Remove GitHub PAT usage from release templates #44

Merged
daviburg merged 5 commits into main from security/remove-python-release-pat on Jun 25, 2026

Conversation

daviburg (Member) commented Jun 17, 2026

Removes GitHub PAT usage from the Python release templates and makes GitHub Release identity explicit.

Changes:

  • Release branch creation uses checkout: self with persistCredentials: true instead of embedding $(GithubUser):$(GithubPat) in the remote URL.
  • Release tag creation checks out the release branch through persisted checkout credentials and pushes the tag without an inline token.
  • GitHub draft release creation and asset upload use GitHubRelease@1 via the githubServiceConnection parameter.
  • githubServiceConnection is now an explicit release parameter, not an implicit $(GitHubServiceConnection) variable.

Service connection requirement:

  • I checked the current azfunc/public and azfunc/internal Azure DevOps projects and did not find an existing GitHub service connection.
  • Before this release pipeline can be used end-to-end, the Azure Pipelines project must create/provide a GitHub service connection with write access to Azure/connectors-python-sdk.
  • Queue the release pipeline with githubServiceConnection=<service connection name>.

Validation performed in this PR:

  • git diff --check
  • normal PR CI/YAML checks
  • searched the touched release templates for GithubPat, GithubUser, Basic auth, api.github.com, and Invoke-WebRequest; no remaining matches
  • resolved Copilot comments about stale # Create GitHub credential comments

End-to-end validation path after service connection creation:

  1. Create the GitHub service connection in the Azure Pipelines project with write access to Azure/connectors-python-sdk.
  2. Queue eng/ci/library-release.yml with a test/pre-release libraryVersion and githubServiceConnection=<service connection name>.
  3. Verify the BumpVersion stage creates/pushes the release branch without GithubPat/GithubUser variables.
  4. Verify the Release stage creates a draft GitHub Release and attaches the built .whl / .tar.gz assets through GitHubRelease@1.
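
A pre-merge check in the spirit of the validation step listed above, written here as an added example that is not part of the PR or the repository: it greps a release template for the PAT-era patterns the description names and fails the build on any hit. The two embedded YAML fragments are constructed to mirror the "before" and "after" shapes described in the PR, and the names `PAT_PATTERNS`, `check_release_template`, `write_before`, `write_after` and `verify_rewrite` are chosen for this example only.

```shell
# Added example, not code from the PR: a pre-merge lint for release templates
# that fails when a template still carries the inline-PAT patterns the PR
# author searched for (GithubPat, GithubUser, Basic auth, api.github.com, Invoke-WebRequest).
PAT_PATTERNS='GithubPat|GithubUser|Basic auth|api\.github\.com|Invoke-WebRequest'

# Returns 0 when the template has no PAT-style usage, 1 otherwise; offending
# lines go to stderr with line numbers so the CI log shows exactly where.
check_release_template() {
  grep -nE "$PAT_PATTERNS" "$1" >&2 && return 1
  return 0
}

# Constructed "before" fragment: token spliced into the remote URL, release created via REST.
write_before() {
  cat > "$1" <<'EOF'
steps:
  - pwsh: |
      git remote set-url origin "https://$(GithubUser):$(GithubPat)@github.com/Azure/connectors-python-sdk.git"
      git push origin "release/$(libraryVersion)"
      Invoke-WebRequest -Uri "https://api.github.com/repos/Azure/connectors-python-sdk/releases" -Method Post
EOF
}

# Constructed "after" fragment: persisted checkout credentials for git, GitHubRelease@1 via service connection.
write_after() {
  cat > "$1" <<'EOF'
steps:
  - checkout: self
    persistCredentials: true
  - pwsh: git push origin "release/$(libraryVersion)"
  - task: GitHubRelease@1
    inputs:
      gitHubConnection: ${{ parameters.githubServiceConnection }}
      repositoryName: Azure/connectors-python-sdk
      isDraft: true
      assets: $(Build.ArtifactStagingDirectory)/dist/*
EOF
}

# Returns 0 only when the legacy fragment is flagged and the rewritten one is clean.
verify_rewrite() {
  before=$(mktemp) && after=$(mktemp) || return 1
  write_before "$before"; write_after "$after"
  before_rc=0; check_release_template "$before" 2>/dev/null || before_rc=$?
  after_rc=0;  check_release_template "$after" 2>/dev/null || after_rc=$?
  rm -f "$before" "$after"
  [ "$before_rc" -eq 1 ] && [ "$after_rc" -eq 0 ]
}
verify_rewrite && echo "release templates are free of inline PAT usage"
```

Point `check_release_template` at the real files under eng/templates/official/jobs/ in a PR CI step to keep the PAT patterns from creeping back in.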

@daviburg daviburg requested a review from a team as a code owner June 17, 2026 22:29

Copilot AI left a comment

Pull request overview

This PR updates the Azure Pipelines release templates to eliminate inline GitHub PAT usage and instead rely on persisted checkout credentials for git operations and an explicit Azure Pipelines GitHub service connection for GitHub Release creation.

Changes:

  • Switch release branch/tag operations to checkout: self with persistCredentials: true instead of embedding $(GithubUser):$(GithubPat) in remote URLs.
  • Replace custom PowerShell GitHub REST calls with GitHubRelease@1 using a configurable githubServiceConnection parameter.
  • Thread the new githubServiceConnection parameter through the top-level eng/ci/library-release.yml pipeline.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

Reviewed files:

  • eng/templates/official/jobs/publish-release.yml: Removes PAT-based clone/REST calls; uses persisted checkout creds for tagging and GitHubRelease@1 for draft release + asset upload.
  • eng/templates/official/jobs/bump-version.yml: Removes PAT-based remote URL and makes checkout credential persistence explicit for pushing the release branch.
  • eng/ci/library-release.yml: Adds and passes githubServiceConnection to the release job template to make GitHub Release identity configurable.

@daviburg daviburg requested a review from hallvictoria June 18, 2026 19:05
@daviburg daviburg merged commit 7f8df97 into main Jun 25, 2026
17 checks passed
@daviburg daviburg deleted the security/remove-python-release-pat branch June 25, 2026 07:43