A practical guide to automating Azure DevOps Work Item updates using Python and Azure Pipelines. This post explores hosting options, AI-assisted coding, and the trade-offs of different authentication methods. It highlights a lightweight, maintainable solution for personal productivity and reflects on the evolving role of developers in an AI-driven workflow.

In this post, I share a simple Python script to load an Azure DevOps (AzDo) wiki into memory, including the markdown content and real URLs of the pages. While the script lacks error handling and doesn’t read images or consider page relationships, it uses DefaultAzureCredential for easier cloud integration. Check out the resources for more details on the Azure DevOps REST API.

There is no reason not to switch to Workload Identity Federation for Service Connections in Azure DevOps. Compared to secret-based connections, it offers several compelling benefits:

• Firstly, you eliminate the need for secrets. This means no more manual or automatic rotation of secrets, or worse, being caught off guard when secrets expire unnoticed.
• Secondly, it’s more secure. Secrets used across multiple projects and stored in key vaults or, even worse, in tools like OneNote, are far more susceptible to compromise than the new identity federation approach.

Here is my step-by-step guide on setting up Workload Identity Federation in Azure DevOps. I recommend the manual setup over the automatic one for these reasons:

Using Azure Key Vault in a Pipeline is cool, but it is less secure.

The Key Vault setup

Have you tried the Key Vault Step in an Azure DevOps Pipeline? If you haven’t, please follow these awesome guides:

• Azure DevOps Labs. Using secrets from Azure Key Vault in a pipeline
• Tobias Zimmergren. Using Azure Key Vault Secrets in Azure DevOps pipelines

The steps described in these guides are easy, but that effort made me think about the first pair of pros and cons.