Refactor: separate pipelines per environment into single deployment pipeline

[julie-ng]

Purpose

Previously we had separate dev.yaml and production.yaml pipelines. In part because I was paranoid about what code was going where and tried to get security via code, e.g. this vars/global.yaml.

variables:
  isMain:              ${{ eq(variables['Build.SourceBranch'], 'refs/heads/main') }}
  isProduction:        ${{ eq(variables['Build.SourceBranch'], 'refs/heads/production') }}
  isTag:               ${{ startsWith(variables['Build.SourceBranch'], 'refs/tags/v') }}
  isFork:              ${{ eq(variables['System.PullRequest.IsFork'], 'True') }}
  isPR:                ${{ eq(variables['Build.Reason'], 'PullRequest') }}
  isTrustedCode:       ${{ eq(variables.isFork, 'False') }}
  isScheduled:         ${{ eq(variables['Build.Reason'], 'Schedule') }}
  isTrustedCI:         ${{ and( eq(variables.isFork,'False'), eq(variables.isPR,'False'), eq(variables.isScheduled,'False') ) }}

Actually this is convoluted. Instead, we will

• apply security guardrails in form of Approval on the credentials (service connection or variable group)
• using single pipeline allows for linear CI --> Dev --> Production staging visualization that many customers want.

Instead of looking for which branch triggered the deployment, we can recognize from the circles, which environment was deployed. Note: in the current YAML, main and production are separate triggers. So you will never get all 3 stages (e.g. circles) green in a single pipeline run.