From 1c9a13d2d4f589b8fd36e3b36353d2dd480b64c1 Mon Sep 17 00:00:00 2001
From: "Matt Mitchell (.NET)" <mmitche@microsoft.com>
Date: Thu, 19 Mar 2026 08:02:58 -0700
Subject: [PATCH 1/3] Enable CFSClean policies and use dotnet-public feed for
 winget CLI

- Add networkIsolationPolicy: Permissive, CFSClean, CFSClean2 to
  the 1ES official pipeline template parameters
- Switch winget CLI installation from PSGallery to dotnet-public
  Azure Artifacts feed to comply with CFSClean network restrictions

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 eng/pipelines/azure-pipelines.yml                   | 2 ++
 eng/pipelines/templates/prepare-winget-manifest.yml | 9 +++++++--
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/eng/pipelines/azure-pipelines.yml b/eng/pipelines/azure-pipelines.yml
index 5850f2ee702..cf8aba64690 100644
--- a/eng/pipelines/azure-pipelines.yml
+++ b/eng/pipelines/azure-pipelines.yml
@@ -105,6 +105,8 @@ resources:
 extends:
   template: v1/1ES.Official.PipelineTemplate.yml@1ESPipelineTemplates
   parameters:
+    settings:
+      networkIsolationPolicy: Permissive, CFSClean, CFSClean2
     featureFlags:
       autoEnablePREfastWithNewRuleset: false
       autoEnableRoslynWithNewRuleset: false
diff --git a/eng/pipelines/templates/prepare-winget-manifest.yml b/eng/pipelines/templates/prepare-winget-manifest.yml
index 386837a2749..256964e5617 100644
--- a/eng/pipelines/templates/prepare-winget-manifest.yml
+++ b/eng/pipelines/templates/prepare-winget-manifest.yml
@@ -57,8 +57,13 @@ steps:
     displayName: 🟣Set version ${{ parameters.version }}
 
   - pwsh: |
-      Write-Host "Installing Microsoft.WinGet.Client from PSGallery..."
-      Install-PSResource -Name Microsoft.WinGet.Client -Repository PSGallery -TrustRepository
+      Write-Host "Registering dotnet-public feed as PSResource repository..."
+      Register-PSResourceRepository -Name 'dotnet-public' `
+        -Uri 'https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public/nuget/v3/index.json' `
+        -Trusted
+
+      Write-Host "Installing Microsoft.WinGet.Client from dotnet-public feed..."
+      Install-PSResource -Name Microsoft.WinGet.Client -Repository 'dotnet-public' -TrustRepository
 
       Write-Host "Microsoft.WinGet.Client installed. Listing installed version:"
       Get-Module -ListAvailable Microsoft.WinGet.Client | Select-Object Name, Version | Format-Table

From 2bc919370bd2c7804fe99eba297252216a2df336 Mon Sep 17 00:00:00 2001
From: Ankit Jain <radical@gmail.com>
Date: Mon, 23 Mar 2026 15:18:43 -0400
Subject: [PATCH 2/3] Update
 eng/pipelines/templates/prepare-winget-manifest.yml

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 .../templates/prepare-winget-manifest.yml       | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/eng/pipelines/templates/prepare-winget-manifest.yml b/eng/pipelines/templates/prepare-winget-manifest.yml
index 256964e5617..26231ea2da3 100644
--- a/eng/pipelines/templates/prepare-winget-manifest.yml
+++ b/eng/pipelines/templates/prepare-winget-manifest.yml
@@ -57,14 +57,19 @@ steps:
     displayName: 🟣Set version ${{ parameters.version }}
 
   - pwsh: |
-      Write-Host "Registering dotnet-public feed as PSResource repository..."
-      Register-PSResourceRepository -Name 'dotnet-public' `
-        -Uri 'https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public/nuget/v3/index.json' `
-        -Trusted
+      $repoName = 'dotnet-public'
+      $repoUri = 'https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public/nuget/v3/index.json'
 
-      Write-Host "Installing Microsoft.WinGet.Client from dotnet-public feed..."
-      Install-PSResource -Name Microsoft.WinGet.Client -Repository 'dotnet-public' -TrustRepository
+      Write-Host "Ensuring PSResource repository '$repoName' is registered..."
+      $existingRepo = Get-PSResourceRepository -Name $repoName -ErrorAction SilentlyContinue
+      if ($null -eq $existingRepo) {
+        Register-PSResourceRepository -Name $repoName -Uri $repoUri -Trusted
+      } else {
+        Write-Host "PSResource repository '$repoName' is already registered. Skipping registration."
+      }
 
+      Write-Host "Installing Microsoft.WinGet.Client from $repoName feed..."
+      Install-PSResource -Name Microsoft.WinGet.Client -Repository $repoName -TrustRepository
       Write-Host "Microsoft.WinGet.Client installed. Listing installed version:"
       Get-Module -ListAvailable Microsoft.WinGet.Client | Select-Object Name, Version | Format-Table
 

From f564e75d1b907b71a74f2cd0df7d58c0bbd2788f Mon Sep 17 00:00:00 2001
From: Ankit Jain <radical@gmail.com>
Date: Mon, 23 Mar 2026 15:19:18 -0400
Subject: [PATCH 3/3] Update eng/pipelines/azure-pipelines.yml

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 eng/pipelines/azure-pipelines.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/eng/pipelines/azure-pipelines.yml b/eng/pipelines/azure-pipelines.yml
index cf8aba64690..d6653237165 100644
--- a/eng/pipelines/azure-pipelines.yml
+++ b/eng/pipelines/azure-pipelines.yml
@@ -106,7 +106,7 @@ extends:
   template: v1/1ES.Official.PipelineTemplate.yml@1ESPipelineTemplates
   parameters:
     settings:
-      networkIsolationPolicy: Permissive, CFSClean, CFSClean2
+      networkIsolationPolicy: Permissive,CFSClean,CFSClean2
     featureFlags:
       autoEnablePREfastWithNewRuleset: false
       autoEnableRoslynWithNewRuleset: false