diff --git a/.pipelines/Package-Official.yml b/.pipelines/Package-Official.yml index 9b88ddcd..f08da0b5 100644 --- a/.pipelines/Package-Official.yml +++ b/.pipelines/Package-Official.yml @@ -52,8 +52,7 @@ extends: Network: KS3 WindowsHostVersion: Version: 2022 - # Azure container/blob operations get blocked when using KS3 - Network: KS2 + Network: KS3 globalSdl: disableLegacyManifest: true # disabled Armorty as we dont have any ARM templates to scan. It fails on some sample ARM templates. diff --git a/.pipelines/Release-Official.yml b/.pipelines/Release-Official.yml index 1cfd923a..d933f584 100644 --- a/.pipelines/Release-Official.yml +++ b/.pipelines/Release-Official.yml @@ -5,6 +5,10 @@ parameters: # parameters are shown up in ADO UI in a build queue time displayName: 'Enable debug output' type: boolean default: false + - name: 'publish' + displayName: 'Publish artifacts' + type: boolean + default: true variables: - name: CDP_DEFINITION_BUILD_COUNT @@ -36,6 +40,8 @@ resources: extends: template: v2/OneBranch.Official.CrossPlat.yml@templates parameters: + release: + category: NonAzure cloudvault: enabled: false featureFlags: @@ -43,8 +49,7 @@ extends: Network: KS3 WindowsHostVersion: Version: 2022 - # Azure container/blob operations get blocked when using KS3 - Network: KS2 + Network: KS3 globalSdl: asyncSdl: enabled: true 
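Review bot: Nothing on the new `Network: KS3` line for the Windows host says whether the limitation recorded in the deleted comment (Azure container/blob operations being blocked on KS3) still applies. If the block has been lifted, or this pipeline no longer performs those operations, record that beside the new value, for example `# KS3 is sufficient: no Azure container/blob access is needed from this pool` (wording to be confirmed by the author). Otherwise the next person to hit a blocked upload has no trail back to the earlier workaround. The same replacement is made in the `@@ -43,8 +49,7 @@` hunk of Release-Official.yml, and the enclosing `featureFlags` mapping starts above both hunks.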
@@ -108,22 +113,28 @@ extends: dependsOn: UpdateChangeLog jobs: - template: /.pipelines/templates/release-publish-github.yml@self + parameters: + publish: ${{ parameters.publish }} - stage: PublishNuGet displayName: Publish NuGet dependsOn: PublishGitHubRelease + variables: + ob_release_environment: Production jobs: - template: /.pipelines/templates/release-publish-nuget.yml@self parameters: - publish: true + publish: ${{ parameters.publish }} - stage: PublishModule displayName: Publish Module dependsOn: PublishGitHubRelease + variables: + ob_release_environment: Production jobs: - template: /.pipelines/templates/release-publish-module.yml@self parameters: - publish: true + publish: ${{ parameters.publish }} - stage: PublishMsix dependsOn: PublishGitHubRelease diff --git a/.pipelines/templates/module-package.yml b/.pipelines/templates/module-package.yml index 44ed6d66..f64bfdcd 100644 --- a/.pipelines/templates/module-package.yml +++ b/.pipelines/templates/module-package.yml @@ -17,7 +17,7 @@ jobs: - group: DotNetPrivateBuildAccess - group: certificate_logical_to_actual - name: ob_sdl_sbom_enabled - value: false + value: true - name: ob_outputDirectory value: '$(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT' - name: repoRoot diff --git a/.pipelines/templates/nupkg-package.yml b/.pipelines/templates/nupkg-package.yml index 6cce9a33..b4ff8db9 100644 --- a/.pipelines/templates/nupkg-package.yml +++ b/.pipelines/templates/nupkg-package.yml @@ -26,7 +26,7 @@ jobs: - group: mscodehub-feed-read-akv - group: DotNetPrivateBuildAccess - name: ob_sdl_sbom_enabled - value: false + value: true - name: ob_sdl_codeql_compiled_enabled value: false diff --git a/.pipelines/templates/release-publish-github.yml b/.pipelines/templates/release-publish-github.yml index 19590865..e87cf4c1 100644 --- a/.pipelines/templates/release-publish-github.yml +++ b/.pipelines/templates/release-publish-github.yml 
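Review bot: `PublishMsix`, at the end of this hunk, is not shown receiving `publish: ${{ parameters.publish }}`, unlike the GitHub, NuGet and Module stages, so a run queued with `publish` unchecked may still publish the MSIX. The stage body lies outside the hunk, so this needs checking against the full file; if it calls a publishing template, pass the same parameter there. `ob_release_environment: Production` is likewise added only to `PublishNuGet` and `PublishModule`, and whether the other publishing stages need it is not visible here.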
@@ -1,3 +1,8 @@ +parameters: + - name: publish + default: false + type: boolean + jobs: - job: GithubReleaseDraft displayName: Create GitHub Release Draft @@ -84,6 +89,7 @@ jobs: $description = '' Publish-ReleaseDraft -Tag $releaseTag -Name "$releaseTag Release of AIShell" -Description $description -User PowerShell -Repository AIShell -PackageFolder $(PackagesRoot) -Token $(GitHubReleasePat) displayName: Publish Release Draft + condition: and(ne('${{ parameters.publish }}', 'false'), succeeded()) - template: /.pipelines/templates/wait-for-approval.yml@self parameters: diff --git a/.pipelines/templates/release-publish-module.yml b/.pipelines/templates/release-publish-module.yml index 930856da..8ddb04b5 100644 --- a/.pipelines/templates/release-publish-module.yml +++ b/.pipelines/templates/release-publish-module.yml @@ -6,9 +6,15 @@ parameters: jobs: - job: ModulePublish displayName: Publish to PSGallery + pool: + type: release + os: windows + templateContext: + inputs: + - input: pipelineArtifact + pipeline: AIShellPackagePipeline + artifactName: drop_module_package variables: - - name: ob_outputDirectory - value: '$(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT' # Disable SBOM, signing, and codeQL for this job - name: ob_sdl_sbom_enabled value: false @@ -16,16 +22,13 @@ jobs: value: false - name: ob_sdl_codeql_compiled_enabled value: false - pool: - type: windows steps: - - download: AIShellPackagePipeline - artifact: drop_module_package - displayName: Download module package - - - pwsh: | - Get-ChildItem '$(Pipeline.Workspace)/AIShellPackagePipeline/drop_module_package/*.nupkg' -recurse + - task: PowerShell@2 + inputs: + targetType: 'inline' + script: | + Get-ChildItem '$(Pipeline.Workspace)/*.nupkg' -recurse displayName: List nupkg package - task: NuGetCommand@2 
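Review bot: The condition added to `Publish Release Draft` fails open, because `ne('${{ parameters.publish }}', 'false')` runs the step for every value other than the literal false. The parameter is typed `boolean`, so this holds today, but a positive test keeps the step off if the type or the caller ever changes: `condition: and(succeeded(), eq('${{ parameters.publish }}', 'true'))`. The same `ne(..., 'false')` form appears as context in release-publish-module.yml and release-publish-nuget.yml. The `wait-for-approval.yml` template that follows carries no condition in the visible lines, so a run with `publish: false` may still stop for approval.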
@@ -33,6 +36,6 @@ jobs: condition: and(ne('${{ parameters.publish }}', 'false'), succeeded()) inputs: command: push - packagesToPush: '$(Pipeline.Workspace)/AIShellPackagePipeline/drop_module_package/*.nupkg' + packagesToPush: '$(Pipeline.Workspace)/*.nupkg' nuGetFeedType: external publishFeedCredentials: PowerShellGallery-dongbow diff --git a/.pipelines/templates/release-publish-nuget.yml b/.pipelines/templates/release-publish-nuget.yml index dcca93ff..2eb7d515 100644 --- a/.pipelines/templates/release-publish-nuget.yml +++ b/.pipelines/templates/release-publish-nuget.yml @@ -8,19 +8,28 @@ jobs: displayName: Publish to NuGet condition: succeeded() pool: - type: windows + type: release + os: windows + templateContext: + inputs: + - input: pipelineArtifact + pipeline: AIShellPackagePipeline + artifactName: drop_nupkg_package variables: - - group: 'mscodehub-code-read-akv' - - name: ob_outputDirectory - value: '$(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT' + # Disable SBOM, signing, and codeQL for this job + - name: ob_sdl_sbom_enabled + value: false + - name: ob_signing_setup_enabled + value: false + - name: ob_sdl_codeql_compiled_enabled + value: false steps: - - download: AIShellPackagePipeline - artifact: drop_nupkg_package - displayName: Download nuget packages - - - pwsh: | - Get-ChildItem '$(Pipeline.Workspace)/AIShellPackagePipeline/drop_nupkg_package/*.nupkg' -recurse + - task: PowerShell@2 + inputs: + targetType: 'inline' + script: | + Get-ChildItem '$(Pipeline.Workspace)/*.nupkg' -recurse displayName: List nupkg package - task: NuGetCommand@2 @@ -28,6 +37,6 @@ jobs: condition: and(ne('${{ parameters.publish }}', 'false'), succeeded()) inputs: command: push - packagesToPush: '$(Pipeline.Workspace)/AIShellPackagePipeline/drop_nupkg_package/*.nupkg' + packagesToPush: '$(Pipeline.Workspace)/*.nupkg' nuGetFeedType: external publishFeedCredentials: PowerShellNuGetOrgPush
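Review bot: `packagesToPush: '$(Pipeline.Workspace)/*.nupkg'` no longer names the artifact, so the PowerShell Gallery push takes whatever `.nupkg` sits at the workspace root rather than only the contents of `drop_module_package`. Scope the pattern to the directory the `pipelineArtifact` input downloads into (that path is not visible in this diff), so that a stray or additional package cannot be published under the gallery credential. The listing step added in the previous hunk uses `-recurse` while this pattern is not recursive, so the log may list packages the push does not match, or the push may match nothing if the artifact lands in a subfolder. The `@@ -28,6 +37,6 @@` hunk of release-publish-nuget.yml has the same pattern for the nuget.org push.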
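Review bot: The added comment `# Disable SBOM, signing, and codeQL for this job` in release-publish-nuget.yml says what is switched off but not why that is acceptable for a job that pushes to nuget.org. If the packages are already signed and inventoried by AIShellPackagePipeline, say so, for example `# Packages arrive signed from AIShellPackagePipeline; this job only pushes them, so SBOM, signing setup and CodeQL are not needed here`. With `ob_signing_setup_enabled` false, nothing visible in this job checks that the downloaded `.nupkg` files carry a signature before the push. A verification step ahead of `NuGetCommand@2` would close that gap.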