adding azure pipeline to do the release instead

.azure-devops/graphitation-release.yml

@@ -0,0 +1,27 @@
+pr: none
+trigger: none
+
+variables:
+  - group: "Github and NPM secrets"
+  - group: InfoSec-SecurityResults
+  - name: tags
+    value: production,externalfacing
+
+jobs:
+  - template: .devops/templates/compliance-job.yml
+  - job: Release
+    dependsOn: Compliance
+    pool: "1ES-Host-Ubuntu"
+    steps:
+      - script: yarn
+      - script: |
+          yarn ci
+        displayName: build and test [test]
+      - script: |
+          git config user.email "gql-svc@microsoft.com"
+          git config user.name "Graphitation Service Account"
+        displayName: Configure git for release
+      - script: yarn release -y -n $(npmToken) --access public
+        displayName: Release
+        env:
+          NPM_AUTHTOKEN: $(githubPAT)

.azure-devops/templates/compliance-job.yml

@@ -0,0 +1,51 @@
+# These steps have to run on a windows machine,
+# and therefore unfortunately can't be integrated in the regular steps
+
+jobs:
+  - job: compliance
+    displayName: Compliance checks
+    pool:
+      name: 1ES-Teams-Win2016-TSW
+    steps:
+      - task: UseDotNet@2
+        condition: succeededOrFailed()
+        displayName: "Use .NET Core sdk 3.x"
+        inputs:
+          version: 3.x
+          steps:
+
+      - task: securedevelopmentteam.vss-secure-development-tools.build-task-credscan.CredScan@3
+        condition: succeededOrFailed()
+        displayName: "🧭 Run Credential Scanner"
+        inputs:
+          debugMode: false
+
+      - task: securedevelopmentteam.vss-secure-development-tools.build-task-eslint.ESLint@1
+        condition: succeededOrFailed()
+        displayName: "🧭 Run ESLint"
+
+      - task: securedevelopmentteam.vss-secure-development-tools.build-task-publishsecurityanalysislogs.PublishSecurityAnalysisLogs@3
+        displayName: "🧭 Publish Guardian Artifacts - All Tools"
+        inputs:
+          ArtifactType: M365
+        condition: succeededOrFailed()
+
+      - task: AssetRetention@3
+        displayName: 🧭 Arrow Retention
+        inputs:
+          ArrowServiceConnection: "Arrow_domoreexp_Teamspace_PROD"
+          AssetGroupName: "$(System.TeamProject)_$(Build.DefinitionName)"
+          AssetNumber: "$(Build.BuildId)"
+          IsShipped: false
+          DropsToRetain: "CodeAnalysisLogs"
+        condition: and(succeeded(), eq(variables['Build.SourceBranch'], 'refs/heads/master'))
+
+      - task: securedevelopmentteam.vss-secure-development-tools.build-task-postanalysis.PostAnalysis@2
+        displayName: "🧭 Guardian Break"
+        inputs:
+          GdnBreakPolicyMinSev: Warning
+          GdnBreakAllTools: true
+          GdnBreakGdnToolESLint: true
+          GdnBreakGdnToolESLintSeverity: Warning
+          GdnBreakPolicy: M365
+        condition: succeededOrFailed()

.github/workflows/release.yml

@@ -1,32 +0,0 @@
-name: Release
-
-on:
-  workflow_dispatch:
-  push:
-    branches: [main]
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-
-    strategy:
-      matrix:
-        node-version: [14.x]
-
-    steps:
-      - uses: actions/checkout@v2
-        with:
-          token: ${{ secrets.repo_pat }}
-      - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v1
-        with:
-          node-version: ${{ matrix.node-version }}
-      - run: yarn install
-      - run: yarn ci
-      - run: |
-          git config user.email "gql-svc@microsoft.com"
-          git config user.name "Graphitation Service Account"
-      - run: yarn types
-      - run: yarn release -y -n $NPM_AUTHTOKEN --access public
-        env:
-          NPM_AUTHTOKEN: ${{ secrets.npm_authtoken }}