Enable CFSClean policies and use dotnet-public feed for winget CLI #15442

Open: mmitche wants to merge 1 commit into microsoft:main from mmitche:enable-cfsclean-main

mmitche (Member) commented Mar 20, 2026

  • Add networkIsolationPolicy: Permissive, CFSClean, CFSClean2 to the 1ES official pipeline template parameters
  • Switch winget CLI installation from PSGallery to dotnet-public Azure Artifacts feed to comply with CFSClean network restrictions

Description

Please include a summary of the changes and the related issue. Please also include relevant motivation and context. List any dependencies that are required for this change.

Fixes # (issue)

Checklist

  • Is this feature complete?
    • Yes. Ready to ship.
    • No. Follow-up changes expected.
  • Are you including unit tests for the changes and scenario tests if relevant?
    • Yes
    • No
  • Did you add public API?
    • Yes
      • If yes, did you have an API Review for it?
        • Yes
        • No
      • Did you add <remarks /> and <code /> elements on your triple slash comments?
        • Yes
        • No
    • No
  • Does the change make any security assumptions or guarantees?
    • Yes
      • If yes, have you done a threat model and had a security review?
        • Yes
        • No
    • No
  • Does the change require an update in our Aspire docs?

- Add networkIsolationPolicy: Permissive, CFSClean, CFSClean2 to
  the 1ES official pipeline template parameters
- Switch winget CLI installation from PSGallery to dotnet-public
  Azure Artifacts feed to comply with CFSClean network restrictions

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings March 20, 2026 16:46
github-actions (Contributor) commented
🚀 Dogfood this PR with:

⚠️ WARNING: Do not do this without first carefully reviewing the code of this PR to satisfy yourself it is safe.

curl -fsSL https://raw.githubusercontent.com/dotnet/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 15442

Or

  • Run remotely in PowerShell:
iex "& { $(irm https://raw.githubusercontent.com/dotnet/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 15442"

mmitche (Member, Author) commented Mar 20, 2026

Copilot AI (Contributor) left a comment

Pull request overview

Updates the official Azure Pipelines configuration to support CFSClean network isolation policies and adjusts WinGet CLI prep to install the required PowerShell WinGet client module from the dotnet-public Azure Artifacts feed instead of PSGallery, aligning with CFSClean restrictions.

Changes:

  • Adds networkIsolationPolicy settings to the 1ES official pipeline template parameters.
  • Switches Microsoft.WinGet.Client installation to use the dotnet-public feed by registering it as a PSResource repository.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File | Description
eng/pipelines/templates/prepare-winget-manifest.yml | Registers dotnet-public as a PSResource repository and installs Microsoft.WinGet.Client from it before running WinGet manifest generation/validation.
eng/pipelines/azure-pipelines.yml | Adds 1ES settings.networkIsolationPolicy to enable CFSClean/CFSClean2 policies alongside Permissive.

Comment on lines +45 to 52
Write-Host "Registering dotnet-public feed as PSResource repository..."
Register-PSResourceRepository -Name 'dotnet-public' `
-Uri 'https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public/nuget/v3/index.json' `
-Trusted

Write-Host "Installing Microsoft.WinGet.Client from dotnet-public feed..."
Install-PSResource -Name Microsoft.WinGet.Client -Repository 'dotnet-public' -TrustRepository
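Review bot: The Install-PSResource call on the last line has no -Version, so every run of this official pipeline installs whatever Microsoft.WinGet.Client version the dotnet-public feed serves at that moment. Pin the module to the exact version the team has validated by adding -Version to that call, so that a new upload to the feed cannot change what executes in the job without a reviewed change to this file.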

Copilot AI, Mar 20, 2026

Register-PSResourceRepository -Name 'dotnet-public' can fail on re-runs or on agents where the repository is already present, which would break the job before WinGet installation. Make the registration idempotent (e.g., check Get-PSResourceRepository first and update/skip, or register with an overwrite/force option if supported).

Suggested change
Write-Host "Registering dotnet-public feed as PSResource repository..."
Register-PSResourceRepository -Name 'dotnet-public' `
-Uri 'https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public/nuget/v3/index.json' `
-Trusted
Write-Host "Installing Microsoft.WinGet.Client from dotnet-public feed..."
Install-PSResource -Name Microsoft.WinGet.Client -Repository 'dotnet-public' -TrustRepository
$repoName = 'dotnet-public'
$repoUri = 'https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public/nuget/v3/index.json'
Write-Host "Ensuring PSResource repository '$repoName' is registered..."
$existingRepo = Get-PSResourceRepository -Name $repoName -ErrorAction SilentlyContinue
if ($null -eq $existingRepo) {
Register-PSResourceRepository -Name $repoName -Uri $repoUri -Trusted
} else {
Write-Host "PSResource repository '$repoName' is already registered. Skipping registration."
}
Write-Host "Installing Microsoft.WinGet.Client from $repoName feed..."
Install-PSResource -Name Microsoft.WinGet.Client -Repository $repoName -TrustRepository
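Review bot: The else branch of the suggested change accepts any repository already registered under the name 'dotnet-public' without comparing its Uri to $repoUri, so an agent carrying a stale or different registration under that name would install Microsoft.WinGet.Client from that location instead. In the else branch, compare $existingRepo.Uri with $repoUri and either fail the step or re-register the repository when they differ.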

template: v1/1ES.Official.PipelineTemplate.yml@1ESPipelineTemplates
parameters:
settings:
networkIsolationPolicy: Permissive, CFSClean, CFSClean2
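Review bot: The networkIsolationPolicy line is added with no adjacent comment saying why Permissive is kept alongside CFSClean and CFSClean2, so a later reader cannot tell from these lines what enforcement level is intended for this pipeline. Add a one-line YAML comment above it stating the intent and pointing to the policy documentation the team relies on.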
Copilot AI, Mar 20, 2026

networkIsolationPolicy is currently set to Permissive, CFSClean, CFSClean2 with spaces. Elsewhere in this repo the value is documented/used without spaces (e.g. comment references Permissive,CFSClean in eng/pipelines/release-publish-nuget.yml), and some templates parse this as a comma-delimited list. Consider removing spaces (or using an explicit YAML list, if the 1ES template supports it) to avoid the value being misparsed.

Suggested change
networkIsolationPolicy: Permissive, CFSClean, CFSClean2
networkIsolationPolicy: Permissive,CFSClean,CFSClean2
