From e303fe53d23763a70a56ccbb25a066a71ffaab5f Mon Sep 17 00:00:00 2001
From: "Michael Mainer (from Dev Box)"
 <8527305+MIchaelMainer@users.noreply.github.com>
Date: Wed, 12 Nov 2025 15:07:07 -0800
Subject: [PATCH 1/3] cd: update ESRP release task owners

---
 .azure-pipelines/ci-build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.azure-pipelines/ci-build.yml b/.azure-pipelines/ci-build.yml
index e6c637c0924..75c3c5ca8bf 100644
--- a/.azure-pipelines/ci-build.yml
+++ b/.azure-pipelines/ci-build.yml
@@ -232,7 +232,7 @@ extends:
                         contentsource: "Folder"
                         folderlocation: "$(Pipeline.Workspace)"
                         waitforreleasecompletion: true
-                        owners: vibiret@microsoft.com
+                        owners: mmainer@microsoft.com,gavinbarron@microsoft.com
                         approvers: mmainer@microsoft.com
                         serviceendpointurl: "https://api.esrp.microsoft.com"
                         mainpublisher: "ESRPRELPACMAN"

From fd4e048657cb84436c880673d727ac940edaeb12 Mon Sep 17 00:00:00 2001
From: "Michael Mainer (from Dev Box)"
 <8527305+MIchaelMainer@users.noreply.github.com>
Date: Wed, 12 Nov 2025 15:10:30 -0800
Subject: [PATCH 2/3] cd: only run automatically on tagged builds

---
 .azure-pipelines/ci-build.yml | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/.azure-pipelines/ci-build.yml b/.azure-pipelines/ci-build.yml
index 75c3c5ca8bf..94727ddbd22 100644
--- a/.azure-pipelines/ci-build.yml
+++ b/.azure-pipelines/ci-build.yml
@@ -9,9 +9,6 @@ trigger:
   tags:
     include:
       - "v*"
-  branches:
-    include:
-      - main
 
 parameters:
   - name: previewBranch

From 9a5d709dd3501dc781b76d69173c464d998dae2a Mon Sep 17 00:00:00 2001
From: "Michael Mainer (from Dev Box)"
 <8527305+MIchaelMainer@users.noreply.github.com>
Date: Wed, 12 Nov 2025 15:14:44 -0800
Subject: [PATCH 3/3] cd: add explicit permissions

---
 .github/workflows/release-please-gha.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release-please-gha.yml b/.github/workflows/release-please-gha.yml
index 28f1d59d189..02305816760 100644
--- a/.github/workflows/release-please-gha.yml
+++ b/.github/workflows/release-please-gha.yml
@@ -9,7 +9,9 @@
 # variables and secrets, and then runs the release-please-action to manage versioning and changelogs.
 
 name: Release Please
-
+permissions:
+  contents: read
+  pull-requests: write
 on:
   push:
     branches: