We need an entire separate infrastructure environment for internal azure devops PRs

[riarenas]

Guidance in https://eng.ms/docs/cloud-ai-platform/devdiv/one-engineering-system-1es/1es-docs/1es-pipeline-templates/onboardingesteams/security-compliance shows we need to separate the PR and official build environment entirely. New hosted pools and service connections.

Release Note Category

• [ ] Feature changes/additions
• [ ] Bug fixes
• [ ] Internal Infrastructure Improvements

  Release Note Description

[missymessa]

Ops: Need to determine how much work this will be, and what the deadline (if any) is for this work.

[riarenas]

while the documentation mentions that this is not something enforced by 1ES PT. It specifically calls scenarios where PR builds have any access to the same resources as official builds, and we share the machine pools and images with things like the signing resources.

I don't think there will be a separate deadline tracking this, but isolating internal PRs is still the right thing to do according to the guidance and motivation.