Target platforms
Target Platforms
Section titled “Target Platforms”The target field in the front matter determines the output format and execution environment for the compiled pipeline.
standalone (default)
Section titled “standalone (default)”Generates a self-contained Azure DevOps pipeline with:
- Full 3-job pipeline:
Agent→Detection→SafeOutputs - AWF (Agentic Workflow Firewall) L7 domain whitelisting via Squid proxy + Docker
- MCP Gateway (MCPG) for MCP routing with SafeOutputs HTTP backend
- Setup/teardown job support
- All safe output features (create-pull-request, create-work-item, etc.)
This is the recommended target for maximum flexibility and security controls.
Generates a pipeline that extends the 1ES Unofficial Pipeline Template:
- Uses
templateContext.type: buildJobwith Copilot CLI + AWF + MCPG (same execution model as standalone) - Integrates with 1ES SDL scanning and compliance tools
- Full 3-job pipeline: Agent → Detection → SafeOutputs
- Requires 1ES Pipeline Templates repository access
Example:
target: 1esWhen using target: 1es, the pipeline will extend 1es/1ES.Unofficial.PipelineTemplate.yml@1ESPipelinesTemplates.
Generates a job-level ADO YAML template with jobs: at root. This is a
reusable template that can be included in an existing pipeline — it does not
generate a complete pipeline.
The output contains the same 3-job chain (Agent → Detection → SafeOutputs) as
standalone, with:
- Job names prefixed with the agent name for uniqueness (e.g.,
DailyReview_Agent) - No triggers, pipeline name, or resource declarations (the parent pipeline owns those)
- Pool baked in from the front matter
pool:field (vmImageorname; defaults tovmImage: ubuntu-22.04)
Example front matter:
target: jobUsage in a flat pipeline
Section titled “Usage in a flat pipeline”jobs: - job: Build steps: ... - template: agents/review.lock.yml parameters: dependsOn: [Build] # list of upstream job names; omit for implicit dep on previous job condition: succeeded('Build') # optional; ANDed into the agent job's internal conditionUsage inside a user-defined stage
Section titled “Usage inside a user-defined stage”stages: - stage: Build jobs: ... - stage: AgenticReview dependsOn: Build jobs: - template: agents/review.lock.yml- ADO’s
jobs.templateschema only allowstemplate:andparameters:at the call site.dependsOn:andcondition:as bare keys on the- template:line are rejected; the compiled template surfaces them as parameters and applies them to the agent job internally. - When the agent has a Setup job (e.g. PR or pipeline filters), the
dependsOnparameter must be a YAML list — the template uses${{ each }}to mergeSetupwith the caller’s deps, and${{ each }}requires an iterable. For agents without a Setup job, either a string or a list works. - The
conditionparameter is ANDed into the agent job’s existing internal condition. Omit it to preserve ADO’s nativesucceeded()behaviour.
Generates a stage-level ADO YAML template with stages: at root. This
wraps the 3-job chain inside a stage block for direct inclusion in multi-stage
pipelines.
Example front matter:
target: stagestages: - stage: Build jobs: ... - template: agents/review.lock.yml parameters: dependsOn: Build # or [Build, Test]; omit for implicit dep on previous stage condition: succeeded('Build') # optional; omit for ADO's default succeeded()- ADO’s
stages.templateschema only allowstemplate:andparameters:at the call site.dependsOn:andcondition:as bare top-level keys on the- template:line are rejected by the YAML parser. The compiled template surfaces them as parameters and applies them to the inner stage block. - The
dependsOnparameter accepts a single string or a list (matching ADO’s nativedependsOn:semantics). - Same 3-job chain, job-name prefixing, and pool handling as
target: job.
Template Target Considerations
Section titled “Template Target Considerations”Both job and stage targets produce templates with the same 3-job execution chain (Agent → Detection → SafeOutputs), job-name prefixing for uniqueness, and pool configuration baked in from the pool: front-matter field. The difference is only in the YAML wrapper: jobs: at root vs. stages: at root.