I learned that when you pass signingIdentity, and provisioningProfileUuid that Xcode (starting Xcode14) applies these to every target (even the target from SPM packages). I then changed the @Xcode@5 task to use exported plist option instead where I could set the method to enterprise and configure the profile and certificate for Release scheme.

This is the task I am using in Azure DevOps pipeline. - task: Xcode@5 inputs: actions: 'build' scheme: 'redacted' signingOption: 'manual' signingIdentity: '$(APPLE_CERTIFICATE_SIGNING_IDENTITY)' provisioningProfileUuid: '$(APPLE_PROV_PROFILE_UUID)' sdk: 'iphoneos' configuration: 'Release' xcWorkspacePath: '**/*.xcodeproj/project.xcworkspace' xcodeVersion: 'specifyPath' xcodeDeveloperDir: '/Applications/Xcode_15.4.app' packageApp: true archivePath: '$(Build.BinariesDirectory)/build/' exportPath: '$(Build.BinariesDirectory)/build/' useXCPretty: false`

I guess I can answer the 2nd part of my own question. Xcode Cloud can be used for repository, building and managing apps. And TestFlight and App Store facilitate crash reports that can be analyzed directly with Crashes organizer in Xcode.