code applied to your delivery process. Variables (including variable groups backed by Key Vault for secrets), parameters, and conditions make YAML pipelines flexible, and you avoid hardcoding sensitive values by referencing Key Vault so secrets never appear in the file or logs. The pipeline definition becomes a first-class, auditable artifact of the project.

pipeline-as-code with secure variables
# azure-pipelines.yml — versioned in the repo, reviewed in PRs.
trigger:
branches: { include: [ main ] }
variables:
- group: prod-secrets # variable group backed by Key Vault (no secrets in YAML)
steps:
- task: AzureCLI@2
inputs:
azureSubscription: 'prod-connection' # service connection (identity, not keys)
inlineScript: 'az webapp deploy ...'
# $(DbPassword) resolves from Key Vault at runtime, masked in logs.

Templates and reuse

As pipelines multiply across projects, templates keep them DRY: you factor common steps, jobs, or whole stages into reusable template files and reference them, so a standard build-and-deploy pattern is defined once and consumed everywhere. This lets a platform team standardize security scanning, approval gates, and deployment logic across the organization, and update them centrally. Combined with variable groups and parameters, templates turn pipelines from copy-pasted snowflakes into a maintained, consistent system. The DevOps engineer’s job is to build these reusable, secure pipeline building blocks so every team gets fast, safe delivery without reinventing it — pipeline-as-code plus templates is how delivery scales across an organization.

Pipeline as code
in the repo
YAML pipeline
versioned, PR-reviewed
variable groups + Key Vault
secrets referenced, not stored
reuse
templates
shared steps/stages, DRY
parameters
flexible, standardized pipelines
YAML puts the pipeline under version control; templates and variable groups make it reusable and secure across the org.
Never hardcode secrets in a pipeline YAML
A password or key written into a YAML pipeline is committed to the repo and visible to anyone with read access, and may leak into build logs. Reference secrets from Azure Key Vault via a variable group or the service connection, and mark them secret so they are masked — nothing sensitive belongs in the pipeline file or its output.