Use ' - ' separator in release-version build tag

[joperezr]

TL;DR

AzDO's 1ES PT request-validation handler rejects : in build tag names because the agent's ##vso[build.addbuildtag] implementation calls PUT /_apis/build/builds/{buildId}/tags/{tag}, and the : ends up in the URL path:

##[error]A potentially dangerous Request.Path value was detected from the client (:).

This breaks both pipelines that emit the tag:

• Source build (azure-pipelines.yml): https://dev.azure.com/dnceng/internal/_build/results?buildId=2978468
• Release-publish (release-publish-nuget.yml): https://dev.azure.com/dnceng/internal/_build/results?buildId=2978372

Fix

Switch the tag format from release-version:13.3.4 to release-version - 13.3.4, mirroring the existing BAR ID - <id> tag style that AzDO already emits without issue:

Changes:

• eng/pipelines/azure-pipelines.yml — emit release-version - $version instead of release-version:$version.
• eng/pipelines/release-publish-nuget.yml — update the regex parser, error/warning messages, and surrounding comments to match the new format. The redundant cosmetic addbuildtag on the release run stays removed (no functional impact).
• docs/release-process.md — update the two references to the tag format.

Safety

• Only the display format of the tag changes; the parser is updated in lockstep with the emitter.
• A source build done from main (or any release branch that picks up this change) will emit the new format, and the release-publish pipeline run from that same commit will read it correctly.
• For an in-flight release where the source build was made before this change, operators can pass -ReleaseVersion <X.Y.Z> explicitly — the documented override path is unchanged.

[github-actions]

🚀 Dogfood this PR with:

⚠️ WARNING: Do not do this without first carefully reviewing the code of this PR to satisfy yourself it is safe.

curl -fsSL https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 17236

Or

• Run remotely in PowerShell:

iex "& { $(irm https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 17236"

[Copilot]

Pull request overview

This PR fixes a release pipeline failure in release-publish-nuget by removing an informational build.addbuildtag emission that includes a : character, which can be rejected by AzDO/1ES request-path validation when converted into a REST URL path segment.

Changes:

• Removed ##vso[build.addbuildtag]release-version:$effective from the deriveReleaseVersion step to prevent Request.Path validation failures.
• Kept the functional output (releaseVersionEffective task output variable) intact for downstream consumption.

Show a summary per file

File	Description
eng/pipelines/release-publish-nuget.yml	Removes the build.addbuildtag call that can fail due to : in the tag value, while preserving the output variable used by later steps/stages.

Copilot's findings

• Files reviewed: 1/1 changed files
• Comments generated: 0

[aspire-repo-bot]

✅ No documentation update needed.

docs_optional → build_or_ci_only

No signals triggered (signal_count == 0); only_test_or_build_changes advisory is true.

All 3 changed files are in eng/ or docs/ (internal release-process docs):

• eng/pipelines/azure-pipelines.yml — build tag format fix
• eng/pipelines/release-publish-nuget.yml — regex/comment updates for new tag format
• docs/release-process.md — internal release-operator instructions (not microsoft/aspire.dev user docs)

This is a CI/pipeline-only change fixing AzDO build tag format from release-version:13.3.4 to release-version - 13.3.4. No user-facing API, CLI, configuration, or documentation surface changed.