From 220283d5fa02f538985b4518109b0fffe5c3cad1 Mon Sep 17 00:00:00 2001
From: Eric StJohn
Date: Wed, 8 Oct 2025 09:50:51 -0700
Subject: [PATCH 1/2] Test just CFSClean networkIsolationPolicy See https://eng.ms/docs/cloud-ai-platform/devdiv/one-engineering-system-1es/1es-build/cloudbuild/security/1espt-network-isolation `CFSClean` will apply policy that blocks public package manager endpoints. `Permissive` allows everything else, but we shouldn't do this by default. Let's try being more restrictive and only add `Permissive` if we don't have more granular policies to enable.
---
 eng/pipelines/azure-pipelines.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/eng/pipelines/azure-pipelines.yml b/eng/pipelines/azure-pipelines.yml
index 577c2ae399..886239e19c 100644
--- eng/pipelines/azure-pipelines.yml
+++ eng/pipelines/azure-pipelines.yml
@@ -32,7 +32,7 @@ extends:
 image: 1es-windows-2022
 os: windows
 settings:
- networkIsolationPolicy: Permissive,CFSClean
+ networkIsolationPolicy: CFSClean
 stages:
 - stage: build
 displayName: Build
@@ -66,3 +66,4 @@ extends:
 enableSigningValidation: false
 symbolPublishingAdditionalParameters: /p:PublishToSymWeb=false /p:PublishToMSDL=false
+
From 3b82e6da0ae6a3580908c1562dc813806fb08120 Mon Sep 17 00:00:00 2001
From: Eric StJohn
Date: Wed, 8 Oct 2025 13:32:16 -0700
Subject: [PATCH 2/2] Use Preferred networkIsolationPolicy
---
 eng/pipelines/azure-pipelines.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/eng/pipelines/azure-pipelines.yml b/eng/pipelines/azure-pipelines.yml
index 886239e19c..d83c30100f 100644
--- eng/pipelines/azure-pipelines.yml
+++ eng/pipelines/azure-pipelines.yml
@@ -32,7 +32,7 @@ extends:
 image: 1es-windows-2022
 os: windows
 settings:
- networkIsolationPolicy: CFSClean
+ networkIsolationPolicy: Preferred,CFSClean
 stages:
 - stage: build
 displayName: Build
@@ -67,3 +67,4 @@ extends:
 symbolPublishingAdditionalParameters: /p:PublishToSymWeb=false /p:PublishToMSDL=false
+
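Review bot: The reason for dropping `Permissive` in the first `@@ -32,7 +32,7 @@` hunk of PATCH 1/2 is recorded only in the commit message, so a later reader of `azure-pipelines.yml` sees a bare `networkIsolationPolicy: CFSClean` with nothing marking it as a deliberate restriction. A comment above the setting would make an accidental loosening easier to catch in review, for example `# CFSClean blocks public package manager endpoints; Permissive was removed on purpose, do not re-add without a documented need`. The subject calls this a test, so the description should also say which pipeline run confirmed that restore and build still pass under the tighter policy. The `extends:` block begins and ends outside the hunk.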
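Review bot: In the `@@ -32,7 +32,7 @@` hunk of PATCH 2/2, `Preferred` is added next to `CFSClean` with no description, so the patch does not show what traffic it admits or which step failed under `CFSClean` alone. The first commit stated that a broader policy should be added only where no more granular one exists, and this change gives no evidence that the condition was met. The description should name the blocked endpoint or build step that motivated it. It should also confirm that public package manager endpoints remain blocked with the combined value `Preferred,CFSClean`; the policy semantics are not visible here, so this is a question to answer rather than a confirmed regression. A short comment on the setting, such as `# Preferred added for <step/endpoint>; CFSClean keeps public feeds blocked`, would keep that rationale with the configuration.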