Branch to Environment Mapping

This page documents how Git branches map to Azure environments, which pipeline variable groups are loaded per environment, and the full trigger configuration for each orchestrator.

---

Branch Mapping Table

Branch Pattern	Target Environment	Auto-Deploy	Approval Gate	Domain
main	Production	No	Yes — Release Manager	onlinemicrotec.com.sa
master	Production	No	Yes — Release Manager	onlinemicrotec.com.sa
Production	Production	No	Yes — Release Manager	onlinemicrotec.com.sa
Stage	Stage	Yes	No	microtecstage.com
PreProd	Pre-Production	Yes	No	microtec-preprod.com
preprod	Pre-Production	Yes	No	microtec-preprod.com
develop	Development	Yes	No	microtec-test.com
Sprint*	Development	Yes	No	microtec-test.com
(all others)	Development	Yes	No	microtec-test.com

Branch Triggers Are Case-Sensitive

The branch triggers use exact names: Stage (capital S), Production (capital P), PreProd (camel-case). Verify branch names match exactly when configuring triggers.

Fast Deploy Exception

The fast-deploy-pipeline.yml pipeline is never triggered automatically. It is always run manually via the Azure DevOps UI with explicit targetEnvironment and service toggle parameters. See Fast Deploy Path.

---

Environment Resolution Logic

The pipeline resolves the target environment using this PowerShell logic:

# In initialize.stage.yml
$branch = $env:BUILD_SOURCEBRANCH -replace '^refs/heads/', ''

$environment = switch -Wildcard ($branch) {
    'main'        { 'production' }
    'master'      { 'production' }
    'Production'  { 'production' }
    'Stage'       { 'stage' }
    'PreProd'     { 'preprod' }
    'preprod'     { 'preprod' }
    'uat'         { 'uat' }
    'develop'     { 'dev' }
    'Sprint*'     { 'dev' }
    default       { 'dev' }
}

Write-Host "##vso[task.setvariable variable=ENVIRONMENT;isOutput=true]$environment"

---

Variable Groups per Environment

Each environment has a dedicated Azure DevOps Library variable group. Pipelines always link container-backend-shared plus the environment-specific secrets group:

# In pipeline YAML
variables:
  - group: container-backend-shared
  - ${{ if eq(parameters.targetEnvironment, 'production') }}:
    - group: container-backend-secrets-production
  - ${{ if eq(parameters.targetEnvironment, 'stage') }}:
    - group: container-backend-secrets-stage
  - ${{ if eq(parameters.targetEnvironment, 'preprod') }}:
    - group: container-backend-secrets-preprod
  - ${{ if eq(parameters.targetEnvironment, 'uat') }}:
    - group: container-backend-secrets-uat
  - ${{ else }}:
    - group: container-backend-secrets-dev

Variable Group Reference

Variable Group	Contents
container-backend-shared	Shared vars (NuGet uses System.AccessToken; no secrets)
container-backend-secrets-dev	Dev environment secrets (SQL passwords, Keycloak admin, JWT keys, etc.)
container-backend-secrets-stage	Stage environment secrets
container-backend-secrets-preprod	Preprod environment secrets
container-backend-secrets-uat	UAT environment secrets
container-backend-secrets-production	Production environment secrets

Key Vault Name Values (Non-Standard)

KEY_VAULT_NAME Values Are Non-Standard

Because Key Vault names don't follow a consistent formula, the Key Vault name for each environment must be stored explicitly. Actual names:

Environment	Key Vault Name
dev	mic-erp-be-dev-skv
stage	mic-erp-stg-kv
preprod	mic-erp-be-preprod-skv
uat	mic-erp-uat-kv
production	(contact platform team)

---

Frontend Branch Mapping

The unified-frontend-pipeline.yml uses the same branch-to-environment mapping. Frontend variable groups follow the same pattern:

Branch	Environment	Variable Group	Blob Storage Account
main/master/production	prod	mic-erp-fr-prod-vars	micerpfrprodsa
stage/staging	stage	mic-erp-fr-stage-vars	micerpfrstage sa
PreProd/preprod	preprod	mic-erp-fr-preprod-vars	micerpfrpreprodsa
uat	uat	mic-erp-fr-uat-vars	micerpfruatsa
others	dev	mic-erp-fr-dev-vars	micerpfrdevsa

---

Azure DevOps Environment Protection Rules

Azure DevOps Environments enforce approval gates at the pipeline level. These are separate from the variable groups:

ADO Environment	Protection	Approvers
production	Manual approval required	Release Manager, CTO (any 1)
uat	None	—
preprod	None	—
stage	None	—
dev	None	—

The production environment also has:

• Deployment freeze: No deployments between 4 PM – 8 AM GST (configured as a business hours check)
• Required checks: Stage smoke tests must be green within last 4 hours

---

Visualizing Current Deployments

Check what's deployed where:

# List all container app revisions with traffic weights
az containerapp revision list \
  --name accounting \
  --resource-group mic-erp-be-stage-apps-rg \
  --query "[].{name:name, active:properties.active, weight:properties.trafficWeight, image:properties.template.containers[0].image}" \
  --output table

# Check all services in an environment
for svc in accounting hr finance sales purchase inventory distribution fixed-assets notification workflow attachment; do
  echo "=== $svc ==="
  az containerapp show \
    --name $svc \
    --resource-group mic-erp-be-dev-apps-rg \
    --query "properties.latestRevisionName" -o tsv
done

---

Troubleshooting Branch Triggers

Symptom	Likely Cause	Resolution
Pipeline not triggered on push	Branch filter doesn't match	Check trigger.branches.include in YAML
Wrong environment targeted	Branch name doesn't match exact patterns	Check case sensitivity (PreProd vs preprod)
Variable group not loaded	ENVIRONMENT variable not set before group reference	Ensure Prepare stage sets ENVIRONMENT before variable group load
Production deploy without approval	ADO environment protection not configured	Set up approval gate in ADO Environments page

---

Related Documentation

• CI/CD Overview — Full pipeline ecosystem
• Orchestrators — Pipeline stages and triggers
• Fast Deploy Path — Manual trigger details
• Infrastructure: Naming — Resource name patterns used in variable groups