build: run official builds with the R1 network isolation policy (#18753)

This required removing connections during the build to `nuget.org` and
`powershellgallery.com`.

The NuGet Tool task was downloading nuget from `nuget.org`
unconditionally.

The `AzureFileCopy` task was downloading `Az.Accounts` from
`powershellgallery.com` unconditionally.

Both of these tasks have better options nowadays.

Tested and passed in OneBranch on 2025-04-01.

(cherry picked from commit 22c509f426a7d2cdf616bc18143f5bc24f238c4f)
Service-Card-Id: PVTI_lADOAF3p4s4AxadtzgZ0dVQ
Service-Version: 1.23

.github/actions/spelling/expect/expect.txt

@@ -86,6 +86,7 @@ autoscrolling
 Autowrap
 AVerify
 awch
+AZCOPY
 azurecr
 AZZ
 backgrounded
@@ -1416,6 +1417,7 @@ propvar
 propvariant
 propvarutil
 psa
+PSCRED
 PSECURITY
 pseudoconsole
 pseudoterminal

build/pipelines/templates-v2/job-deploy-to-azure-storage.yml

@@ -75,18 +75,13 @@ jobs:
       }
     displayName: "Wrangle Unpackaged builds into place, rename"
 
-  - powershell: |-
+  - task: AzurePowerShell@5
-      Get-PackageProvider -Name NuGet -ForceBootstrap
-      Install-Module -Verbose -AllowClobber -Force Az.Accounts, Az.Storage, Az.Network, Az.Resources, Az.Compute
-    displayName: Install Azure Module Dependencies
-
-  - task: AzureFileCopy@6
     displayName: Publish to Storage Account
     inputs:
-      sourcePath: _out/*
-      Destination: AzureBlob
       azureSubscription: ${{ parameters.subscription }}
-      storage: ${{ parameters.storageAccount }}
+      azurePowerShellVersion: LatestVersion
-      ContainerName: ${{ parameters.storageContainer }}
+      pwsh: true
-      AdditionalArgumentsForBlobCopy: "--content-type application/octet-stream"
+      ScriptType: InlineScript
-
+      Inline: |-
+        $Env:AZCOPY_AUTO_LOGIN_TYPE="PSCRED"
+        & AzCopy copy "_out\*" "https://${{ parameters.storageAccount }}.blob.core.windows.net/${{ parameters.storageContainer }}/" --content-type application/octet-stream

build/pipelines/templates-v2/job-publish-symbols-using-symbolrequestprod-api.yml

@@ -52,11 +52,6 @@ jobs:
       itemPattern: '**/*.pdb'
       targetPath: '$(Build.SourcesDirectory)/bin'
 
-  - powershell: |-
-      Get-PackageProvider -Name NuGet -ForceBootstrap
-      Install-Module -Verbose -AllowClobber -Force Az.Accounts, Az.Storage, Az.Network, Az.Resources, Az.Compute
-    displayName: Install Azure Module Dependencies
-
   # Transit the Azure token from the Service Connection into a secret variable for the rest of the pipeline to use.
   - task: AzurePowerShell@5
     displayName: Generate an Azure Token

build/pipelines/templates-v2/pipeline-onebranch-full-release-build.yml

@@ -78,7 +78,9 @@ extends:
     template: v2/Microsoft.NonOfficial.yml@templates
   parameters:
     featureFlags:
-      WindowsHostVersion: 1ESWindows2022
+      WindowsHostVersion:
+        Version: 2022
+        Network: R1
     platform:
       name: 'windows_undocked'
       product: 'Windows Terminal'

build/pipelines/templates-v2/steps-ensure-nuget-version.yml

@@ -1,5 +1,12 @@
 steps:
-- task: NuGetToolInstaller@1
+- ${{ if eq(variables['System.CollectionId'], 'cb55739e-4afe-46a3-970f-1b49d8ee7564') }}:
-  displayName: Use NuGet 6.6.1
+  - pwsh: |-
-  inputs:
+      Write-Host "Assuming NuGet is already installed..."
-    versionSpec: 6.6.1
+      & nuget.exe help
+    displayName: Assume NuGet is fine
+
+- ${{ else }}:
+  - task: NuGetToolInstaller@1
+    displayName: Use NuGet 6.6.1
+    inputs:
+      versionSpec: 6.6.1