Target platforms

The target field in the front matter determines the output format and execution environment for the compiled pipeline.

The standalone target generates a self-contained Azure DevOps pipeline with:

  • Full 3-job pipeline: Agent -> Detection -> SafeOutputs
  • AWF (Agentic Workflow Firewall) L7 domain whitelisting via Squid proxy + Docker
  • MCP Gateway (MCPG) for MCP routing with SafeOutputs HTTP backend
  • Setup/teardown job support
  • All safe output features (create-pull-request, create-work-item, etc.)

This is the recommended target for maximum flexibility and security controls.

The 1es target generates a pipeline that extends the 1ES Unofficial Pipeline Template:

  • Uses templateContext.type: buildJob with Copilot CLI + AWF + MCPG (same execution model as standalone)
  • Integrates with 1ES SDL scanning and compliance tools
  • Full 3-job pipeline: Agent -> Detection -> SafeOutputs
  • Requires 1ES Pipeline Templates repository access

Example:

target: 1es

When using target: 1es, the pipeline will extend 1es/1ES.Unofficial.PipelineTemplate.yml@1ESPipelinesTemplates.

The job target generates a job-level ADO YAML template with jobs: at root. This is a reusable template that can be included in an existing pipeline; it does not generate a complete pipeline.

The output contains the same 3-job chain (Agent -> Detection -> SafeOutputs) as standalone, with:

  • Job names prefixed with the agent name for uniqueness (e.g., DailyReview_Agent)
  • No triggers, pipeline name, or resource declarations (the parent pipeline owns those)
  • Pool baked in from the front matter pool: field

Example front matter:

target: job

Including the template in a parent pipeline's jobs: list:

jobs:
  - job: Build
    steps: ...
  - template: agents/review.lock.yml

Including it inside a stage of a multi-stage parent pipeline:

stages:
  - stage: Build
    jobs: ...
  - stage: AgenticReview
    dependsOn: Build
    jobs:
      - template: agents/review.lock.yml

  • Triggers (on:) are ignored with a warning (the parent pipeline controls triggers)
  • If the agent declares additional repositories via repos:, add them to the parent pipeline’s resources: block (documented in the generated file header)

The stage target generates a stage-level ADO YAML template with stages: at root. This wraps the 3-job chain inside a stage block for direct inclusion in multi-stage pipelines.

Example front matter:

target: stage

Including the template in a parent pipeline's stages: list:

stages:
  - stage: Build
    jobs: ...
  - template: agents/review.lock.yml
    dependsOn: Build
    condition: succeeded()

ADO natively supports dependsOn and condition at the template call site — no template parameters are needed for stage ordering.

  • Same 3-job chain, job-name prefixing, and pool handling as target: job
  • Triggers (on:) are ignored with a warning
  • If the agent declares additional repositories via repos:, add them to the parent pipeline’s resources: block
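
A complete parent pipeline that consumes the stage-level template, showing the pieces the template leaves to the parent (trigger and resources). This is an added example, not taken from the original documentation; the repository alias, project/repository name, job name, and pool image are hypothetical placeholders, and the real repository entries should be copied from the generated file header.

```yaml
# Parent pipeline (constructed example). The parent owns the trigger and
# the resources: block; the included template contributes only stages.
trigger:
  branches:
    include:
      - main

resources:
  repositories:
    # Placeholder for a repository the agent declares under repos:.
    # Take the real alias and name from the generated file header.
    - repository: shared-tools            # hypothetical alias
      type: git
      name: ExampleProject/shared-tools   # hypothetical project/repo
      ref: refs/heads/main

stages:
  - stage: Build
    jobs:
      - job: Compile                      # hypothetical job name
        pool:
          vmImage: ubuntu-latest          # assumed pool for the build job
        steps:
          - script: echo "build steps go here"

  # Stage-level template compiled with target: stage. Ordering is set at
  # the call site as described above; no template parameters are passed.
  - template: agents/review.lock.yml
    dependsOn: Build
    condition: succeeded()
```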