[enhancement]: Allow ManualValidation task to limit who can approve the step

[andyfisher100]

Task name

ManualValidation

Describe your feature request here

Whilst environments allow us to have validation on a whole pipeline stage, sometimes its ideal to have approvals on just a single job within a stage and the ManualValidation task is ideal for this

However ManualValidation currently allows anyone with Queue Build permissions to approve the validation. It would be nice to limit who can approve the task to people specified in the task inputs

[Mabog10]

Yes, this feature would be great.

[neeles83]

second that, you should also not be able to approve your own pipeline runs. right groups should be added to the environments as it's already there and can be re-used in the manual validation process.

[AndrewKlimovski]

Any movement on this? Seems like the only logical way to have an approval process in CI, rather than anyone being able to approve/deploy

[stetou]

Queue Build is allowed to Contributor. And you need to be a contributor to Build pipelines. So evryone can resume the task.
At least, a user should not be able to approve is own pipeline runs as stated above

[VictorIreri]

It seems ManualValidation@1 was created for this purpose. However, the new approvers feature doesn't work currently, according to the docs. 😬

• PR: Add new version of server task ManualValidation #19899
• Docs: https://learn.microsoft.com/en-us/azure/devops/pipelines/tasks/reference/manual-validation-v1
  

[stetou]

@VictorIreri Thank you, I did know there was a new version. The new parameter approvers works just fine

[VictorIreri]

@stetou The warning is no longer present in the docs but having tested it, I can't seem to get it to work as expected for a single user or a team. 🤔
If it works for you, can you share a screenshot of what the user sees if they do not have the permission to approve?
Also, although not definitively stated in the docs, I presume the expected value is either an email for a specific user or a team name e.g.
approvers: '[email protected]' OR approvers: 'Platform - Team'
I also tried IDs and that didn't work either. ¯\_(ツ)_/¯

[volodymyrmarkiv]

I confirm, the task seems to have a bug and is not working correctly. I only see a page with no buttons.

[stetou]

I confirm, the task seems to have a bug and is not working correctly. I only see a page with no buttons.

That is in the log view, but at pipeline view where you see all the Stages I should see a VIEW button, instead a REVIEW button

[stetou]

@volodymyrmarkiv @VictorIreri

Here is my task definition

When I run the pipelin eI get a VIEW button, instead of a REVIEW button

[volodymyrmarkiv]

It doesn't matter where I click on the View button - the result is the same.
P.S.: the configuration is pretty much the same as yours.

[volodymyrmarkiv]

I apologize for the misinformation. The task is working correctly. The issue was with usernames. Azure DevOps usernames are case-sensitive, so [email protected] != [email protected].

[VictorIreri]

I had a typo in my configuration which I've fixed and now I see exactly what you posted @stetou. Thanks. 👍

[github-actions]

This issue is stale because it has been open for 180 days with no activity. Remove the stale label or comment on the issue otherwise this will be closed in 5 days