Tracking the S360 Change Management control: No release tasks outside of release jobs in pipeline.
The original .pipelines/modelkit-release-github.yml ran GitHubRelease@1 inside a regular job:, which violates this control. 1ES Official requires release tasks (GitHubRelease@1, EsrpRelease@*, etc.) to live inside a job with templateContext.type: releaseJob.
Remediation: #616 splits the GitHub release pipeline into Prepare (regular job, stages assets and publishes a pipeline artifact) and CreateGitHubRelease (templateContext.type: releaseJob, consumes the artifact and invokes GitHubRelease@1).
The PyPI release pipeline (#473) was authored under the same shape from the start (PublishToESRP is a releaseJob), so it is not affected.
Tracking the S360 Change Management control: No release tasks outside of release jobs in pipeline.
The original
.pipelines/modelkit-release-github.ymlranGitHubRelease@1inside a regularjob:, which violates this control. 1ES Official requires release tasks (GitHubRelease@1,EsrpRelease@*, etc.) to live inside a job withtemplateContext.type: releaseJob.Remediation: #616 splits the GitHub release pipeline into
Prepare(regular job, stages assets and publishes a pipeline artifact) andCreateGitHubRelease(templateContext.type: releaseJob, consumes the artifact and invokesGitHubRelease@1).The PyPI release pipeline (#473) was authored under the same shape from the start (
PublishToESRPis areleaseJob), so it is not affected.