From c6ba4ded1ef37ffaa195746bacd8cd339b4e6735 Mon Sep 17 00:00:00 2001
From: Matt Rakow
Date: Fri, 29 May 2026 16:07:10 -0700
Subject: [PATCH 1/2] build: simplify server-* docker auth after enabling anonymous pull on mirror ACR

The public mirror ACR now allows anonymous pull, so the per-pipeline 'Fluid Public Mirror Container Registry' service-connection auth is no longer needed for base-image pulls. This also restores cross-fork PR compatibility for the server-* pipelines (cross-fork PRs are blocked from accessing service-connection secrets, which silently caused the Docker build step to fall back to anonymous pull and 401 against the previously-locked-down ACR). The push-side service connection (`$(containerRegistryConnection)`) is still required when pushing built images in the internal project.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 tools/pipelines/README.md | 7 ++-----
 tools/pipelines/templates/build-docker-service.yml | 9 ++-------
 2 files changed, 4 insertions(+), 12 deletions(-)

diff --git a/tools/pipelines/README.md b/tools/pipelines/README.md
index 6f7d0f686915..819ee422c08b 100644
--- a/tools/pipelines/README.md
+++ b/tools/pipelines/README.md
@@ -23,11 +23,8 @@ build-arg automatically via its `baseImageRegistry` parameter, which defaults to
 FQDN. Callers can override it if they need a different mirror (e.g. for testing).
 The mirror namespace `mirror/docker/library/` is byte-identical to Docker Hub's path, so the
-same Dockerfile reference works against either registry. Anonymous pull is disabled on the mirror,
-so credentials for the `Fluid Public Mirror Container Registry` ADO service connection are flowed
-into the docker build step via `templateContext.authenticatedContainerRegistries` in
-[`templates/build-docker-service.yml`](./templates/build-docker-service.yml). Each ADO project has
-its own service connection (same name) backed by its own AcrPull-only service principal.
+same Dockerfile reference works against either registry. Anonymous pull is enabled on the mirror,
+so no credentials are needed for the base-image pulls.
 ### Upgrading a pinned base image
diff --git a/tools/pipelines/templates/build-docker-service.yml b/tools/pipelines/templates/build-docker-service.yml
index 3f71b3f213a7..d66689134d74 100644
--- a/tools/pipelines/templates/build-docker-service.yml
+++ b/tools/pipelines/templates/build-docker-service.yml
@@ -600,16 +600,11 @@ extends:
 pnpm store prune
 templateContext:
- # 'Fluid Public Mirror Container Registry' is required on every run for base-image pulls
- # (anonymous pull disabled). The push connection $(containerRegistryConnection) is only
- # added when pushing in the internal project (it's empty in the public project).
+ # The push connection $(containerRegistryConnection) is only added when pushing in the
+ # internal project (it's empty in the public project).
 ${{ if and(eq(parameters.shouldPushDockerImage, true), eq(variables['System.TeamProject'], 'internal')) }}:
 authenticatedContainerRegistries:
 - serviceConnection: $(containerRegistryConnection)
- - serviceConnection: 'Fluid Public Mirror Container Registry'
- ${{ else }}:
- authenticatedContainerRegistries:
- - serviceConnection: 'Fluid Public Mirror Container Registry'
 outputParentDirectory: $(Build.ArtifactStagingDirectory)
 outputs:
 - ${{ if eq(parameters.pack, true) }}:

From 2ea40baab643925858f892b0800863a9d8acd4f8 Mon Sep 17 00:00:00 2001
From: Matt Rakow
Date: Fri, 5 Jun 2026 11:22:10 -0700
Subject: [PATCH 2/2] build: point base-image mirror at fluidmirror in eastus2

Migrates the server-* base-image mirror from fluidpublicmirror (westus2, auth'd pull) to fluidmirror (eastus2, anonymous pull). Co-locating the ACR with the 1ES build pools (also in eastus2) makes legitimate CI egress free same-region transfer; a Cost Management budget on the new RG provides an abuse tripwire.

AB#74558

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 tools/pipelines/README.md | 8 ++++----
 tools/pipelines/templates/build-docker-service.yml | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/tools/pipelines/README.md b/tools/pipelines/README.md
index 819ee422c08b..83a22d85fb73 100644
--- a/tools/pipelines/README.md
+++ b/tools/pipelines/README.md
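Review bot: The replacement comment at the top of `templateContext` explains the push connection but drops the reason no pull-side connection is configured, which is the very thing this commit changes; a maintainer debugging a cross-fork PR failure could plausibly re-add the `Fluid Public Mirror Container Registry` entry and reintroduce the 401 described in the commit message. Suggest keeping one line of that context, e.g. `# Base-image pulls from the mirror ACR are anonymous (see tools/pipelines/README.md), so no pull-side connection is listed; cross-fork PRs cannot read service-connection secrets anyway.` Dropping the `${{ else }}` branch also leaves `authenticatedContainerRegistries` absent rather than empty when not pushing, which is presumably fine if the 1ES template treats the key as optional — worth confirming against the template schema. With anonymous pull, base-image integrity now rests on TLS to the DNL-suffixed login server and on the digest pins described in the README rather than on any credential, so those pins are what a reviewer of future Dockerfile changes should watch. The enclosing `extends`/`templateContext` mapping begins outside this hunk.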
@@ -8,9 +8,9 @@ releasing the Fluid Framework.
 The `server-*` pipelines run on a 1ES build pool whose network isolation blocks egress to Docker Hub, so each server Dockerfile makes its base-image registry overridable via `ARG BASE_IMAGE_REGISTRY` and CI overrides it to a mirrored copy on a public-accessible ACR
-(`fluidpublicmirror-ccbba5fhdscnchft.azurecr.io`; the suffix is ACR's Domain Name Label (DNL)
+(`fluidmirror-a5dqhgefbwhmbtag.azurecr.io`; the suffix is ACR's Domain Name Label (DNL)
 hash, added to the login-server FQDN to prevent subdomain-takeover attacks — `az acr` CLI
-commands still take the bare registry name `fluidpublicmirror`). The same mirror is used by both
+commands still take the bare registry name `fluidmirror`). The same mirror is used by both
 the `internal` and `public` ADO projects. Local builds default to Docker Hub and need no changes.
 ```dockerfile
@@ -35,10 +35,10 @@ so no credentials are needed for the base-image pulls.
 ```
 2. Import it into the mirror. The command requires permission to perform
- `Microsoft.ContainerRegistry/registries/importImage/action` on `fluidpublicmirror` (held by the
+ `Microsoft.ContainerRegistry/registries/importImage/action` on `fluidmirror` (held by the
 `Contributor` role, but **not** by `AcrPull`):
 ```bash
- az acr import --name fluidpublicmirror \
+ az acr import --name fluidmirror \
 --source "docker.io/library/node@" \
 --image "mirror/docker/library/node:"
 ```
diff --git a/tools/pipelines/templates/build-docker-service.yml b/tools/pipelines/templates/build-docker-service.yml
index d66689134d74..dc441c819ab0 100644
--- a/tools/pipelines/templates/build-docker-service.yml
+++ b/tools/pipelines/templates/build-docker-service.yml
@@ -99,7 +99,7 @@ parameters:
 # internal and public 1ES build pools (egress to docker.io is blocked by network isolation policies).
 - name: baseImageRegistry
 type: string
- default: 'fluidpublicmirror-ccbba5fhdscnchft.azurecr.io/mirror/docker'
+ default: 'fluidmirror-a5dqhgefbwhmbtag.azurecr.io/mirror/docker'
 # If the build is running for a test branch
 - name: testBuild
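Review bot: The new `baseImageRegistry` default hardcodes the mirror's DNL-suffixed login server, the same literal the README carries, and nothing ties the two together — both commits in this series had to edit each place by hand. Because pulls from this mirror are anonymous (per the first patch), this default is what binds the server-* builds to the trusted mirror, so an override of the parameter re-points the base-image trust root, while the existing comment above the parameter only says why docker.io is unreachable. Suggest extending that comment with `# Keep in sync with tools/pipelines/README.md; with anonymous pull, this FQDN (including the ACR DNL suffix) is what binds builds to the trusted mirror, so treat overrides as a trust-boundary change.` The enclosing `parameters` list begins outside this hunk.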