dotnet · dotnet-docker-bot · Feb 3, 2026 · Jan 26, 2026
@@ -91,8 +91,6 @@ jobs:
         --architecture $(architecture)
         --retry
         --digests-out-var 'builtImages'
-        --acr-subscription '${{ parameters.publishConfig.BuildRegistry.subscription }}'
-        --acr-resource-group '${{ parameters.publishConfig.BuildRegistry.resourceGroup }}'
         $(manifestVariables)
         $(imageBuilderBuildArgs)
   - template: /eng/docker-tools/templates/steps/publish-artifact.yml@self

@@ -97,8 +97,6 @@ jobs:
       internalProjectName: ${{ parameters.internalProjectName }}
       args: >-
         copyAcrImages
-        '${{ parameters.publishConfig.BuildRegistry.subscription }}'
-        '${{ parameters.publishConfig.BuildRegistry.resourceGroup }}'
         '${{ parameters.publishConfig.BuildRegistry.repoPrefix }}'
         '${{ parameters.publishConfig.BuildRegistry.server }}'
         --os-type '*'

@@ -53,35 +53,44 @@ stages:
       InternalMirrorRegistry:
         server: $(acr-staging-test.server)
         repoPrefix: $(internalMirrorRepoPrefix)
-        resourceGroup: $(testResourceGroup)
-        subscription: $(testSubscription)
-        serviceConnection:
-          name: $(internal-mirror-test.serviceConnectionName)
-          id: $(internal-mirror-test.serviceConnection.id)
-          clientId: $(internal-mirror-test.serviceConnection.clientId)
-          tenantId: $(testTenant)
 
       PublicMirrorRegistry:
         server: $(public-mirror.server)
         repoPrefix: $(publicMirrorRepoPrefix)
-        resourceGroup: $(public-mirror.resourceGroup)
-        subscription: $(public-mirror.subscription)
-        serviceConnection:
-          name: $(public-mirror.serviceConnectionName)
-          id: $(public-mirror.serviceConnection.id)
-          tenantId: $(public-mirror.serviceConnection.tenantId)
-          clientId: $(public-mirror.serviceConnection.clientId)
 
       BuildRegistry:
         server: $(acr-staging-test.server)
-        resourceGroup: $(testResourceGroup)
-        subscription: $(testSubscription)
         repoPrefix: "${{ parameters.stagingRepoPrefix }}${{ parameters.sourceBuildPipelineRunId }}/"
-        serviceConnection:
-          name: $(build-test.serviceConnectionName)
-          id: $(build-test.serviceConnection.id)
-          clientId: $(build-test.serviceConnection.clientId)
-          tenantId: $(testTenant)
+
+      PublishRegistry:
+        server: $(acr-test.server)
+        repoPrefix: "${{ parameters.publishRepoPrefix }}"
+
+      RegistryAuthentication:
+        - server: $(acr-staging-test.server)
+          resourceGroup: $(testResourceGroup)
+          subscription: $(testSubscription)
+          serviceConnection:
+            name: $(build-test.serviceConnectionName)
+            id: $(build-test.serviceConnection.id)
+            clientId: $(build-test.serviceConnection.clientId)
+            tenantId: $(testTenant)
+        - server: $(public-mirror.server)
+          resourceGroup: $(public-mirror.resourceGroup)
+          subscription: $(public-mirror.subscription)
+          serviceConnection:
+            name: $(public-mirror.serviceConnectionName)
+            id: $(public-mirror.serviceConnection.id)
+            tenantId: $(public-mirror.serviceConnection.tenantId)
+            clientId: $(public-mirror.serviceConnection.clientId)
+        - server: $(acr-test.server)
+          resourceGroup: $(testResourceGroup)
+          subscription: $(testSubscription)
+          serviceConnection:
+            name: $(publish-test.serviceConnectionName)
+            id: $(publish-test.serviceConnection.id)
+            clientId: $(publish-test.serviceConnection.clientId)
+            tenantId: $(testTenant)
 
       cleanServiceConnection:
         name: $(clean-test.serviceConnectionName)
@@ -94,14 +103,3 @@ stages:
         id: $(test-nonprod.serviceConnection.id)
         clientId: $(test-nonprod.serviceConnection.clientId)
         tenantId: $(testTenant)
-
-      PublishRegistry:
-        server: $(acr-test.server)
-        resourceGroup: $(testResourceGroup)
-        subscription: $(testSubscription)
-        repoPrefix: "${{ parameters.publishRepoPrefix }}"
-        serviceConnection:
-          name: $(publish-test.serviceConnectionName)
-          id: $(publish-test.serviceConnection.id)
-          clientId: $(publish-test.serviceConnection.clientId)
-          tenantId: $(testTenant)
@@ -53,35 +53,44 @@ stages:
       InternalMirrorRegistry:
         server: $(acr-staging.server)
         repoPrefix: $(internalMirrorRepoPrefix)
-        resourceGroup: $(acr-staging.resourceGroup)
-        subscription: $(acr-staging.subscription)
-        serviceConnection:
-          name: $(internal-mirror.serviceConnectionName)
-          id: $(internal-mirror.serviceConnection.id)
-          clientId: $(internal-mirror.serviceConnection.clientId)
-          tenantId: $(internal-mirror.serviceConnection.tenantId)
 
       PublicMirrorRegistry:
         server: $(public-mirror.server)
         repoPrefix: $(publicMirrorRepoPrefix)
-        resourceGroup: $(public-mirror.resourceGroup)
-        subscription: $(public-mirror.subscription)
-        serviceConnection:
-          name: $(public-mirror.serviceConnectionName)
-          id: $(public-mirror.serviceConnection.id)
-          tenantId: $(public-mirror.serviceConnection.tenantId)
-          clientId: $(public-mirror.serviceConnection.clientId)
 
       BuildRegistry:
         server: $(acr-staging.server)
-        resourceGroup: $(acr-staging.resourceGroup)
-        subscription: $(acr-staging.subscription)
         repoPrefix: "${{ parameters.stagingRepoPrefix }}${{ parameters.sourceBuildPipelineRunId }}/"
-        serviceConnection:
-          name: $(build.serviceConnectionName)
-          id: $(build.serviceConnection.id)
-          clientId: $(build.serviceConnection.clientId)
-          tenantId: $(build.serviceConnection.tenantId)
+
+      PublishRegistry:
+        server: $(acr.server)
+        repoPrefix: "${{ parameters.publishRepoPrefix }}"
+
+      RegistryAuthentication:
+        - server: $(acr-staging.server)
+          resourceGroup: $(acr-staging.resourceGroup)
+          subscription: $(acr-staging.subscription)
+          serviceConnection:
+            name: $(build.serviceConnectionName)
+            id: $(build.serviceConnection.id)
+            clientId: $(build.serviceConnection.clientId)
+            tenantId: $(build.serviceConnection.tenantId)
+        - server: $(public-mirror.server)
+          resourceGroup: $(public-mirror.resourceGroup)
+          subscription: $(public-mirror.subscription)
+          serviceConnection:
+            name: $(public-mirror.serviceConnectionName)
+            id: $(public-mirror.serviceConnection.id)
+            tenantId: $(public-mirror.serviceConnection.tenantId)
+            clientId: $(public-mirror.serviceConnection.clientId)
+        - server: $(acr.server)
+          resourceGroup: $(acr.resourceGroup)
+          subscription: $(acr.subscription)
+          serviceConnection:
+            name: $(publish.serviceConnectionName)
+            id: $(publish.serviceConnection.id)
+            clientId: $(publish.serviceConnection.clientId)
+            tenantId: $(publish.serviceConnection.tenantId)
 
       cleanServiceConnection:
         name: $(clean.serviceConnectionName)
@@ -94,14 +103,3 @@ stages:
         id: $(test.serviceConnection.id)
         clientId: $(test.serviceConnection.clientId)
         tenantId: $(test.serviceConnection.tenantId)
-
-      PublishRegistry:
-        server: $(acr.server)
-        resourceGroup: $(acr.resourceGroup)
-        subscription: $(acr.subscription)
-        repoPrefix: "${{ parameters.publishRepoPrefix }}"
-        serviceConnection:
-          name: $(publish.serviceConnectionName)
-          id: $(publish.serviceConnection.id)
-          clientId: $(publish.serviceConnection.clientId)
-          tenantId: $(publish.serviceConnection.tenantId)
@@ -3,21 +3,37 @@
 # it is declared in this stage's parameters, even if your pipeline has already
 # been granted access to the service connection. This stage also does not need
 # to complete before the service connection is used.
+#
+# There are two ways to specify service connections:
+# - Pass `serviceConnections` directly (list of {name: string} objects)
+# - Pass `publishConfig` + `registries` to look up auth from RegistryAuthentication
 parameters:
 - name: pool
   type: object
   default:
     name: $(default1ESInternalPoolName)
     image: $(default1ESInternalPoolImage)
     os: linux
-# serviceConnections object shape:
-# - name: string
+
+# Explicit list of service connections to initialize
+# Shape: [{ name: string }]
 - name: serviceConnections
   type: object
   default: []
 
-stages:
+# List of registry servers that need authentication. These will be looked up in
+# publishConfig.RegistryAuthentication.
+# Make sure to provide the publishConfig parameter.
+- name: usesRegistries
+  type: object
+  default: []
+# Look up service connections from publishConfig based on registries
+# The publish configuration containing RegistryAuthentication entries.
+- name: publishConfig
+  type: object
+  default: {}
 
+stages:
 - stage: SetupServiceConnectionsStage
   displayName: Setup service connections
   jobs:
@@ -27,6 +43,8 @@ stages:
     pool: ${{ parameters.pool }}
     steps:
     - checkout: none
+
+    # Direct service connections list
     - ${{ each serviceConnection in parameters.serviceConnections }}:
       - task: AzureCLI@2
         displayName: Setup ${{ serviceConnection.name }}
@@ -36,3 +54,15 @@ stages:
           scriptLocation: inlineScript
           inlineScript: |
             az account show
+
+    # Setup registry service connections
+    - ${{ if gt(length(parameters.usesRegistries), 0) }}:
+      - ${{ each auth in parameters.publishConfig.RegistryAuthentication }}:
+        - ${{ if containsValue(parameters.usesRegistries, auth.server) }}:
+          - task: AzureCLI@2
+            displayName: Setup ${{ auth.serviceConnection.name }}
+            inputs:
+              azureSubscription: ${{ auth.serviceConnection.name }}
+              scriptType: pscore
+              scriptLocation: inlineScript
+              inlineScript: az account show
@@ -3,8 +3,6 @@ parameters:
   type: object
   default:
     server: ""
-    subscription: ""
-    resourceGroup: ""
     repoPrefix: ""
 - name: additionalOptions
   type: string
@@ -29,8 +27,6 @@ steps:
     # error
     args: >-
       copyBaseImages
-      '${{ parameters.acr.subscription }}'
-      '${{ parameters.acr.resourceGroup }}'
       $(dockerHubRegistryCreds)
       $(customCopyBaseImagesArgs)
       --repo-prefix '${{ parameters.acr.repoPrefix }}'

@@ -1,5 +1,5 @@
 variables:
-  imageNames.imageBuilderName: mcr.microsoft.com/dotnet-buildtools/image-builder:2887966
+  imageNames.imageBuilderName: mcr.microsoft.com/dotnet-buildtools/image-builder:2894609
   imageNames.imageBuilder: $(imageNames.imageBuilderName)
   imageNames.imageBuilder.withrepo: imagebuilder-withrepo:$(Build.BuildId)-$(System.JobId)
   imageNames.testRunner: mcr.microsoft.com/dotnet-buildtools/prereqs:azurelinux3.0-docker-testrunner

@@ -39,12 +39,12 @@ stages:
 - ${{ if ne(variables['Build.Reason'], 'PullRequest') }}:
   - template: /eng/docker-tools/templates/stages/setup-service-connections.yml@self
     parameters:
-      serviceConnections:
-      - name: ${{ parameters.publishConfig.InternalMirrorRegistry.serviceConnection.name }}
-      - name: ${{ parameters.publishConfig.BuildRegistry.serviceConnection.name }}
-      - name: ${{ parameters.publishConfig.PublishRegistry.serviceConnection.name }}
-      - ${{ each serviceConnection in parameters.additionalServiceConnections }}:
-        - name: ${{ serviceConnection.name }}
+      publishConfig: ${{ parameters.publishConfig }}
+      usesRegistries:
+        - ${{ parameters.publishConfig.BuildRegistry.server }}
+        - ${{ parameters.publishConfig.PublishRegistry.server }}
+        - ${{ parameters.publishConfig.InternalMirrorRegistry.server }}
+      serviceConnections: ${{ parameters.additionalServiceConnections }}
 
 - template: /eng/docker-tools/templates/stages/dotnet/build-test-publish-repo.yml@self
   parameters:

@@ -16,15 +16,10 @@ parameters:
 stages:
 - template: /eng/docker-tools/templates/stages/setup-service-connections.yml@self
   parameters:
-    serviceConnections:
-    - name: ${{ parameters.publishConfig.InternalMirrorRegistry.serviceConnection.name }}
-    # Workaround for https://github.com/dotnet/docker-tools/issues/1914:
-    # "ACR authentication can fail when using two different service connections for the same ACR"
-    # Both InternalMirrorRegistry and BuildRegistry point to the same ACR, but
-    # have different service connections. BuildRegistry is listed first in the
-    # publish config, so we have to declare it here since it will be used for
-    # ACR authentication.
-    - name: ${{ parameters.publishConfig.BuildRegistry.serviceConnection.name }}
+    publishConfig: ${{ parameters.publishConfig }}
+    usesRegistries:
+      - ${{ parameters.publishConfig.InternalMirrorRegistry.server }}
+      - ${{ parameters.publishConfig.BuildRegistry.server }}
 
 - stage: CheckBaseImages
   displayName: Check Base Images

@@ -21,8 +21,9 @@ parameters:
 stages:
 - template: /eng/docker-tools/templates/stages/setup-service-connections.yml@self
   parameters:
-    serviceConnections:
-    - name: ${{ parameters.publishConfig.PublicMirrorRegistry.serviceConnection.name }}
+    publishConfig: ${{ parameters.publishConfig }}
+    usesRegistries:
+      - ${{ parameters.publishConfig.PublicMirrorRegistry.server }}
 
 - stage: MirrorBaseImages
   displayName: Mirror Base Images