Change in Azure Pipelines Grant for Public Projects

Vijay Machiraju

Vijay

Azure Pipelines has been offering free CI/CD to open source projects since September 2018. Because this amounts to giving away free compute, it has always been a target for abuse – especially crypto mining. Minimizing this abuse has always taken energy from the team. We would prefer to put this energy into making our products better for users that follow our terms of use. Over the past few months, the situation has gotten substantially worse, with a high percentage of new public projects in Azure DevOps being used for crypto mining and other activities we classify as abusive. In addition to taking an increasing amount of energy from the team, this puts our hosted agent pools under stress and degrades the experience of all our users – both open source and paid.

To address this situation, we are making some changes – effective immediately:

  • New public projects created in Azure DevOps will no longer get a free grant of concurrent pipelines. As a result, you won’t be able to run pipelines when you create a new public project.
  • If you are a maintainer of an open-source project, you are likely already using a GitHub repository to manage your source code. So, we strongly recommend using GitHub Actions for your CI needs. This provides a more integrated experience with your repositories.
  • If you still decide to use Azure Pipelines, then we are working on a process to support your needs. Please stay tuned while we finalize this process. We will post an update in this blog as well as in our documentation, once we have it ready for you.

Note that:

  • This change does not impact our existing open-source or public project users. It only impacts new projects that you create in new Azure DevOps organizations.

We are sorry for the inconvenience this will introduce for open source customers wishing to use Azure Pipelines for CI/CD. Unfortunately, we believe that this is necessary for us to continue providing a high level of service to all our customers.

Update (2/22/2021):

We now have an updated process for you to request the free grant of parallel jobs in Azure Pipelines. Please send an email to azpipelines-ossgrant@microsoft.com and provide the following details:

  • Your name
  • Azure DevOps organization for which you are requesting the free grant
  • Links to the repositories that you plan to build
  • Brief description of your project

We will review your request and respond within a few days.

4 comments

Leave a comment

  • Avatar
    Alexander Omelchuk

    Since the recommendation here is to use GitHub Actions, it seems like the crypto miners will hardly be affected by this change. All they need to do is switch to GitHub Actions.

    It feels like Microsoft is sunsetting Azure DevOps in favor of GitHub (a logical step given that these tools compete) but does not wish to directly acknowledge it. Hope you will be able to share the long term plans for the future of Azure DevOps in the upcoming posts.

    • Avatar
      Ivan J

      Agreed, funnily enough this message comes from the “Director of Product Management, GitHub”.

      How is Github Actions handling mining differently? Why wouldn’t miner just switch and cause problems there?

      This feels like a good uses case for MS to push users to GH Actions without explaining that you are clearly dropping Azure DevOps.

  • Avatar
    devopswizard

    personally i’m grateful for
    * the fact that the offer in question is a top notch cloud based ci/cd platform
    * that i can customize for my own private and open-source build
    * and organizational needs that i’ve been actively using without paying for years
    * without spending my own devops efforts maintaining a devops infrastructure

    it’s outrageous that crypto miners or anyone else should abuse the service to the extent that it precipitates the (use your own adjective here) operator into service degrading mitigations.

    from the perspective of paying customers the operator is alleging a chronic denial of service attack that is in fact resulting in a denial of service. as a paying microsoft customer i’m not just concerned that this vendor’s infrastructure is showing extreme vulnerability – i’m annoyed to find yet another annoyance of the horseless newspaper in my feed