(DO NOT MERGE) Improve release pipeline reliability and 1ES compliance#15751

Open
vmoroz wants to merge 2 commits into microsoft:main from vmoroz:PR/improve-release-pipeline

Conversation

@vmoroz vmoroz commented Mar 10, 2026

Description

Overhaul the Release pipeline (release.yml) to fix triggering issues, improve 1ES compliance, and reduce code duplication. Also harden the Publish pipeline's symbol publishing step.

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • Automation (AI changes or GitHub Actions to reduce effort of manual tasks)

Why

The Release pipeline had several issues:

  • Dual trigger definitions (YAML + UI) caused incorrect pipeline metadata (wrong PR title/branch shown)
  • Non-release Publish builds (e.g. canary) could trigger a release
  • Jobs were not marked as 1ES release jobs, causing SDL baseline warnings
  • ADO NuGet push logic was duplicated across two jobs
  • Symbol publishing failed on re-runs due to duplicate PDB errors
  • PushNuGetOrg used errorActionPreference: silentlyContinue, hiding real errors

What

release.yml:

  • Removed YAML pipeline resource trigger (triggering is now UI-only, avoiding metadata confusion)
  • Added pr: none and explicit trigger: none on pipeline resource
  • Added stage condition: auto-triggered runs require RELEASE: commit message prefix; manual runs always proceed
  • Marked all jobs as type: releaseJob / isProduction: true for 1ES compliance
  • Replaced duplicated ADO NuGet push code with a shared template (publish-nuget-to-ado-feed.yml)
  • Replaced checkout: self in PushNpm with artifact-based npmPack.js (no checkout needed)
  • Replaced PowerShell-based NuGet.org push with script steps (fixing dir /S incompatibility in PowerShell)
  • Removed errorActionPreference: silentlyContinue from NuGet.org push
  • Removed redundant canary build check (now handled by RELEASE: stage condition)
  • Set timeoutInMinutes: 30 on all jobs (was 0/infinite)
  • Fixed display name: PushPrivateAdo NuGet task now correctly says "ms/react-native"
  • Added header comment explaining pipeline purpose

publish.yml:

  • Make sure that we always sign binaries and NuGet packages.
  • Added continueOnError: true to PublishSymbols@2 (duplicate symbols on re-run are harmless)
  • Added step to include npmPack.js in the VersionEnvVars artifact

npmPack.js:

  • Skip findEnlistmentRoot() when --no-pack is used with an absolute target path (enables running from artifact without repo checkout)

New: .ado/templates/publish-nuget-to-ado-feed.yml

  • Reusable template for ADO NuGet feed publishing (Managed Identity auth + 1ES.PublishNuGet)
  • Includes continueOnError: true for idempotent re-runs

Deleted: authenticate-office-react-native-windows-bot.yml

  • Unused template (no references in codebase)

Screenshots

N/A

Testing

Manually ran the Release pipeline against the 0.81-stable Publish artifacts. Verified:

  • All four publish jobs execute successfully
  • ADO NuGet feeds handle duplicate packages gracefully (continueOnError)
  • nuget.org push handles duplicates via -SkipDuplicate
  • Stage condition correctly skips non-RELEASE builds and allows manual runs

Changelog

Should this change be included in the release notes: no

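The stage gating and job hardening described in the PR, as an added Azure Pipelines example (this is not the PR's release.yml or any file from the microsoft/react-native-windows repository). The pipeline alias `publish`, the upstream pipeline name `Publish`, the artifact name `NuGetPackages`, the job name `PushNuGetOrg` and the secret variable `NuGetOrgApiKey` are assumptions for illustration; the `templateContext` block is the 1ES Pipeline Templates release-job marker and is assumed to sit inside the 1ES `extends:` wrapper that the real pipeline uses (omitted here).

```yaml
# Added example (not the PR's release.yml): a Release stage gated the way the PR describes.
# Names marked "assumed" are illustrative and do not come from the original pipeline.

resources:
  pipelines:
    - pipeline: publish          # assumed alias for the upstream Publish pipeline
      source: Publish            # assumed name of the Publish pipeline
      trigger: none              # completion triggering is configured in the UI only

trigger: none                    # no CI trigger on this repo
pr: none                         # never run for pull requests

stages:
  - stage: Release
    displayName: Release
    # Auto-triggered runs (Build.Reason == 'ResourceTrigger') proceed only when the commit
    # message starts with "RELEASE:"; a manual run (Build.Reason == 'Manual') always proceeds.
    # Assumption: Build.SourceVersionMessage is the message of the commit the run is queued on.
    condition: or(eq(variables['Build.Reason'], 'Manual'), startsWith(variables['Build.SourceVersionMessage'], 'RELEASE:'))
    jobs:
      - job: PushNuGetOrg        # assumed job name
        timeoutInMinutes: 30     # was 0 (no limit): a hung push now fails instead of running forever
        templateContext:         # 1ES Pipeline Templates release-job marker (assumed placement)
          type: releaseJob
          isProduction: true
        steps:
          - download: publish    # fetch artifacts from the Publish pipeline resource, no checkout
            artifact: NuGetPackages   # assumed artifact name
          # A plain script step: no PowerShell $ErrorActionPreference suppression, so a
          # non-zero exit code from nuget.exe fails the job. -SkipDuplicate makes a re-run
          # against versions that are already on nuget.org a no-op instead of an error.
          - script: >
              nuget push "$(Pipeline.Workspace)\publish\NuGetPackages\*.nupkg"
              -Source https://api.nuget.org/v3/index.json
              -ApiKey $(NuGetOrgApiKey)
              -SkipDuplicate
            displayName: Push packages to nuget.org
```

To check the gate, queue the pipeline manually against a canary Publish run and confirm the stage executes; then let a Publish run whose commit message lacks the `RELEASE:` prefix complete and confirm the stage is skipped rather than failed. Because `-SkipDuplicate` silences only the duplicate-version case, any other push error (expired API key, package validation failure) still surfaces as a job failure.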

@vmoroz vmoroz requested review from a team as code owners March 10, 2026 02:39
@vmoroz vmoroz changed the title Improve release pipeline reliability and 1ES compliance (DO NOT MERGE) Improve release pipeline reliability and 1ES compliance Mar 10, 2026