Change in Azure Pipelines Grant for Public Projects
Vijay Machiraju
Azure Pipelines has been offering free CI/CD to open source projects since September 2018. Because this amounts to giving away free compute, it has always been a target for abuse – especially crypto mining. Minimizing this abuse has always taken energy from the team. We would prefer to put this energy into making our products better for users that follow our terms of use. Over the past few months, the situation has gotten substantially worse, with a high percentage of new public projects in Azure DevOps being used for crypto mining and other activities we classify as abusive. In addition to taking an increasing amount of energy from the team, this puts our hosted agent pools under stress and degrades the experience of all our users – both open source and paid.
To address this situation, we are making some changes – effective immediately:
- New public projects created in Azure DevOps will no longer get a free grant of concurrent pipelines. As a result, you won’t be able to run pipelines when you create a new public project.
- If you are a maintainer of an open-source project, you are likely already using a GitHub repository to manage your source code. So, we strongly recommend using GitHub Actions for your CI needs. This provides a more integrated experience with your repositories.
- If you still decide to use Azure Pipelines, then we are working on a process to support your needs. Please stay tuned while we finalize this process. We will post an update in this blog as well as in our documentation, once we have it ready for you.
Note that:
- This change does not impact our existing open-source or public project users. It only impacts new projects that you create in new Azure DevOps organizations.
We are sorry for the inconvenience this will introduce for open source customers wishing to use Azure Pipelines for CI/CD. Unfortunately, we believe that this is necessary for us to continue providing a high level of service to all our customers.
Update (6/7/2021):
We now have an updated process for you to request the free grant of parallel jobs in Azure Pipelines. Please fill out this form.
We will review your request and respond within 2-3 business days.
Light
Dark
8 comments
Since the recommendation here is to use GitHub Actions, it seems like the crypto miners will hardly be affected by this change. All they need to do is switch to GitHub Actions.
It feels like Microsoft is sunsetting Azure DevOps in favor of GitHub (a logical step given that these tools compete) but does not wish to directly acknowledge it. Hope you will be able to share the long term plans for the future of Azure DevOps in the upcoming posts.
Agreed, funnily enough this message comes from the “Director of Product Management, GitHub”.
How is Github Actions handling mining differently? Why wouldn’t miner just switch and cause problems there?
This feels like a good uses case for MS to push users to GH Actions without explaining that you are clearly dropping Azure DevOps.
Most of us working on Azure DevOps work for GitHub these days. Being a part of the same organization enables us to better coordinate our roadmaps and strategy across the two products.
This change is actually a good example of this. When we first rolled out the Azure Pipelines support for open source projects in 2016, Actions had not yet launched, and Azure Pipelines was the best way to bring hosted CI capabilities to open source communities. Things have changed substantially since then, and GitHub Actions is now a more natural fit for OSS hosted on GitHub. As such, we believe it makes sense to direct new open source CI consumption toward Actions at this point, while still maintaining our support for existing open source CI in Azure Pipelines (and enabling folks who still prefer to use Azure Pipelines for whatever reason a path to doing so).
The primary advantage for us in making this change in terms of fighting abuse is that it allows us to focus our more targeted prevention efforts on one product – Actions. The “front doors” for this type of abuse (organization/account creation, identities, etc.) are very different between the two products, and therefore building out the same set of preventative measures across both of them doubles the price.
personally i’m grateful for
* the fact that the offer in question is a top notch cloud based ci/cd platform
* that i can customize for my own private and open-source build
* and organizational needs that i’ve been actively using without paying for years
* without spending my own devops efforts maintaining a devops infrastructure
it’s outrageous that crypto miners or anyone else should abuse the service to the extent that it precipitates the (use your own adjective here) operator into service degrading mitigations.
from the perspective of paying customers the operator is alleging a chronic denial of service attack that is in fact resulting in a denial of service. as a paying microsoft customer i’m not just concerned that this vendor’s infrastructure is showing extreme vulnerability – i’m annoyed to find yet another annoyance of the horseless newspaper in my feed
Well at least we got plenty of warning.
We pay for our hosted agents, and we were still hit with availability issues.
I’m very sorry to hear that, @Dave Higgins. The recent escalations in abuse of our free tier have indeed caused availability issues for some of our legitimate (and paying) customers in the form of long wait times for jobs starting on hosted agents. Preventing further such issues for customers like you is the primary reason we have been making changes – first to our open source offer, as documented in this post; and more recently to the free tier for private projects (per https://devblogs.microsoft.com/devops/change-in-azure-pipelines-grant-for-private-projects/). While these changes have introduced additional inconvenience for legitimate free use of Azure Pipelines, minimizing impact to our current customers is more important. We will be working hard in the coming days and weeks to reduce the impact on legitimate customers of our free offers while still preventing the types of abuse that can cause availability issues for customers like you.
There are students that uses free tier for AZ 400 labs impacted with this, they are not getting any parallel job when they create their organizations, even when they associate to a valid subscription and an the AAD related to their Azure Pass subscription. This is blocking people from learning the tool. Is this a temporary decision? Wil be there any fixes for this specific issue?