PowerShell · andyleejordan · Mar 5, 2026 · Mar 5, 2026 · Mar 5, 2026 · Mar 6, 2026
diff --git a/.cargo/config.toml b/.cargo/config.toml
@@ -3,7 +3,10 @@
 registry-auth = true
 
 [registries]
-POWERSHELL = { index = "sparse+https://pkgs.dev.azure.com/powershell/PowerShell/_packaging/powershell/Cargo/index/" }
+DSCCargoMirror = { index = "sparse+https://pkgs.dev.azure.com/msazure/One/_packaging/DSCCargoMirror/Cargo/index/" }
+
+[source.crates-io]
+replace-with = "DSCCargoMirror"
 
 [registry]
 global-credential-providers = ["cargo:token"]
@@ -36,10 +39,6 @@ rustflags = [
     "-Dwarnings"
 ]
 
-# The following is only needed for release builds
-[source.crates-io]
-replace-with = "POWERSHELL"
-
 # Enable running `cargo xtask <command>`
 [alias]
 xtask = "run --package xtask --"
diff --git a/.github/instructions/instructions.md b/.github/instructions/instructions.md
@@ -416,7 +416,6 @@ The build script automatically installs these. If issues persist:
 | `-UseCFS` | Switch | Use Component Framework Service |
 | `-UpdateLockFile` | Switch | Update Cargo.lock file |
 | `-Audit` | Switch | Run cargo audit for security vulnerabilities |
-| `-UseCFSAuth` | Switch | Use CFS authentication |
 | `-Clean` | Switch | Clean build artifacts before building |
 | `-CacheRustBuild` | Switch | Cache Rust build artifacts |
 | `-RustDocs` | Switch | Generate Rust documentation |

diff --git a/.pipelines/DSC-Official.yml b/.pipelines/DSC-Official.yml
@@ -65,7 +65,6 @@ extends:
         forStages: [Build]
         credscan:
           enabled: true
-          scanFolder:  $(System.DefaultWorkingDirectory)
         binskim:
           enabled: true
         apiscan:
@@ -83,44 +82,29 @@ extends:
           type: windows
           vmImage: windows-latest
         variables:
-          repoRoot: '$(System.DefaultWorkingDirectory)\DSC'
-          ob_sdl_tsa_configFile: '$(System.DefaultWorkingDirectory)\.config\tsaoptions.json'
           ob_outputDirectory: '$(Build.ArtifactStagingDirectory)'
           ob_sdl_sbom_enabled: false
           ob_signing_setup_enabled: false
           ob_sdl_codeql_compiled_enabled: false
         steps:
-        - checkout: self
         - pwsh: |
-            Write-Verbose -Verbose (Get-ChildItem '$(repoRoot)' | Out-String)
-            $packageVersion = $(repoRoot)/packaging.ps1 -GetPackageVersion
+            $packageVersion = ./packaging.ps1 -GetPackageVersion
             $vstsCommandString = "vso[task.setvariable variable=Version;isoutput=true]$packageVersion"
             Write-Host ("sending " + $vstsCommandString)
             Write-Host "##$vstsCommandString"
           name: Package
           displayName: Set Package Version
-        - task: AzureCLI@2
-          displayName: Get Az Token
-          inputs:
-            azureSubscription: PowerShell-CICD-Feed-Access
-            scriptType: pscore
-            scriptLocation: inlineScript
-            inlineScript: |
-              $token = az account get-access-token --query accessToken --resource 499b84ac-1321-427f-aa17-267ca6975798 -o tsv
-              $vstsCommandString = "vso[task.setvariable variable=AzToken;isoutput=true]$token"
-              Write-Host "Setting token"
-              Write-Host "##$vstsCommandString"
 
       - job: BuildWin_x64
         dependsOn: SetPackageVersion
         variables:
-          ob_sdl_tsa_configFile: '$(System.DefaultWorkingDirectory)\.config\tsaoptions.json'
           ob_outputDirectory: '$(Build.ArtifactStagingDirectory)'
           signSrcPath: '$(System.DefaultWorkingDirectory)\out'
-          AzToken: $[ dependencies.SetPackageVersion.outputs['AzToken'] ]
           ob_sdl_sbom_enabled: true
           ob_signing_setup_enabled: true
           ob_sdl_codeql_compiled_enabled: true
+          ob_symbolsPublishing_enabled: true
+          ob_symbolsPublishing_indexSources: true
         pool:
           type: windows
         steps:
@@ -129,19 +113,18 @@ extends:
             buildName: x86_64-pc-windows-msvc
             signSrcPath: '$(signSrcPath)'
             PackageRoot: '$(PackageRoot)'
-            aztoken: '$(AzToken)'
             rustSDK: '$(Rust.SDK)'
 
       - job: BuildWin_arm64
         dependsOn: SetPackageVersion
         variables:
-          ob_sdl_tsa_configFile: '$(System.DefaultWorkingDirectory)\.config\tsaoptions.json'
           ob_outputDirectory: '$(Build.ArtifactStagingDirectory)'
           signSrcPath: '$(System.DefaultWorkingDirectory)\out'
-          AzToken: $[ dependencies.SetPackageVersion.outputs['AzToken'] ]
           ob_sdl_sbom_enabled: true
           ob_signing_setup_enabled: true
           ob_sdl_codeql_compiled_enabled: true
+          ob_symbolsPublishing_enabled: true
+          ob_symbolsPublishing_indexSources: true
         pool:
           type: windows
         steps:
@@ -150,7 +133,6 @@ extends:
             buildName: aarch64-pc-windows-msvc
             signSrcPath: '$(signSrcPath)'
             PackageRoot: '$(PackageRoot)'
-            aztoken: '$(AzToken)'
             rustSDK: '$(Rust.SDK)'
 
       - job: CreateMsixBundle
@@ -159,32 +141,24 @@ extends:
           - BuildWin_arm64
         variables:
           ob_outputDirectory: '$(Build.ArtifactStagingDirectory)'
-          ob_sdl_tsa_configFile: '$(System.DefaultWorkingDirectory)\.config\tsaoptions.json'
-          ob_symbolsPublishing_enabled: true
-          ob_symbolsPublishing_symbolsFolder: '$(System.DefaultWorkingDirectory)\DSC\bin'
-          ob_symbolsPublishing_searchPattern: '**/*.pdb'
-          ob_symbolsPublishing_indexSources: true
           ob_sdl_sbom_enabled: false
           ob_signing_setup_enabled: false
           ob_sdl_codeql_compiled_enabled: false
-          ob_restore_phase: true
         pool:
           type: windows
         steps:
-        - checkout: self
         - download: current
           artifact: drop_BuildAndSign_BuildWin_x64
           patterns: '*.msix'
         - download: current
           artifact: drop_BuildAndSign_BuildWin_arm64
           patterns: '*.msix'
         - pwsh: |
-            Set-Location "$(System.DefaultWorkingDirectory)\DSC"
             $null = New-Item -ItemType Directory -Path "./bin/msix" -Force -ErrorAction Ignore
             Copy-Item "$(Pipeline.Workspace)/drop_BuildAndSign_BuildWin_x64/*.msix" ./bin/msix -Verbose
             Copy-Item "$(Pipeline.Workspace)/drop_BuildAndSign_BuildWin_arm64/*.msix" ./bin/msix -Verbose
-            ./build.ps1 -PackageType msixbundle
-            Copy-Item "$(System.DefaultWorkingDirectory)/DSC/bin/*.msixbundle" "$(ob_outputDirectory)"
+            ./build.ps1 -Release -PackageType msixbundle
+            Copy-Item "./bin/*.msixbundle" "$(ob_outputDirectory)"
           displayName: 'Create msixbundle'
           condition: succeeded()
 
@@ -302,29 +276,24 @@ extends:
         variables:
           LinuxContainerImage: 'onebranch.azurecr.io/linux/ubuntu-2204:latest'
           PackageVersion: $[ dependencies.SetPackageVersion.outputs['Package.Version'] ]
-          AzToken: $[ dependencies.SetPackageVersion.outputs['AzToken'] ]
           ob_outputDirectory: '$(Build.ArtifactStagingDirectory)'
-          ob_linuxSymbolsPublishing_enabled: true
-          ob_linuxSymbolsPublishing_symbolsFolder: '$(System.DefaultWorkingDirectory)/DSC/bin'
-          ob_linuxSymbolsPublishing_searchPattern: '**/*.dbg'
         displayName: Linux-x64-musl
         pool:
           type: linux
         steps:
         - task: RustInstaller@1
           inputs:
-            rustVersion: ms-stable
+            rustVersion: ms-prod-1.93
             toolchainFeed: $(Rust.SDK)
             additionalTargets: x86_64-unknown-linux-musl
           displayName: Install Rust
-          env:
-            ob_restore_phase: true
+        - task: CargoAuthenticate@0
+          inputs:
+            configFile: '.cargo/config.toml'
+          displayName: Authenticate with Azure Artifacts
         - pwsh: |
             apt update
             apt -y install musl-tools rpm dpkg build-essential protobuf-compiler
-            $header = "Bearer $(AzToken)"
-            $env:CARGO_REGISTRIES_POWERSHELL_TOKEN = $header
-            $env:CARGO_REGISTRIES_POWERSHELL_CREDENTIAL_PROVIDER = 'cargo:token'
             ./build.ps1 -Release -Architecture x86_64-unknown-linux-musl
             ./packaging.ps1 -PackageType tgz -Architecture x86_64-unknown-linux-musl -Release
             ./packaging.ps1 -PackageType rpm -Architecture x86_64-unknown-linux-musl -Release
@@ -340,32 +309,22 @@ extends:
         variables:
           LinuxContainerImage: 'onebranch.azurecr.io/linux/ubuntu-2204-arm64:latest'
           PackageVersion: $[ dependencies.SetPackageVersion.outputs['Package.Version'] ]
-          AzToken: $[ dependencies.SetPackageVersion.outputs['AzToken'] ]
           ob_outputDirectory: '$(Build.ArtifactStagingDirectory)'
-          ob_linuxSymbolsPublishing_enabled: true
-          ob_linuxSymbolsPublishing_symbolsFolder: '$(System.DefaultWorkingDirectory)/DSC/bin'
-          ob_linuxSymbolsPublishing_searchPattern: '**/*.dbg'
         displayName: Linux-ARM64-musl
         pool:
           type: linux
           hostArchitecture: arm64
         steps:
         - task: RustInstaller@1
           inputs:
-            rustVersion: ms-stable
+            rustVersion: ms-prod-1.93
             toolchainFeed: $(Rust.SDK)
             additionalTargets: aarch64-unknown-linux-musl
           displayName: Install Rust
-          env:
-            ob_restore_phase: true
-        - task: AzureCLI@2
-          displayName: Azure CLI
+        - task: CargoAuthenticate@0
           inputs:
-            azureSubscription: PowerShell-CICD-Feed-Access
-            scriptType: pscore
-            scriptLocation: inlineScript
-            inlineScript: |
-              az account show
+            configFile: '.cargo/config.toml'
+          displayName: Authenticate with Azure Artifacts
         - pwsh: |
             $env:CC_aarch64_unknown_linux_musl='clang'
             $env:AR_aarch64_unknown_linux_musl='llvm-ar'
@@ -386,9 +345,6 @@ extends:
             if ((openssl version -d) -match 'OPENSSLDIR: "(?<dir>.*?)"') {
               $env:OPENSSL_LIB_DIR = $matches['dir']
             }
-            $header = "Bearer $(AzToken)"
-            $env:CARGO_REGISTRIES_POWERSHELL_TOKEN = $header
-            $env:CARGO_REGISTRIES_POWERSHELL_CREDENTIAL_PROVIDER = 'cargo:token'
             ./build.ps1 -Release -Architecture aarch64-unknown-linux-musl
             ./packaging.ps1 -PackageType tgz -Architecture aarch64-unknown-linux-musl -Release
             ./packaging.ps1 -PackageType rpm -Architecture aarch64-unknown-linux-musl -Release
@@ -403,7 +359,6 @@ extends:
         dependsOn: SetPackageVersion
         variables:
           PackageVersion: $[ dependencies.SetPackageVersion.outputs['Package.Version'] ]
-          AzToken: $[ dependencies.SetPackageVersion.outputs['AzToken'] ]
           ob_outputDirectory: '$(Build.ArtifactStagingDirectory)'
         displayName: BuildMac
         pool:
@@ -420,24 +375,15 @@ extends:
         steps:
         - task: RustInstaller@1
           inputs:
-            rustVersion: ms-stable
+            rustVersion: ms-prod-1.93
             toolchainFeed: $(Rust.SDK)
             additionalTargets: $(buildName)
           displayName: Install Rust
-          env:
-            ob_restore_phase: true
-        - task: AzureCLI@2
-          displayName: Azure CLI
+        - task: CargoAuthenticate@0
           inputs:
-            azureSubscription: PowerShell-CICD-Feed-Access
-            scriptType: pscore
-            scriptLocation: inlineScript
-            inlineScript: |
-              az account show
+            configFile: '.cargo/config.toml'
+          displayName: Authenticate with Azure Artifacts
         - pwsh: |
-            $header = "Bearer $(AzToken)"
-            $env:CARGO_REGISTRIES_POWERSHELL_TOKEN = $header
-            $env:CARGO_REGISTRIES_POWERSHELL_CREDENTIAL_PROVIDER = 'cargo:token'
             Write-Verbose -Verbose "Building for $(buildName)"
             ./build.ps1 -Release -Architecture $(buildName)
             ./packaging.ps1 -PackageType tgz -Architecture $(buildName) -Release

diff --git a/.pipelines/DSC-Windows.yml b/.pipelines/DSC-Windows.yml
@@ -8,41 +8,25 @@ parameters:
   - name: BuildConfiguration
     type: string
     default: Release
-  - name: aztoken
-    type: string
   - name: RustSDK
     type: string
 
 steps:
-- checkout: self
-  env:
-    ob_restore_phase: true
-- task: CodeQL3000Init@0 # Add CodeQL Init task right before your 'Build' step.
-  inputs:
-    Enabled: true
-    AnalyzeInPipeline: true
-    Language: rust
-  env:
-    ob_restore_phase: true
 - pwsh: |
     $tmpdir = "$(Agent.TempDirectory)"
     Write-Host "##vso[task.setvariable variable=CARGO_TARGET_DIR;]$tmpdir"
   displayName: 🛠️ Workaround for the LoadLibrary ACCESS_VIOLATION OneBranch issue
-  env:
-    ob_restore_phase: true
 - task: RustInstaller@1
   inputs:
-    rustVersion: ms-stable
+    rustVersion: ms-prod-1.93
     toolchainFeed: ${{ parameters.RustSDK }}
     additionalTargets: ${{ parameters.buildName }}
   displayName: Install Rust
-  env:
-    ob_restore_phase: true
+- task: CargoAuthenticate@0
+  inputs:
+    configFile: '.cargo/config.toml'
+  displayName: Authenticate with Azure Artifacts
 - pwsh: |
-    $header = "Bearer ${{ parameters.aztoken }}"
-    $env:CARGO_REGISTRIES_POWERSHELL_TOKEN = $header
-    $env:CARGO_REGISTRIES_POWERSHELL_CREDENTIAL_PROVIDER = 'cargo:token'
-    Set-Location "$(Build.SourcesDirectory)/DSC"
     $LLVMBIN = "$($env:PROGRAMFILES)\Microsoft Visual Studio\2022\Enterprise\VC\Tools\Llvm\bin"
     if (!(Test-Path $LLVMBIN)) {
       throw "LLVM path '$LLVMBIN' does not exist"
@@ -52,13 +36,6 @@ steps:
     Write-Verbose -Verbose "Building for ${{ parameters.buildName }}"
     ./build.ps1 -Release -Architecture ${{ parameters.buildName }} -SkipLinkCheck -Verbose
   displayName: 'Build ${{ parameters.buildName }}'
-  env:
-    ob_restore_phase: true
-  condition: succeeded()
-- task: CodeQL3000Finalize@0 # Add CodeQL Finalize task right after your 'Build' step.
-  condition: always()
-  env:
-    ob_restore_phase: true
 - pwsh: |
     $null = New-Item -ItemType Directory -Path "${{ parameters.PackageRoot }}" -ErrorAction Ignore
     $null = New-Item -ItemType Directory -Path "${{ parameters.PackageRoot }}/out" -ErrorAction Ignore
@@ -68,13 +45,10 @@ steps:
     # copy only the exes from the TMP folder since it contains intermediately built files we don't want to sign
     write-host 'Binaries in ${env:CARGO_TARGET_DIR}'
     Copy-Item -Path "$env:CARGO_TARGET_DIR/${{ parameters.buildName }}/${{ parameters.BuildConfiguration }}/*.exe" -Destination "${{ parameters.signSrcPath }}" -Verbose
-    Copy-Item -Path "$(Build.SourcesDirectory)/DSC/bin/${{ parameters.buildName }}/${{ parameters.BuildConfiguration }}/*" -Recurse -Destination "${{ parameters.signSrcPath }}" -Verbose -Force
+    Copy-Item -Path "./bin/${{ parameters.buildName }}/${{ parameters.BuildConfiguration }}/*" -Recurse -Destination "${{ parameters.signSrcPath }}" -Verbose -Force
     write-host 'Binaries in ${{ parameters.signSrcPath }}'
     dir -r "${{ parameters.signSrcPath }}"
   displayName: Copy built binaries
-  env:
-    ob_restore_phase: true
-  condition: succeeded()
 - task: onebranch.pipeline.signing@1
   displayName: Sign 1st party files
   inputs:
@@ -91,17 +65,13 @@ steps:
   inputs:
     SourceFolder: "${{ parameters.signSrcPath }}"
     Contents: '**'
-    TargetFolder: $(Build.SourcesDirectory)/DSC/bin/${{ parameters.buildName }}/${{ parameters.BuildConfiguration }}
+    TargetFolder: ./bin/${{ parameters.buildName }}/${{ parameters.BuildConfiguration }}
     OverWrite: true
 - pwsh: |
-    Set-Location "$(Build.SourcesDirectory)/DSC"
     ./packaging.ps1 -PackageType zip -Architecture ${{ parameters.buildName }} -Release
     Copy-Item ./bin/*.zip "$(Build.ArtifactStagingDirectory)" -Verbose
   displayName: 'Zip ${{ parameters.buildName }}'
-  condition: succeeded()
 - pwsh: |
-    Set-Location "$(Build.SourcesDirectory)/DSC"
     ./build.ps1 -PackageType msix -Architecture ${{ parameters.buildName }} -Release -UseX64MakeAppx
     Copy-Item ./bin/msix/*.msix "$(Build.ArtifactStagingDirectory)" -Verbose
   displayName: 'Create msix for ${{ parameters.buildName }}'
-  condition: succeeded()