From 08d9db6de04a9540231463911a77d766c379bcc7 Mon Sep 17 00:00:00 2001
From: "dotnet-maestro[bot]" <dotnet-maestro[bot]@users.noreply.github.com>
Date: Tue, 18 Nov 2025 02:05:51 +0000
Subject: [PATCH 1/4] Update dependencies from https://github.com/dotnet/dotnet
 build 291132 Updated Dependencies: Microsoft.DotNet.Arcade.Sdk (Version
 11.0.0-beta.25563.103 -> 11.0.0-beta.25567.106)

---
 eng/Version.Details.props | 2 +-
 eng/Version.Details.xml   | 6 +++---
 global.json               | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/eng/Version.Details.props b/eng/Version.Details.props
index 86378dff80..213f1262e7 100644
--- a/eng/Version.Details.props
+++ b/eng/Version.Details.props
@@ -6,7 +6,7 @@ This file should be imported by eng/Versions.props
 <Project>
   <PropertyGroup>
     <!-- dotnet/dotnet dependencies -->
-    <MicrosoftDotNetArcadeSdkPackageVersion>11.0.0-beta.25563.103</MicrosoftDotNetArcadeSdkPackageVersion>
+    <MicrosoftDotNetArcadeSdkPackageVersion>11.0.0-beta.25567.106</MicrosoftDotNetArcadeSdkPackageVersion>
   </PropertyGroup>
   <!--Property group for alternate package version names-->
   <PropertyGroup>
diff --git a/eng/Version.Details.xml b/eng/Version.Details.xml
index 87bb6fda9e..69b5090844 100644
--- a/eng/Version.Details.xml
+++ b/eng/Version.Details.xml
@@ -1,12 +1,12 @@
 <?xml version="1.0" encoding="utf-8"?>
 <Dependencies>
-  <Source Uri="https://github.com/dotnet/dotnet" Mapping="command-line-api" Sha="679ec822750ef4a645af43de164852f3c7ed9fdc" BarId="290847" />
+  <Source Uri="https://github.com/dotnet/dotnet" Mapping="command-line-api" Sha="feff871cec763e9a9f8e9ace212f0fd6041d479f" BarId="291132" />
   <ProductDependencies>
   </ProductDependencies>
   <ToolsetDependencies>
-    <Dependency Name="Microsoft.DotNet.Arcade.Sdk" Version="11.0.0-beta.25563.103">
+    <Dependency Name="Microsoft.DotNet.Arcade.Sdk" Version="11.0.0-beta.25567.106">
       <Uri>https://github.com/dotnet/dotnet</Uri>
-      <Sha>679ec822750ef4a645af43de164852f3c7ed9fdc</Sha>
+      <Sha>feff871cec763e9a9f8e9ace212f0fd6041d479f</Sha>
     </Dependency>
   </ToolsetDependencies>
 </Dependencies>
diff --git a/global.json b/global.json
index 2c2862cd09..333d6b6fc9 100644
--- a/global.json
+++ b/global.json
@@ -13,6 +13,6 @@
     }
   },
   "msbuild-sdks": {
-    "Microsoft.DotNet.Arcade.Sdk": "11.0.0-beta.25563.103"
+    "Microsoft.DotNet.Arcade.Sdk": "11.0.0-beta.25567.106"
   }
 }

From fa66b0cff02abe30f3767cd03d21b45cc6079fc0 Mon Sep 17 00:00:00 2001
From: "dotnet-maestro[bot]" <dotnet-maestro[bot]@users.noreply.github.com>
Date: Wed, 19 Nov 2025 02:08:25 +0000
Subject: [PATCH 2/4] Update dependencies from https://github.com/dotnet/dotnet
 build 291345 Updated Dependencies: Microsoft.DotNet.Arcade.Sdk (Version
 11.0.0-beta.25567.106 -> 11.0.0-beta.25568.110)

---
 eng/Version.Details.props | 2 +-
 eng/Version.Details.xml   | 6 +++---
 global.json               | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/eng/Version.Details.props b/eng/Version.Details.props
index 213f1262e7..d18e0dfe7a 100644
--- a/eng/Version.Details.props
+++ b/eng/Version.Details.props
@@ -6,7 +6,7 @@ This file should be imported by eng/Versions.props
 <Project>
   <PropertyGroup>
     <!-- dotnet/dotnet dependencies -->
-    <MicrosoftDotNetArcadeSdkPackageVersion>11.0.0-beta.25567.106</MicrosoftDotNetArcadeSdkPackageVersion>
+    <MicrosoftDotNetArcadeSdkPackageVersion>11.0.0-beta.25568.110</MicrosoftDotNetArcadeSdkPackageVersion>
   </PropertyGroup>
   <!--Property group for alternate package version names-->
   <PropertyGroup>
diff --git a/eng/Version.Details.xml b/eng/Version.Details.xml
index 69b5090844..d3f9bcce57 100644
--- a/eng/Version.Details.xml
+++ b/eng/Version.Details.xml
@@ -1,12 +1,12 @@
 <?xml version="1.0" encoding="utf-8"?>
 <Dependencies>
-  <Source Uri="https://github.com/dotnet/dotnet" Mapping="command-line-api" Sha="feff871cec763e9a9f8e9ace212f0fd6041d479f" BarId="291132" />
+  <Source Uri="https://github.com/dotnet/dotnet" Mapping="command-line-api" Sha="9447c7095aa247775e2a4b1cf6bd29c3dd7a32fb" BarId="291345" />
   <ProductDependencies>
   </ProductDependencies>
   <ToolsetDependencies>
-    <Dependency Name="Microsoft.DotNet.Arcade.Sdk" Version="11.0.0-beta.25567.106">
+    <Dependency Name="Microsoft.DotNet.Arcade.Sdk" Version="11.0.0-beta.25568.110">
       <Uri>https://github.com/dotnet/dotnet</Uri>
-      <Sha>feff871cec763e9a9f8e9ace212f0fd6041d479f</Sha>
+      <Sha>9447c7095aa247775e2a4b1cf6bd29c3dd7a32fb</Sha>
     </Dependency>
   </ToolsetDependencies>
 </Dependencies>
diff --git a/global.json b/global.json
index 333d6b6fc9..d41c5c3830 100644
--- a/global.json
+++ b/global.json
@@ -13,6 +13,6 @@
     }
   },
   "msbuild-sdks": {
-    "Microsoft.DotNet.Arcade.Sdk": "11.0.0-beta.25567.106"
+    "Microsoft.DotNet.Arcade.Sdk": "11.0.0-beta.25568.110"
   }
 }

From 74d48e54edd00308942e955e2cfcffdc0f4d1e0d Mon Sep 17 00:00:00 2001
From: "dotnet-maestro[bot]" <dotnet-maestro[bot]@users.noreply.github.com>
Date: Thu, 20 Nov 2025 02:11:29 +0000
Subject: [PATCH 3/4] Update dependencies from https://github.com/dotnet/dotnet
 build 291548 Updated Dependencies: Microsoft.DotNet.Arcade.Sdk (Version
 11.0.0-beta.25568.110 -> 11.0.0-beta.25569.110)

---
 eng/Version.Details.props                     |  2 +-
 eng/Version.Details.xml                       |  6 +-
 eng/common/core-templates/job/job.yml         |  4 --
 .../job/publish-build-assets.yml              |  2 +-
 .../steps/component-governance.yml            | 16 -----
 .../core-templates/steps/generate-sbom.yml    | 60 ++++---------------
 .../core-templates/steps/source-build.yml     |  2 +-
 eng/common/generate-sbom-prep.ps1             | 29 ---------
 eng/common/generate-sbom-prep.sh              | 39 ------------
 eng/common/template-guidance.md               |  2 -
 eng/common/templates-official/job/job.yml     | 30 +++-------
 .../steps/component-governance.yml            |  7 ---
 .../steps/publish-pipeline-artifacts.yml      |  2 +
 eng/common/templates/job/job.yml              | 31 ++++------
 .../templates/steps/component-governance.yml  |  7 ---
 global.json                                   |  2 +-
 16 files changed, 38 insertions(+), 203 deletions(-)
 delete mode 100644 eng/common/core-templates/steps/component-governance.yml
 delete mode 100644 eng/common/generate-sbom-prep.ps1
 delete mode 100755 eng/common/generate-sbom-prep.sh
 delete mode 100644 eng/common/templates-official/steps/component-governance.yml
 delete mode 100644 eng/common/templates/steps/component-governance.yml

diff --git a/eng/Version.Details.props b/eng/Version.Details.props
index d18e0dfe7a..1d110f99fa 100644
--- a/eng/Version.Details.props
+++ b/eng/Version.Details.props
@@ -6,7 +6,7 @@ This file should be imported by eng/Versions.props
 <Project>
   <PropertyGroup>
     <!-- dotnet/dotnet dependencies -->
-    <MicrosoftDotNetArcadeSdkPackageVersion>11.0.0-beta.25568.110</MicrosoftDotNetArcadeSdkPackageVersion>
+    <MicrosoftDotNetArcadeSdkPackageVersion>11.0.0-beta.25569.110</MicrosoftDotNetArcadeSdkPackageVersion>
   </PropertyGroup>
   <!--Property group for alternate package version names-->
   <PropertyGroup>
diff --git a/eng/Version.Details.xml b/eng/Version.Details.xml
index d3f9bcce57..571d754e2a 100644
--- a/eng/Version.Details.xml
+++ b/eng/Version.Details.xml
@@ -1,12 +1,12 @@
 <?xml version="1.0" encoding="utf-8"?>
 <Dependencies>
-  <Source Uri="https://github.com/dotnet/dotnet" Mapping="command-line-api" Sha="9447c7095aa247775e2a4b1cf6bd29c3dd7a32fb" BarId="291345" />
+  <Source Uri="https://github.com/dotnet/dotnet" Mapping="command-line-api" Sha="ea77dd1498eeaae360c4309d07ccd68c8936fe48" BarId="291548" />
   <ProductDependencies>
   </ProductDependencies>
   <ToolsetDependencies>
-    <Dependency Name="Microsoft.DotNet.Arcade.Sdk" Version="11.0.0-beta.25568.110">
+    <Dependency Name="Microsoft.DotNet.Arcade.Sdk" Version="11.0.0-beta.25569.110">
       <Uri>https://github.com/dotnet/dotnet</Uri>
-      <Sha>9447c7095aa247775e2a4b1cf6bd29c3dd7a32fb</Sha>
+      <Sha>ea77dd1498eeaae360c4309d07ccd68c8936fe48</Sha>
     </Dependency>
   </ToolsetDependencies>
 </Dependencies>
diff --git a/eng/common/core-templates/job/job.yml b/eng/common/core-templates/job/job.yml
index cb4ccc023a..3921b407bc 100644
--- a/eng/common/core-templates/job/job.yml
+++ b/eng/common/core-templates/job/job.yml
@@ -31,7 +31,6 @@ parameters:
   testRunTitle: ''
   testResultsFormat: ''
   name: ''
-  componentGovernanceSteps: []
   preSteps: []
   artifactPublishSteps: []
   runAsPublic: false
@@ -150,9 +149,6 @@ jobs:
   - ${{ each step in parameters.steps }}:
     - ${{ step }}
 
-  - ${{ each step in parameters.componentGovernanceSteps }}:
-    - ${{ step }}
-
   - ${{ if and(eq(parameters.runAsPublic, 'false'), ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest')) }}:
     - template: /eng/common/core-templates/steps/cleanup-microbuild.yml
       parameters:
diff --git a/eng/common/core-templates/job/publish-build-assets.yml b/eng/common/core-templates/job/publish-build-assets.yml
index 4a417e003c..a23657cd71 100644
--- a/eng/common/core-templates/job/publish-build-assets.yml
+++ b/eng/common/core-templates/job/publish-build-assets.yml
@@ -172,7 +172,7 @@ jobs:
             artifactName: AssetManifests
             displayName: 'Publish Merged Manifest'
             retryCountOnTaskFailure: 10 # for any logs being locked
-            sbomEnabled: false # we don't need SBOM for logs
+            isProduction: false
 
     - template: /eng/common/core-templates/steps/publish-build-artifacts.yml
       parameters:
diff --git a/eng/common/core-templates/steps/component-governance.yml b/eng/common/core-templates/steps/component-governance.yml
deleted file mode 100644
index cf0649aa95..0000000000
--- a/eng/common/core-templates/steps/component-governance.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-parameters:
-  disableComponentGovernance: false
-  componentGovernanceIgnoreDirectories: ''
-  is1ESPipeline: false
-  displayName: 'Component Detection'
-
-steps:
-- ${{ if eq(parameters.disableComponentGovernance, 'true') }}:
-  - script: echo "##vso[task.setvariable variable=skipComponentGovernanceDetection]true"
-    displayName: Set skipComponentGovernanceDetection variable
-- ${{ if ne(parameters.disableComponentGovernance, 'true') }}:
-  - task: ComponentGovernanceComponentDetection@0
-    continueOnError: true
-    displayName: ${{ parameters.displayName }}
-    inputs:
-      ignoreDirectories: ${{ parameters.componentGovernanceIgnoreDirectories }}
diff --git a/eng/common/core-templates/steps/generate-sbom.yml b/eng/common/core-templates/steps/generate-sbom.yml
index 003f7eae0f..aad0a8aeda 100644
--- a/eng/common/core-templates/steps/generate-sbom.yml
+++ b/eng/common/core-templates/steps/generate-sbom.yml
@@ -1,54 +1,14 @@
-# BuildDropPath - The root folder of the drop directory for which the manifest file will be generated.
-# PackageName - The name of the package this SBOM represents.
-# PackageVersion - The version of the package this SBOM represents. 
-# ManifestDirPath - The path of the directory where the generated manifest files will be placed
-# IgnoreDirectories - Directories to ignore for SBOM generation. This will be passed through to the CG component detector.
-
 parameters:
-  PackageVersion: 11.0.0
-  BuildDropPath: '$(System.DefaultWorkingDirectory)/artifacts'
-  PackageName: '.NET'
-  ManifestDirPath: $(Build.ArtifactStagingDirectory)/sbom
-  IgnoreDirectories: ''
-  sbomContinueOnError: true
-  is1ESPipeline: false
-  # disable publishArtifacts if some other step is publishing the artifacts (like job.yml).
-  publishArtifacts: true
+  PackageVersion: unused
+  BuildDropPath: unused
+  PackageName: unused
+  ManifestDirPath: unused
+  IgnoreDirectories: unused
+  sbomContinueOnError: unused
+  is1ESPipeline: unused
+  publishArtifacts: unused
 
 steps:
-- task: PowerShell@2 
-  displayName: Prep for SBOM generation in (Non-linux)
-  condition: or(eq(variables['Agent.Os'], 'Windows_NT'), eq(variables['Agent.Os'], 'Darwin'))
-  inputs: 
-    filePath: ./eng/common/generate-sbom-prep.ps1
-    arguments: ${{parameters.manifestDirPath}}
-
-# Chmodding is a workaround for https://github.com/dotnet/arcade/issues/8461
 - script: |
-    chmod +x ./eng/common/generate-sbom-prep.sh
-    ./eng/common/generate-sbom-prep.sh ${{parameters.manifestDirPath}}
-  displayName: Prep for SBOM generation in (Linux)
-  condition: eq(variables['Agent.Os'], 'Linux')
-  continueOnError: ${{ parameters.sbomContinueOnError }}
-
-- task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0
-  displayName: 'Generate SBOM manifest'
-  continueOnError: ${{ parameters.sbomContinueOnError }}
-  inputs:
-      PackageName: ${{ parameters.packageName }}
-      BuildDropPath: ${{ parameters.buildDropPath }}
-      PackageVersion: ${{ parameters.packageVersion }}
-      ManifestDirPath: ${{ parameters.manifestDirPath }}/$(ARTIFACT_NAME)
-      ${{ if ne(parameters.IgnoreDirectories, '') }}:
-        AdditionalComponentDetectorArgs: '--IgnoreDirectories ${{ parameters.IgnoreDirectories }}'
-
-- ${{ if eq(parameters.publishArtifacts, 'true')}}:
-  - template: /eng/common/core-templates/steps/publish-pipeline-artifacts.yml
-    parameters:
-      is1ESPipeline: ${{ parameters.is1ESPipeline }}
-      args:
-        displayName: Publish SBOM manifest
-        continueOnError: ${{parameters.sbomContinueOnError}}
-        targetPath: '${{ parameters.manifestDirPath }}'
-        artifactName: $(ARTIFACT_NAME)
-
+    echo "##vso[task.logissue type=warning]Including generate-sbom.yml is deprecated, SBOM generation is handled 1ES PT now. Remove this include."
+  displayName: Issue generate-sbom.yml deprecation warning
diff --git a/eng/common/core-templates/steps/source-build.yml b/eng/common/core-templates/steps/source-build.yml
index acf16ed349..40b6c4c320 100644
--- a/eng/common/core-templates/steps/source-build.yml
+++ b/eng/common/core-templates/steps/source-build.yml
@@ -62,4 +62,4 @@ steps:
       artifactName: BuildLogs_SourceBuild_${{ parameters.platform.name }}_Attempt$(System.JobAttempt)
       continueOnError: true
       condition: succeededOrFailed()
-      sbomEnabled: false  # we don't need SBOM for logs
+      isProduction: false
diff --git a/eng/common/generate-sbom-prep.ps1 b/eng/common/generate-sbom-prep.ps1
deleted file mode 100644
index a0c7d792a7..0000000000
--- a/eng/common/generate-sbom-prep.ps1
+++ /dev/null
@@ -1,29 +0,0 @@
-Param(
-    [Parameter(Mandatory=$true)][string] $ManifestDirPath    # Manifest directory where sbom will be placed
-)
-
-. $PSScriptRoot\pipeline-logging-functions.ps1
-
-# Normally - we'd listen to the manifest path given, but 1ES templates will overwrite if this level gets uploaded directly
-# with their own overwriting ours. So we create it as a sub directory of the requested manifest path.
-$ArtifactName = "${env:SYSTEM_STAGENAME}_${env:AGENT_JOBNAME}_SBOM"
-$SafeArtifactName = $ArtifactName -replace '["/:<>\\|?@*"() ]', '_'
-$SbomGenerationDir = Join-Path $ManifestDirPath $SafeArtifactName
-
-Write-Host "Artifact name before : $ArtifactName"
-Write-Host "Artifact name after : $SafeArtifactName"
-
-Write-Host "Creating dir $ManifestDirPath"
-
-# create directory for sbom manifest to be placed
-if (!(Test-Path -path $SbomGenerationDir))
-{
-  New-Item -ItemType Directory -path $SbomGenerationDir
-  Write-Host "Successfully created directory $SbomGenerationDir"
-}
-else{
-  Write-PipelineTelemetryError -category 'Build'  "Unable to create sbom folder."
-}
-
-Write-Host "Updating artifact name"
-Write-Host "##vso[task.setvariable variable=ARTIFACT_NAME]$SafeArtifactName"
diff --git a/eng/common/generate-sbom-prep.sh b/eng/common/generate-sbom-prep.sh
deleted file mode 100755
index b8ecca72bb..0000000000
--- a/eng/common/generate-sbom-prep.sh
+++ /dev/null
@@ -1,39 +0,0 @@
-#!/usr/bin/env bash
-
-source="${BASH_SOURCE[0]}"
-
-# resolve $SOURCE until the file is no longer a symlink
-while [[ -h $source ]]; do
-  scriptroot="$( cd -P "$( dirname "$source" )" && pwd )"
-  source="$(readlink "$source")"
-
-  # if $source was a relative symlink, we need to resolve it relative to the path where the
-  # symlink file was located
-  [[ $source != /* ]] && source="$scriptroot/$source"
-done
-scriptroot="$( cd -P "$( dirname "$source" )" && pwd )"
-. $scriptroot/pipeline-logging-functions.sh
-
-
-# replace all special characters with _, some builds use special characters like : in Agent.Jobname, that is not a permissible name while uploading artifacts.
-artifact_name=$SYSTEM_STAGENAME"_"$AGENT_JOBNAME"_SBOM"
-safe_artifact_name="${artifact_name//["/:<>\\|?@*$" ]/_}"
-manifest_dir=$1
-
-# Normally - we'd listen to the manifest path given, but 1ES templates will overwrite if this level gets uploaded directly
-# with their own overwriting ours. So we create it as a sub directory of the requested manifest path.
-sbom_generation_dir="$manifest_dir/$safe_artifact_name"
-
-if [ ! -d "$sbom_generation_dir" ] ; then
-  mkdir -p "$sbom_generation_dir"
-  echo "Sbom directory created." $sbom_generation_dir
-else
-  Write-PipelineTelemetryError -category 'Build'  "Unable to create sbom folder."
-fi
-
-echo "Artifact name before : "$artifact_name
-echo "Artifact name after : "$safe_artifact_name
-export ARTIFACT_NAME=$safe_artifact_name
-echo "##vso[task.setvariable variable=ARTIFACT_NAME]$safe_artifact_name"
-
-exit 0
diff --git a/eng/common/template-guidance.md b/eng/common/template-guidance.md
index 4bf4cf41bd..e2b07a865f 100644
--- a/eng/common/template-guidance.md
+++ b/eng/common/template-guidance.md
@@ -82,7 +82,6 @@ eng\common\
             publish-build-artifacts.yml      (logic)
             publish-pipeline-artifacts.yml   (logic)
             component-governance.yml         (shim)
-            generate-sbom.yml                (shim)
             publish-logs.yml                 (shim)
             retain-build.yml                 (shim)
             send-to-helix.yml                (shim)
@@ -107,7 +106,6 @@ eng\common\
             setup-maestro-vars.yml           (logic)
         steps\
             component-governance.yml         (logic)
-            generate-sbom.yml                (logic)
             publish-build-artifacts.yml      (redirect)
             publish-logs.yml                 (logic)
             publish-pipeline-artifacts.yml   (redirect)
diff --git a/eng/common/templates-official/job/job.yml b/eng/common/templates-official/job/job.yml
index 92a0664f56..fed3caaea7 100644
--- a/eng/common/templates-official/job/job.yml
+++ b/eng/common/templates-official/job/job.yml
@@ -1,24 +1,15 @@
 parameters:
-# Sbom related params
-  enableSbom: true
   runAsPublic: false
-  PackageVersion: 9.0.0
-  BuildDropPath: '$(System.DefaultWorkingDirectory)/artifacts'
+# Sbom related params, unused now and can eventually be removed
+  enableSbom: unused
+  PackageVersion: unused
+  BuildDropPath: unused
 
 jobs:
 - template: /eng/common/core-templates/job/job.yml
   parameters:
     is1ESPipeline: true
 
-    componentGovernanceSteps:
-    - ${{ if and(eq(parameters.runAsPublic, 'false'), ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest'), eq(parameters.enableSbom, 'true')) }}:
-      - template: /eng/common/templates/steps/generate-sbom.yml
-        parameters:
-          PackageVersion: ${{ parameters.packageVersion }}
-          BuildDropPath: ${{ parameters.buildDropPath }}
-          ManifestDirPath: $(Build.ArtifactStagingDirectory)/sbom
-          publishArtifacts: false
-
     # publish artifacts
     # for 1ES managed templates, use the templateContext.output to handle multiple outputs.
     templateContext:
@@ -41,7 +32,7 @@ jobs:
             continueOnError: true
             condition: always()
             retryCountOnTaskFailure: 10 # for any logs being locked
-            sbomEnabled: false  # we don't need SBOM for logs
+            isProduction: false
 
       - ${{ if eq(parameters.enablePublishBuildArtifacts, true) }}:
         - output: buildArtifacts
@@ -51,7 +42,7 @@ jobs:
           ArtifactName: ${{ coalesce(parameters.enablePublishBuildArtifacts.artifactName, '$(Agent.Os)_$(Agent.JobName)_Attempt$(System.JobAttempt)' ) }}
           continueOnError: true
           condition: always()
-          sbomEnabled: false  # we don't need SBOM for logs
+          #isProduction: false
 
       - ${{ if eq(parameters.enableBuildRetry, 'true') }}:
         - output: pipelineArtifact
@@ -59,14 +50,7 @@ jobs:
           artifactName: 'BuildConfiguration'
           displayName: 'Publish build retry configuration'
           continueOnError: true
-          sbomEnabled: false  # we don't need SBOM for BuildConfiguration
-
-      - ${{ if and(eq(parameters.runAsPublic, 'false'), ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest'), eq(parameters.enableSbom, 'true')) }}:
-        - output: pipelineArtifact
-          displayName: Publish SBOM manifest
-          continueOnError: true
-          targetPath: $(Build.ArtifactStagingDirectory)/sbom
-          artifactName: $(ARTIFACT_NAME)
+          isProduction: false
 
       # add any outputs provided via root yaml
       - ${{ if ne(parameters.templateContext.outputs, '') }}:
diff --git a/eng/common/templates-official/steps/component-governance.yml b/eng/common/templates-official/steps/component-governance.yml
deleted file mode 100644
index 30bb3985ca..0000000000
--- a/eng/common/templates-official/steps/component-governance.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-steps:
-- template: /eng/common/core-templates/steps/component-governance.yml
-  parameters:
-    is1ESPipeline: true
-
-    ${{ each parameter in parameters }}:
-      ${{ parameter.key }}: ${{ parameter.value }}
diff --git a/eng/common/templates-official/steps/publish-pipeline-artifacts.yml b/eng/common/templates-official/steps/publish-pipeline-artifacts.yml
index 172f9f0fdc..6a652ae1cf 100644
--- a/eng/common/templates-official/steps/publish-pipeline-artifacts.yml
+++ b/eng/common/templates-official/steps/publish-pipeline-artifacts.yml
@@ -26,3 +26,5 @@ steps:
       properties: ${{ parameters.args.properties }}
     ${{ if parameters.args.sbomEnabled }}:
       sbomEnabled: ${{ parameters.args.sbomEnabled }}
+    ${{ if parameters.args.isProduction }}:
+      isProduction: ${{ parameters.args.isProduction }}
diff --git a/eng/common/templates/job/job.yml b/eng/common/templates/job/job.yml
index 238fa0818f..d1b2352798 100644
--- a/eng/common/templates/job/job.yml
+++ b/eng/common/templates/job/job.yml
@@ -1,12 +1,12 @@
 parameters: 
   enablePublishBuildArtifacts: false
-  disableComponentGovernance: ''
-  componentGovernanceIgnoreDirectories: ''
-# Sbom related params
-  enableSbom: true
   runAsPublic: false
-  PackageVersion: 9.0.0
-  BuildDropPath: '$(System.DefaultWorkingDirectory)/artifacts'
+# CG related params, unused now and can eventually be removed
+  disableComponentGovernance: unused
+# Sbom related params, unused now and can eventually be removed
+  enableSbom: unused
+  PackageVersion: unused
+  BuildDropPath: unused
 
 jobs:
 - template: /eng/common/core-templates/job/job.yml
@@ -21,17 +21,10 @@ jobs:
     - ${{ each step in parameters.steps }}:
       - ${{ step }}
 
-    componentGovernanceSteps:
-    - template: /eng/common/templates/steps/component-governance.yml
-      parameters:
-        ${{ if eq(parameters.disableComponentGovernance, '') }}:
-          ${{ if and(ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest'), eq(parameters.runAsPublic, 'false'), or(startsWith(variables['Build.SourceBranch'], 'refs/heads/release/'), startsWith(variables['Build.SourceBranch'], 'refs/heads/dotnet/'), startsWith(variables['Build.SourceBranch'], 'refs/heads/microsoft/'), eq(variables['Build.SourceBranch'], 'refs/heads/main'))) }}:
-            disableComponentGovernance: false
-          ${{ else }}:
-            disableComponentGovernance: true
-        ${{ else }}:
-          disableComponentGovernance: ${{ parameters.disableComponentGovernance }}
-        componentGovernanceIgnoreDirectories: ${{ parameters.componentGovernanceIgnoreDirectories }}
+    # we don't run CG in public
+    - ${{ if eq(variables['System.TeamProject'], 'public') }}:
+      - script: echo "##vso[task.setvariable variable=skipComponentGovernanceDetection]true"
+        displayName: Set skipComponentGovernanceDetection variable
 
     artifactPublishSteps:
     - ${{ if ne(parameters.artifacts.publish, '') }}:
@@ -58,7 +51,7 @@ jobs:
               continueOnError: true
               condition: always()
               retryCountOnTaskFailure: 10 # for any logs being locked
-              sbomEnabled: false  # we don't need SBOM for logs
+              isProduction: false
 
     - ${{ if ne(parameters.enablePublishBuildArtifacts, 'false') }}:
       - template: /eng/common/core-templates/steps/publish-build-artifacts.yml
@@ -81,4 +74,4 @@ jobs:
             artifactName: 'BuildConfiguration'
             displayName: 'Publish build retry configuration'
             continueOnError: true
-            sbomEnabled: false  # we don't need SBOM for BuildConfiguration
+            isProduction: false
diff --git a/eng/common/templates/steps/component-governance.yml b/eng/common/templates/steps/component-governance.yml
deleted file mode 100644
index c12a5f8d21..0000000000
--- a/eng/common/templates/steps/component-governance.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-steps:
-- template: /eng/common/core-templates/steps/component-governance.yml
-  parameters:
-    is1ESPipeline: false
-
-    ${{ each parameter in parameters }}:
-      ${{ parameter.key }}: ${{ parameter.value }}
diff --git a/global.json b/global.json
index d41c5c3830..c621d71335 100644
--- a/global.json
+++ b/global.json
@@ -13,6 +13,6 @@
     }
   },
   "msbuild-sdks": {
-    "Microsoft.DotNet.Arcade.Sdk": "11.0.0-beta.25568.110"
+    "Microsoft.DotNet.Arcade.Sdk": "11.0.0-beta.25569.110"
   }
 }

From e543d8ba01d9a110a7719bca025947f5a7511f4c Mon Sep 17 00:00:00 2001
From: "dotnet-maestro[bot]" <dotnet-maestro[bot]@users.noreply.github.com>
Date: Fri, 21 Nov 2025 02:09:02 +0000
Subject: [PATCH 4/4] Update dependencies from https://github.com/dotnet/dotnet
 build 291616 Updated Dependencies: Microsoft.DotNet.Arcade.Sdk (Version
 11.0.0-beta.25569.110 -> 11.0.0-beta.25570.101)

---
 eng/Version.Details.props                     |  2 +-
 eng/Version.Details.xml                       |  6 +-
 eng/common/core-templates/job/job.yml         |  4 ++
 .../job/publish-build-assets.yml              |  7 ++-
 .../core-templates/job/source-build.yml       |  2 +-
 .../core-templates/post-build/post-build.yml  |  3 +-
 .../steps/component-governance.yml            | 16 +++++
 .../core-templates/steps/generate-sbom.yml    | 60 +++++++++++++++----
 .../core-templates/steps/source-build.yml     |  2 +-
 eng/common/generate-sbom-prep.ps1             | 29 +++++++++
 eng/common/generate-sbom-prep.sh              | 39 ++++++++++++
 eng/common/template-guidance.md               |  2 +
 eng/common/templates-official/job/job.yml     | 30 +++++++---
 .../steps/component-governance.yml            |  7 +++
 .../steps/publish-pipeline-artifacts.yml      |  2 -
 eng/common/templates/job/job.yml              | 31 ++++++----
 .../templates/steps/component-governance.yml  |  7 +++
 global.json                                   |  2 +-
 18 files changed, 209 insertions(+), 42 deletions(-)
 create mode 100644 eng/common/core-templates/steps/component-governance.yml
 create mode 100644 eng/common/generate-sbom-prep.ps1
 create mode 100644 eng/common/generate-sbom-prep.sh
 create mode 100644 eng/common/templates-official/steps/component-governance.yml
 create mode 100644 eng/common/templates/steps/component-governance.yml

diff --git a/eng/Version.Details.props b/eng/Version.Details.props
index 1d110f99fa..94e02d1d7f 100644
--- a/eng/Version.Details.props
+++ b/eng/Version.Details.props
@@ -6,7 +6,7 @@ This file should be imported by eng/Versions.props
 <Project>
   <PropertyGroup>
     <!-- dotnet/dotnet dependencies -->
-    <MicrosoftDotNetArcadeSdkPackageVersion>11.0.0-beta.25569.110</MicrosoftDotNetArcadeSdkPackageVersion>
+    <MicrosoftDotNetArcadeSdkPackageVersion>11.0.0-beta.25570.101</MicrosoftDotNetArcadeSdkPackageVersion>
   </PropertyGroup>
   <!--Property group for alternate package version names-->
   <PropertyGroup>
diff --git a/eng/Version.Details.xml b/eng/Version.Details.xml
index 571d754e2a..7ceea5ebcf 100644
--- a/eng/Version.Details.xml
+++ b/eng/Version.Details.xml
@@ -1,12 +1,12 @@
 <?xml version="1.0" encoding="utf-8"?>
 <Dependencies>
-  <Source Uri="https://github.com/dotnet/dotnet" Mapping="command-line-api" Sha="ea77dd1498eeaae360c4309d07ccd68c8936fe48" BarId="291548" />
+  <Source Uri="https://github.com/dotnet/dotnet" Mapping="command-line-api" Sha="e9a2ab63ad60de1afff34ddc3f09257093ea034a" BarId="291616" />
   <ProductDependencies>
   </ProductDependencies>
   <ToolsetDependencies>
-    <Dependency Name="Microsoft.DotNet.Arcade.Sdk" Version="11.0.0-beta.25569.110">
+    <Dependency Name="Microsoft.DotNet.Arcade.Sdk" Version="11.0.0-beta.25570.101">
       <Uri>https://github.com/dotnet/dotnet</Uri>
-      <Sha>ea77dd1498eeaae360c4309d07ccd68c8936fe48</Sha>
+      <Sha>e9a2ab63ad60de1afff34ddc3f09257093ea034a</Sha>
     </Dependency>
   </ToolsetDependencies>
 </Dependencies>
diff --git a/eng/common/core-templates/job/job.yml b/eng/common/core-templates/job/job.yml
index 3921b407bc..cb4ccc023a 100644
--- a/eng/common/core-templates/job/job.yml
+++ b/eng/common/core-templates/job/job.yml
@@ -31,6 +31,7 @@ parameters:
   testRunTitle: ''
   testResultsFormat: ''
   name: ''
+  componentGovernanceSteps: []
   preSteps: []
   artifactPublishSteps: []
   runAsPublic: false
@@ -149,6 +150,9 @@ jobs:
   - ${{ each step in parameters.steps }}:
     - ${{ step }}
 
+  - ${{ each step in parameters.componentGovernanceSteps }}:
+    - ${{ step }}
+
   - ${{ if and(eq(parameters.runAsPublic, 'false'), ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest')) }}:
     - template: /eng/common/core-templates/steps/cleanup-microbuild.yml
       parameters:
diff --git a/eng/common/core-templates/job/publish-build-assets.yml b/eng/common/core-templates/job/publish-build-assets.yml
index a23657cd71..8b5c635fe8 100644
--- a/eng/common/core-templates/job/publish-build-assets.yml
+++ b/eng/common/core-templates/job/publish-build-assets.yml
@@ -122,8 +122,9 @@ jobs:
 
     # Populate internal runtime variables.
     - template: /eng/common/templates/steps/enable-internal-sources.yml
-      parameters:
-        legacyCredential: $(dn-bot-dnceng-artifact-feeds-rw)
+      ${{ if eq(variables['System.TeamProject'], 'DevDiv') }}:
+        parameters:
+            legacyCredential: $(dn-bot-dnceng-artifact-feeds-rw)
 
     - template: /eng/common/templates/steps/enable-internal-runtimes.yml
 
@@ -172,7 +173,7 @@ jobs:
             artifactName: AssetManifests
             displayName: 'Publish Merged Manifest'
             retryCountOnTaskFailure: 10 # for any logs being locked
-            isProduction: false
+            sbomEnabled: false # we don't need SBOM for logs
 
     - template: /eng/common/core-templates/steps/publish-build-artifacts.yml
       parameters:
diff --git a/eng/common/core-templates/job/source-build.yml b/eng/common/core-templates/job/source-build.yml
index d805d5faeb..9f6b3ee9e4 100644
--- a/eng/common/core-templates/job/source-build.yml
+++ b/eng/common/core-templates/job/source-build.yml
@@ -60,7 +60,7 @@ jobs:
       pool:
         ${{ if eq(variables['System.TeamProject'], 'public') }}:
           name: $[replace(replace(eq(contains(coalesce(variables['System.PullRequest.TargetBranch'], variables['Build.SourceBranch'], 'refs/heads/main'), 'release'), 'true'), True, 'NetCore-Svc-Public' ), False, 'NetCore-Public')]
-          demands: ImageOverride -equals build.ubuntu.2004.amd64
+          demands: ImageOverride -equals build.ubuntu.2204.amd64
         ${{ if eq(variables['System.TeamProject'], 'internal') }}:
           name: $[replace(replace(eq(contains(coalesce(variables['System.PullRequest.TargetBranch'], variables['Build.SourceBranch'], 'refs/heads/main'), 'release'), 'true'), True, 'NetCore1ESPool-Svc-Internal'), False, 'NetCore1ESPool-Internal')]
           image: 1es-mariner-2
diff --git a/eng/common/core-templates/post-build/post-build.yml b/eng/common/core-templates/post-build/post-build.yml
index 27763a825b..6f0929c039 100644
--- a/eng/common/core-templates/post-build/post-build.yml
+++ b/eng/common/core-templates/post-build/post-build.yml
@@ -305,8 +305,9 @@ stages:
           PromoteToChannelIds: ${{ parameters.PromoteToChannelIds }}
           is1ESPipeline: ${{ parameters.is1ESPipeline }}
 
-      - task: NuGetAuthenticate@1 # Populate internal runtime variables.
+      - task: NuGetAuthenticate@1
 
+      # Populate internal runtime variables.
       - template: /eng/common/templates/steps/enable-internal-sources.yml
         parameters:
           legacyCredential: $(dn-bot-dnceng-artifact-feeds-rw)
diff --git a/eng/common/core-templates/steps/component-governance.yml b/eng/common/core-templates/steps/component-governance.yml
new file mode 100644
index 0000000000..cf0649aa95
--- /dev/null
+++ b/eng/common/core-templates/steps/component-governance.yml
@@ -0,0 +1,16 @@
+parameters:
+  disableComponentGovernance: false
+  componentGovernanceIgnoreDirectories: ''
+  is1ESPipeline: false
+  displayName: 'Component Detection'
+
+steps:
+- ${{ if eq(parameters.disableComponentGovernance, 'true') }}:
+  - script: echo "##vso[task.setvariable variable=skipComponentGovernanceDetection]true"
+    displayName: Set skipComponentGovernanceDetection variable
+- ${{ if ne(parameters.disableComponentGovernance, 'true') }}:
+  - task: ComponentGovernanceComponentDetection@0
+    continueOnError: true
+    displayName: ${{ parameters.displayName }}
+    inputs:
+      ignoreDirectories: ${{ parameters.componentGovernanceIgnoreDirectories }}
diff --git a/eng/common/core-templates/steps/generate-sbom.yml b/eng/common/core-templates/steps/generate-sbom.yml
index aad0a8aeda..003f7eae0f 100644
--- a/eng/common/core-templates/steps/generate-sbom.yml
+++ b/eng/common/core-templates/steps/generate-sbom.yml
@@ -1,14 +1,54 @@
+# BuildDropPath - The root folder of the drop directory for which the manifest file will be generated.
+# PackageName - The name of the package this SBOM represents.
+# PackageVersion - The version of the package this SBOM represents. 
+# ManifestDirPath - The path of the directory where the generated manifest files will be placed
+# IgnoreDirectories - Directories to ignore for SBOM generation. This will be passed through to the CG component detector.
+
 parameters:
-  PackageVersion: unused
-  BuildDropPath: unused
-  PackageName: unused
-  ManifestDirPath: unused
-  IgnoreDirectories: unused
-  sbomContinueOnError: unused
-  is1ESPipeline: unused
-  publishArtifacts: unused
+  PackageVersion: 11.0.0
+  BuildDropPath: '$(System.DefaultWorkingDirectory)/artifacts'
+  PackageName: '.NET'
+  ManifestDirPath: $(Build.ArtifactStagingDirectory)/sbom
+  IgnoreDirectories: ''
+  sbomContinueOnError: true
+  is1ESPipeline: false
+  # disable publishArtifacts if some other step is publishing the artifacts (like job.yml).
+  publishArtifacts: true
 
 steps:
+- task: PowerShell@2 
+  displayName: Prep for SBOM generation in (Non-linux)
+  condition: or(eq(variables['Agent.Os'], 'Windows_NT'), eq(variables['Agent.Os'], 'Darwin'))
+  inputs: 
+    filePath: ./eng/common/generate-sbom-prep.ps1
+    arguments: ${{parameters.manifestDirPath}}
+
+# Chmodding is a workaround for https://github.com/dotnet/arcade/issues/8461
 - script: |
-    echo "##vso[task.logissue type=warning]Including generate-sbom.yml is deprecated, SBOM generation is handled 1ES PT now. Remove this include."
-  displayName: Issue generate-sbom.yml deprecation warning
+    chmod +x ./eng/common/generate-sbom-prep.sh
+    ./eng/common/generate-sbom-prep.sh ${{parameters.manifestDirPath}}
+  displayName: Prep for SBOM generation in (Linux)
+  condition: eq(variables['Agent.Os'], 'Linux')
+  continueOnError: ${{ parameters.sbomContinueOnError }}
+
+- task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0
+  displayName: 'Generate SBOM manifest'
+  continueOnError: ${{ parameters.sbomContinueOnError }}
+  inputs:
+      PackageName: ${{ parameters.packageName }}
+      BuildDropPath: ${{ parameters.buildDropPath }}
+      PackageVersion: ${{ parameters.packageVersion }}
+      ManifestDirPath: ${{ parameters.manifestDirPath }}/$(ARTIFACT_NAME)
+      ${{ if ne(parameters.IgnoreDirectories, '') }}:
+        AdditionalComponentDetectorArgs: '--IgnoreDirectories ${{ parameters.IgnoreDirectories }}'
+
+- ${{ if eq(parameters.publishArtifacts, 'true')}}:
+  - template: /eng/common/core-templates/steps/publish-pipeline-artifacts.yml
+    parameters:
+      is1ESPipeline: ${{ parameters.is1ESPipeline }}
+      args:
+        displayName: Publish SBOM manifest
+        continueOnError: ${{parameters.sbomContinueOnError}}
+        targetPath: '${{ parameters.manifestDirPath }}'
+        artifactName: $(ARTIFACT_NAME)
+
diff --git a/eng/common/core-templates/steps/source-build.yml b/eng/common/core-templates/steps/source-build.yml
index 40b6c4c320..acf16ed349 100644
--- a/eng/common/core-templates/steps/source-build.yml
+++ b/eng/common/core-templates/steps/source-build.yml
@@ -62,4 +62,4 @@ steps:
       artifactName: BuildLogs_SourceBuild_${{ parameters.platform.name }}_Attempt$(System.JobAttempt)
       continueOnError: true
       condition: succeededOrFailed()
-      isProduction: false
+      sbomEnabled: false  # we don't need SBOM for logs
diff --git a/eng/common/generate-sbom-prep.ps1 b/eng/common/generate-sbom-prep.ps1
new file mode 100644
index 0000000000..a0c7d792a7
--- /dev/null
+++ b/eng/common/generate-sbom-prep.ps1
@@ -0,0 +1,29 @@
+Param(
+    [Parameter(Mandatory=$true)][string] $ManifestDirPath    # Manifest directory where sbom will be placed
+)
+
+. $PSScriptRoot\pipeline-logging-functions.ps1
+
+# Normally - we'd listen to the manifest path given, but 1ES templates will overwrite if this level gets uploaded directly
+# with their own overwriting ours. So we create it as a sub directory of the requested manifest path.
+$ArtifactName = "${env:SYSTEM_STAGENAME}_${env:AGENT_JOBNAME}_SBOM"
+$SafeArtifactName = $ArtifactName -replace '["/:<>\\|?@*"() ]', '_'
+$SbomGenerationDir = Join-Path $ManifestDirPath $SafeArtifactName
+
+Write-Host "Artifact name before : $ArtifactName"
+Write-Host "Artifact name after : $SafeArtifactName"
+
+Write-Host "Creating dir $ManifestDirPath"
+
+# create directory for sbom manifest to be placed
+if (!(Test-Path -path $SbomGenerationDir))
+{
+  New-Item -ItemType Directory -path $SbomGenerationDir
+  Write-Host "Successfully created directory $SbomGenerationDir"
+}
+else{
+  Write-PipelineTelemetryError -category 'Build'  "Unable to create sbom folder."
+}
+
+Write-Host "Updating artifact name"
+Write-Host "##vso[task.setvariable variable=ARTIFACT_NAME]$SafeArtifactName"
diff --git a/eng/common/generate-sbom-prep.sh b/eng/common/generate-sbom-prep.sh
new file mode 100644
index 0000000000..b8ecca72bb
--- /dev/null
+++ b/eng/common/generate-sbom-prep.sh
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+
+source="${BASH_SOURCE[0]}"
+
+# resolve $SOURCE until the file is no longer a symlink
+while [[ -h $source ]]; do
+  scriptroot="$( cd -P "$( dirname "$source" )" && pwd )"
+  source="$(readlink "$source")"
+
+  # if $source was a relative symlink, we need to resolve it relative to the path where the
+  # symlink file was located
+  [[ $source != /* ]] && source="$scriptroot/$source"
+done
+scriptroot="$( cd -P "$( dirname "$source" )" && pwd )"
+. $scriptroot/pipeline-logging-functions.sh
+
+
+# replace all special characters with _, some builds use special characters like : in Agent.Jobname, that is not a permissible name while uploading artifacts.
+artifact_name=$SYSTEM_STAGENAME"_"$AGENT_JOBNAME"_SBOM"
+safe_artifact_name="${artifact_name//["/:<>\\|?@*$" ]/_}"
+manifest_dir=$1
+
+# Normally - we'd listen to the manifest path given, but 1ES templates will overwrite if this level gets uploaded directly
+# with their own overwriting ours. So we create it as a sub directory of the requested manifest path.
+sbom_generation_dir="$manifest_dir/$safe_artifact_name"
+
+if [ ! -d "$sbom_generation_dir" ] ; then
+  mkdir -p "$sbom_generation_dir"
+  echo "Sbom directory created." $sbom_generation_dir
+else
+  Write-PipelineTelemetryError -category 'Build'  "Unable to create sbom folder."
+fi
+
+echo "Artifact name before : "$artifact_name
+echo "Artifact name after : "$safe_artifact_name
+export ARTIFACT_NAME=$safe_artifact_name
+echo "##vso[task.setvariable variable=ARTIFACT_NAME]$safe_artifact_name"
+
+exit 0
diff --git a/eng/common/template-guidance.md b/eng/common/template-guidance.md
index e2b07a865f..4bf4cf41bd 100644
--- a/eng/common/template-guidance.md
+++ b/eng/common/template-guidance.md
@@ -82,6 +82,7 @@ eng\common\
             publish-build-artifacts.yml      (logic)
             publish-pipeline-artifacts.yml   (logic)
             component-governance.yml         (shim)
+            generate-sbom.yml                (shim)
             publish-logs.yml                 (shim)
             retain-build.yml                 (shim)
             send-to-helix.yml                (shim)
@@ -106,6 +107,7 @@ eng\common\
             setup-maestro-vars.yml           (logic)
         steps\
             component-governance.yml         (logic)
+            generate-sbom.yml                (logic)
             publish-build-artifacts.yml      (redirect)
             publish-logs.yml                 (logic)
             publish-pipeline-artifacts.yml   (redirect)
diff --git a/eng/common/templates-official/job/job.yml b/eng/common/templates-official/job/job.yml
index fed3caaea7..92a0664f56 100644
--- a/eng/common/templates-official/job/job.yml
+++ b/eng/common/templates-official/job/job.yml
@@ -1,15 +1,24 @@
 parameters:
+# Sbom related params
+  enableSbom: true
   runAsPublic: false
-# Sbom related params, unused now and can eventually be removed
-  enableSbom: unused
-  PackageVersion: unused
-  BuildDropPath: unused
+  PackageVersion: 9.0.0
+  BuildDropPath: '$(System.DefaultWorkingDirectory)/artifacts'
 
 jobs:
 - template: /eng/common/core-templates/job/job.yml
   parameters:
     is1ESPipeline: true
 
+    componentGovernanceSteps:
+    - ${{ if and(eq(parameters.runAsPublic, 'false'), ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest'), eq(parameters.enableSbom, 'true')) }}:
+      - template: /eng/common/templates/steps/generate-sbom.yml
+        parameters:
+          PackageVersion: ${{ parameters.packageVersion }}
+          BuildDropPath: ${{ parameters.buildDropPath }}
+          ManifestDirPath: $(Build.ArtifactStagingDirectory)/sbom
+          publishArtifacts: false
+
     # publish artifacts
     # for 1ES managed templates, use the templateContext.output to handle multiple outputs.
     templateContext:
@@ -32,7 +41,7 @@ jobs:
             continueOnError: true
             condition: always()
             retryCountOnTaskFailure: 10 # for any logs being locked
-            isProduction: false
+            sbomEnabled: false  # we don't need SBOM for logs
 
       - ${{ if eq(parameters.enablePublishBuildArtifacts, true) }}:
         - output: buildArtifacts
@@ -42,7 +51,7 @@ jobs:
           ArtifactName: ${{ coalesce(parameters.enablePublishBuildArtifacts.artifactName, '$(Agent.Os)_$(Agent.JobName)_Attempt$(System.JobAttempt)' ) }}
           continueOnError: true
           condition: always()
-          #isProduction: false
+          sbomEnabled: false  # we don't need SBOM for logs
 
       - ${{ if eq(parameters.enableBuildRetry, 'true') }}:
         - output: pipelineArtifact
@@ -50,7 +59,14 @@ jobs:
           artifactName: 'BuildConfiguration'
           displayName: 'Publish build retry configuration'
           continueOnError: true
-          isProduction: false
+          sbomEnabled: false  # we don't need SBOM for BuildConfiguration
+
+      - ${{ if and(eq(parameters.runAsPublic, 'false'), ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest'), eq(parameters.enableSbom, 'true')) }}:
+        - output: pipelineArtifact
+          displayName: Publish SBOM manifest
+          continueOnError: true
+          targetPath: $(Build.ArtifactStagingDirectory)/sbom
+          artifactName: $(ARTIFACT_NAME)
 
       # add any outputs provided via root yaml
       - ${{ if ne(parameters.templateContext.outputs, '') }}:
diff --git a/eng/common/templates-official/steps/component-governance.yml b/eng/common/templates-official/steps/component-governance.yml
new file mode 100644
index 0000000000..30bb3985ca
--- /dev/null
+++ b/eng/common/templates-official/steps/component-governance.yml
@@ -0,0 +1,7 @@
+steps:
+- template: /eng/common/core-templates/steps/component-governance.yml
+  parameters:
+    is1ESPipeline: true
+
+    ${{ each parameter in parameters }}:
+      ${{ parameter.key }}: ${{ parameter.value }}
diff --git a/eng/common/templates-official/steps/publish-pipeline-artifacts.yml b/eng/common/templates-official/steps/publish-pipeline-artifacts.yml
index 6a652ae1cf..172f9f0fdc 100644
--- a/eng/common/templates-official/steps/publish-pipeline-artifacts.yml
+++ b/eng/common/templates-official/steps/publish-pipeline-artifacts.yml
@@ -26,5 +26,3 @@ steps:
       properties: ${{ parameters.args.properties }}
     ${{ if parameters.args.sbomEnabled }}:
       sbomEnabled: ${{ parameters.args.sbomEnabled }}
-    ${{ if parameters.args.isProduction }}:
-      isProduction: ${{ parameters.args.isProduction }}
diff --git a/eng/common/templates/job/job.yml b/eng/common/templates/job/job.yml
index d1b2352798..238fa0818f 100644
--- a/eng/common/templates/job/job.yml
+++ b/eng/common/templates/job/job.yml
@@ -1,12 +1,12 @@
 parameters: 
   enablePublishBuildArtifacts: false
+  disableComponentGovernance: ''
+  componentGovernanceIgnoreDirectories: ''
+# Sbom related params
+  enableSbom: true
   runAsPublic: false
-# CG related params, unused now and can eventually be removed
-  disableComponentGovernance: unused
-# Sbom related params, unused now and can eventually be removed
-  enableSbom: unused
-  PackageVersion: unused
-  BuildDropPath: unused
+  PackageVersion: 9.0.0
+  BuildDropPath: '$(System.DefaultWorkingDirectory)/artifacts'
 
 jobs:
 - template: /eng/common/core-templates/job/job.yml
@@ -21,10 +21,17 @@ jobs:
     - ${{ each step in parameters.steps }}:
       - ${{ step }}
 
-    # we don't run CG in public
-    - ${{ if eq(variables['System.TeamProject'], 'public') }}:
-      - script: echo "##vso[task.setvariable variable=skipComponentGovernanceDetection]true"
-        displayName: Set skipComponentGovernanceDetection variable
+    componentGovernanceSteps:
+    - template: /eng/common/templates/steps/component-governance.yml
+      parameters:
+        ${{ if eq(parameters.disableComponentGovernance, '') }}:
+          ${{ if and(ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest'), eq(parameters.runAsPublic, 'false'), or(startsWith(variables['Build.SourceBranch'], 'refs/heads/release/'), startsWith(variables['Build.SourceBranch'], 'refs/heads/dotnet/'), startsWith(variables['Build.SourceBranch'], 'refs/heads/microsoft/'), eq(variables['Build.SourceBranch'], 'refs/heads/main'))) }}:
+            disableComponentGovernance: false
+          ${{ else }}:
+            disableComponentGovernance: true
+        ${{ else }}:
+          disableComponentGovernance: ${{ parameters.disableComponentGovernance }}
+        componentGovernanceIgnoreDirectories: ${{ parameters.componentGovernanceIgnoreDirectories }}
 
     artifactPublishSteps:
     - ${{ if ne(parameters.artifacts.publish, '') }}:
@@ -51,7 +58,7 @@ jobs:
               continueOnError: true
               condition: always()
               retryCountOnTaskFailure: 10 # for any logs being locked
-              isProduction: false
+              sbomEnabled: false  # we don't need SBOM for logs
 
     - ${{ if ne(parameters.enablePublishBuildArtifacts, 'false') }}:
       - template: /eng/common/core-templates/steps/publish-build-artifacts.yml
@@ -74,4 +81,4 @@ jobs:
             artifactName: 'BuildConfiguration'
             displayName: 'Publish build retry configuration'
             continueOnError: true
-            isProduction: false
+            sbomEnabled: false  # we don't need SBOM for BuildConfiguration
diff --git a/eng/common/templates/steps/component-governance.yml b/eng/common/templates/steps/component-governance.yml
new file mode 100644
index 0000000000..c12a5f8d21
--- /dev/null
+++ b/eng/common/templates/steps/component-governance.yml
@@ -0,0 +1,7 @@
+steps:
+- template: /eng/common/core-templates/steps/component-governance.yml
+  parameters:
+    is1ESPipeline: false
+
+    ${{ each parameter in parameters }}:
+      ${{ parameter.key }}: ${{ parameter.value }}
diff --git a/global.json b/global.json
index c621d71335..86892d7174 100644
--- a/global.json
+++ b/global.json
@@ -13,6 +13,6 @@
     }
   },
   "msbuild-sdks": {
-    "Microsoft.DotNet.Arcade.Sdk": "11.0.0-beta.25569.110"
+    "Microsoft.DotNet.Arcade.Sdk": "11.0.0-beta.25570.101"
   }
 }