Azure DevOps Repos synchronization between Organization

Asked 20/4, 2020 at 6:0 Answered 16/1, 2023 at 16:27

We have two Azure DevOps Organizations, 1. Development 2. Client

I would like to know if we can synchronize Azure DevOps Repos from one organization (Development) to different organization (Client) in a secure way? If it is possible, what would be the best way to sync from one organization to another securely?

NOTE: We are able to manually clone the Repo from one to another organization for the first time with the help of PAT and GIT Auth but the problem arises when we want to update or re-sync the code. We have to manually re-import the repo (By deleting the existing one) to make changes.

We need to do this programmatically and to another organization.

Thumbscrew answered 20/4, 2020 at 6:0 Comment(0)

Azure DevOps Repos synchronization between Organization

Sorry but as I know there's no such out-of-box feature available in Azure Devops Service.

There're similar user voices here: Sync between projects in same org and Automatically Sync Azure Devops Repos with GitHub Repos. Usually one organization is responsible for one product, so Azure Devops doesn't recommend cross-organization actions. But if you do want this behavior in your scenario, you can use these two directions:

1.Try free Git Tools for Azure Devops extension from Martin Hinshelwood. Some steps about how to use it:

Install it in your Development organization, it contains one Publish Git Repo task.
Create a new classic build pipeline named SyncRepos, add the Publish Git Repo task in it.

(Yaml pipeline also works well, but since this is one pipeline in which only exists one task, classic pipeline is enough)
Configure the task. We only need to configure the git repo url, so it's quite easy.

Assuming the name of same repos in another organization Client is ReposToSync, and this repos is in ProjectA. So the url you should enter in pipeline(in organization Development) should be:

See this: https://anything:[email protected]/Client/ProjectA/_git/ReposToSync.

(You should use a PAT which has repos-related permissions. I used Full Access one to test it easily but it should be much better if you create a PAT scoped in repos permissions. It's more secure !)
Now set the trigger, enable the CI and add all the branches into filter.

Yaml pipeline is better in step4 cause it supports trigger all branches with wildcard *. See this.
Now in Development organization, when I have any change in master and qwe branches, it will automatically trigger the pipeline to run. Then the task will sync the changes in Development's repos with repos in 'Client' organization.

Any change in Development org will start a sync, if you want to same behavior in 'Client', you also need another similar pipeline in 'Client'. And, yaml pipeline with wildcard is better if you want the pipeline to monitor newly created branch.

In additions: Apart from using the task from extension, we can also use git commands in CMD task if you're familiar with those commands.

2.Feel free to post a new feature request to our User Voice forum. If you gets enough votes, the request's priority increases and the team would consider it seriously.

Hope all above helps :)

Update1:

No matter git commands or extension, if we want to make it more secure(avoid using PAT or other secrets directly in task), we can use secrets to store the important info like PAT.

1.See create secret variable in Variable Group, then link the variable group, after that we can use $(MyPat) in task and it won't be displayed in log.

2.Also you can consider using Azure Key Valut. Related doc: Link secrets from an Azure key vault.

Luciferase answered 21/4, 2020 at 3:1 Comment(6)

Thanks Lance, we have also tested using git commands and using ssh key pairs but that was also not suggested by the security team. We are using yaml pipelines only. Using Extension which was developed by Community, is it secure to do in this way ? – Thumbscrew 22/4, 2020 at 6:58

Since this is not extension from Microsoft, I can't guarantee that this is one secure way :( I'll add some edit to answer for some secure suggestions later. – Luciferase 22/4, 2020 at 8:54

@praveenkrish Hi friend, is there any update for it? Feel free to let me know if you need any further assistance in original issue :) – Luciferase 23/4, 2020 at 6:8

Thanks Lance for your suggestion, we will test and implement it – Thumbscrew 23/4, 2020 at 12:34

Great! Feel free to let me know if you need any further assistance about the original issue. – Luciferase 24/4, 2020 at 5:31

In my org, a new PAT expires in 7 days, so it is not suitable for continuous sync between the two repos residing in different orgs :| – Oddball 11/9, 2024 at 9:12

Today I tried a way of doing it I found in a blog post and it worked perfectly (and is tremendously easy to do).

Steps:

Create a PAT (personal access token) to your Development organization (I see you already have one so skip this step)
Go to the target repo in the Development organization, click clone and copy the url
In the Client organization import the repository with the url you have copied and with your PAT (same here, I think you already did this so skip this step)
Now clone the repo to your computer from the Client organization and add a remote to the repo in your Development organization. If you don't know about remotes, this page could help: Managing remote repositories

After this, you will be able to push and fetch from the Development organization's repo.

Source: Azure DevOps Fork Repos between two Organization - Michael Ghebremedin

Pickup answered 16/1, 2023 at 16:27 Comment(1)

This doesn't explain how to implement ongoing changes, i.e. when someone pushes to the Development repo, how do you get that across to the Client repo without deleting and recreating it? – Emporium 13/11, 2023 at 5:36

Recommended topics

Hot tags