Dependencies & Packages
Security & Compliance
The course is part of this learning path
This course explains how to implement dependency management with Azure DevOps. It explores the strategies, tools, and methods used for creating and managing dependencies. First, you will learn what dependency management is and which packages are available for Azure DevOps. A practical demonstration then shows how to build a package. The course moves on to explore the strategies for dependency management, including versioning and componentization, and provides a demo that guides you through how to consume a package. Finally, you will learn about security and compliance, and watch a practical demonstration of WhiteSource Bolt.
By the end of this course, you should have a good understanding of how packages are managed within Azure DevOps and the implications of package management methodologies.
If you have any feedback relating to this course, please contact us at email@example.com.
- Explore what dependencies are
- Understand the various package types in Azure DevOps
- Manage packages in Azure DevOps through Artifacts
- Explore building software and creating dependencies
- Understand the strategies and methods for creating and managing dependencies
- Explore package security and compliance scanning options
- Individuals who want to learn more about Azure DevOps
- Individuals aiming to become Azure DevOps engineers
- Students preparing for Microsoft’s AZ-400 exam
To get the most from this course, you should have:
- Experience with version control and pushing changes into an Azure repo
- An Azure DevOps account
- Visual Studio installed if you want to follow along during the demos
- An understanding of Git and how to push code
Welcome to our first session. We're sitting in the portal here at dev.azure.com and we've already got an organization created, we're logged into. The goal of the session is we're going to create a package in Visual Studio, and we're gonna increment the versions, add some dependencies and make sure that's committed to an artifact repository in our project.
First, we need to create a project. We're gonna call this the depend on project. If we go now down to the Azure repo, we are gonna use Visual Studio to create the code. We need to make sure that we create a gitignore file for Visual Studio. Otherwise, you'll end up with errors to do with files in use. So we now need to clone that project. And we're just gonna use the IDE and clone to Visual Studio. We're gonna let the browser handle opening this for us and connecting us to the right project. We'll just need to login with our credentials. Now this is going to connect to the dev.azure.com and to our organization in a particular azure git repo. Here, we can choose to leave all the defaults and clone the project.
So we can see now that that project is connected here depends on project we connected to the master branch, we go to the team explorer, we currently have no solutions. So we're gonna do a new solution. And in this case, we're gonna look for a class library for .NET Core. So we can do a cross platform build. We're gonna call this, depends class, and create. For this exercise, we're not going to write any code. And that's fine. The principles of uploading the code and the dependencies will work as they should.
So we can see in the Solution Explorer, we have the class.cs file we have over here. And we also have dependencies for the project. If we look at the properties of this file, we can see we have the package over here and currently is version of 1.0.0. We're gonna change this to 001. And if we just click off that, we can see we've got that change. We're just gonna save that. And close that page.
Looking at Visual Studio, we now have three changes to push. So we're gonna call this our first. And we're gonna do a commit all and push. That's initializing the push, we can see that working here, and successfully pushed origin master. If we return here and look at files, we can see in our project depend on project files that we have, class and class files in here.
The next thing we need to do is create a pipeline and make sure we can build this project. So we're gonna come over to the Azure pipelines and create our first pipeline. We're gonna use the classic editor down here, create a pipeline without writing YAML. We're obviously going from an Azure Git repo. And by default, it's connected to the repo of this project. Continue.
We're gonna choose the .NET Desktop for our template and get ourselves some more screen real estate here. And we can see these jobs have been added to this project. So we get the NuGet installer, we currently restore a package, build a solution. We've got this test here for testing the libraries, we're not gonna use that, we're just gonna remove it. We also don't need to publish any symbols for debugging here. And the rest of that is fine.
So let's do our first save and queue. And we're gonna call this build1, run. You can see that job has been queued. And if we jump in here, we'll just watch this.\
That looks like it succeeded. If we go look at our artifacts, in our drop folder, we have dependency, class bin, release .Net Core, depclass.dll. If we download that file, choose to keep that we can see this file depclass which if we look in there are downloads and check the properties of this file, we can see we have the version 0.0.1 as we stated in the build.
So next we wanna go to our pipeline and add in the ability to versions automatically. And we wanna push that version into a NuGet repository into our artifacts feed.
Let's go create our artifacts feed to begin with. So we go over here, create feed. We're gonna leave these options as default including the upstream sources, and create.
When we look at this feed, there's nothing in the feed 'cause we haven't published anything to it. We can look at the properties of the feed and we can see the description here for if we want to give a description. We need to just save that. And we can see we have some other options here for hide deleted packages, package sharing badges. So if you're doing build badges, how successful packages retention policies.
We can also see there are permissions here. And why it was important to do that first build pipeline was that it actually adds the depends on build service as a contributor to this artifact feed. Otherwise, you have to add that manually if you don't have the build service run once already. We can also see this the different views for local pre release and release we've looked at and also upstream sources.
So if you wanted to add another upstream source, for instance, you could click on the add and do a public source. In this case, I've already got a link for a repository. Its just a couch app. So we can just say it's an NPM source. And NPM is the only option package type, custom NPM, give it a name and add. And now we have another repository available for us in this feed.
So now that we've created this feed, we wanna publish our own package into it. If you go back to build pipeline. And we're gonna edit the pipeline. We need to increment the package version as we build it. So let's add a task into this job. And we're gonna look for assembly. Now, you may not have this installed, it may be in your marketplace, so you need to go and install it. In my case I already do. I'm just gonna add it. It's fairly simple to install. If you just follow it to the website and publish it to your organization.
We move on to the second task in the list, and we can see, we're using the project files it's the source files directory. And what we wanna do is change the attributes of the assembly. It's all the different things we can change in this task. In our case, we want to change the assembly version, file version, and package version. And here we're going to put the build.buildnumber. And we're gonna copy that to the correct places. In this case, the assembly version, file version and package version.
You might be asking where are we getting this build number from? That's one of the options of the pipeline. We have build versions by default. We're just gonna clean this up. And we're gonna do version 1.0.$(dayofyear).$(rev:r). And that will give us the day of the year and the revision build for the day. So let's save this.
If we go and look at our tasks, we now need to continue on and create a package that we're gonna push into the artifact repository. So in this case, we're not gonna use the drop folder anymore. So let's delete this. And we're gonna wanna add a task from the NuGet packager, add, pull, push.
If we go to the task we can see the command we wanna run is push. If we come down here, we can look for our project depend feed. And we just now need to make sure that we have that package created because of the version of .NET Core that we're using, we need to use the build solution over here and /t:pack and during the build that'll create a package bin, in the bin folder.
Once that build is completed, we wanna copy those files. So if we look for the source folder here, we can see our path. And we're gonna just pick this path here for the project. And we just want the files in the bin directory. So let's save this and cue it.
So that looks like it succeeded. If we go to the artifacts and we choose project feed, we can see here is our depend class and it's pushed into the repository. If we look in here we can see what part of the code bunch, there's a bunch of information about the project.
The last piece of the session we wanna cover is adding other dependencies to this. So if we go back to our project, and our solution, so if we go over here and select manage NuGet packages on the dependencies, we can browse for the NuGet package source nuget.org. I'm gonna browse, and we're gonna add, say this one here. This is a Newtonsoft JSON handler. And perhaps the Microsoft extensions for logging. So again, we'll choose, you can choose different versions. We're gonna choose the latest stable version and install. Accept the licenses and we can see this that change. So we're gonna change this and we're gonna call this dependencies, commit and push, synchronizing, and if we return to our pipeline.
Now, you could obviously have this pipeline, start running on a push, we've got it set up manually in this case, so we're gonna need to run that pipeline. And we'll just choose run.
So we can see that succeeded. If we go to the artifacts folder, and we look here we've got the new version .2 that's the next run. And we scroll over here we can see there's the additional dependencies as part of this package.
So in our next session, we're going to try and consume this package from this feed and install it in another project.
Matthew Quickenden is a motivated Infrastructure Consultant with over 20 years of industry experience supporting Microsoft systems and other Microsoft products and solutions. He works as a technical delivery lead managing resources, understanding and translating customer requirements and expectations into architecture, and building technical solutions. In recent years, Matthew has been focused on helping businesses consume and utilize cloud technologies with a focus on leveraging automation to rapidly deploy and manage cloud resources at scale.