Add pipauth to more ADO pipelines and enable CSV (#22612)

### Description
1. Add pipauth to more ADO pipeline. (We will use a private ADO feed to
fetch python packages in these pipeline, to improve security)
2. Enforce codeSignValidation(CSV).

### Motivation and Context
Fulfill some internal compliance requirements.

tools/ci_build/github/azure-pipelines/nuget-windows-ai.yml

@@ -19,6 +19,9 @@ extends:
     sdl:
       tsa:
         enabled: true
+      codeSignValidation:
+        enabled: true
+        break: true
       policheck:
         enabled: true
         exclusionsFile: '$(Build.SourcesDirectory)\tools\ci_build\policheck_exclusions.xml'

tools/ci_build/github/azure-pipelines/py-cuda-alt-packaging-pipeline.yml

@@ -28,7 +28,15 @@ extends:
   # For productions pipelines, use "Official".
   template: v1/1ES.Official.PipelineTemplate.yml@1esPipelines
   parameters:
-    # Update the pool with your team's 1ES hosted pool.
+    sdl:
+      tsa:
+        enabled: true
+      codeSignValidation:
+        enabled: true
+        break: true
+      policheck:
+        enabled: true
+        exclusionsFile: '$(Build.SourcesDirectory)\tools\ci_build\policheck_exclusions.xml'
     pool:
       name: 'onnxruntime-Win-CPU-2022'  # Name of your hosted pool
       os: windows  # OS of the image. This value cannot be a variable. Allowed values: windows, linux, macOS

tools/ci_build/github/azure-pipelines/py-cuda-packaging-pipeline.yml

@@ -30,7 +30,15 @@ extends:
   # For productions pipelines, use "Official".
   template: v1/1ES.Official.PipelineTemplate.yml@1esPipelines
   parameters:
-    # Update the pool with your team's 1ES hosted pool.
+    sdl:
+      tsa:
+        enabled: true
+      codeSignValidation:
+        enabled: true
+        break: true
+      policheck:
+        enabled: true
+        exclusionsFile: '$(Build.SourcesDirectory)\tools\ci_build\policheck_exclusions.xml'
     pool:
       name: 'onnxruntime-Win-CPU-2022'  # Name of your hosted pool
       os: windows  # OS of the image. This value cannot be a variable. Allowed values: windows, linux, macOS

tools/ci_build/github/azure-pipelines/py-dml-packaging-pipeline.yml

@@ -20,7 +20,16 @@ extends:
   # For productions pipelines, use "Official".
   template: v1/1ES.Official.PipelineTemplate.yml@1esPipelines
   parameters:
-    # Update the pool with your team's 1ES hosted pool.
+    sdl:
+      tsa:
+        enabled: true
+      codeSignValidation:
+        enabled: true
+        break: true
+      policheck:
+        enabled: true
+        exclusionsFile: '$(Build.SourcesDirectory)\tools\ci_build\policheck_exclusions.xml'
+
     pool:
       name: 'onnxruntime-Win-CPU-2022'  # Name of your hosted pool
       os: windows  # OS of the image. This value cannot be a variable. Allowed values: windows, linux, macOS

tools/ci_build/github/azure-pipelines/stages/py-win-gpu-stage.yml

@@ -85,6 +85,12 @@ stages:
               addToPath: true
               architecture: 'x64'
 
+          - task: PipAuthenticate@1
+            displayName: 'Pip Authenticate'
+            inputs:
+              artifactFeeds: 'Lotus'
+
+
           - template: ../templates/download-deps.yml
 
           - ${{ if ne(parameters.ENV_SETUP_SCRIPT, '') }}:

tools/ci_build/github/azure-pipelines/templates/py-win-arm64-qnn.yml

@@ -59,6 +59,11 @@ jobs:
           addToPath: true
           architecture: 'arm64'
 
+      - task: PipAuthenticate@1
+        displayName: 'Pip Authenticate'
+        inputs:
+          artifactFeeds: 'Lotus'
+
       - task: onebranch.pipeline.tsaoptions@1
         displayName: 'OneBranch TSAOptions'
         inputs:

tools/ci_build/github/azure-pipelines/templates/py-win-arm64ec-qnn.yml

@@ -50,6 +50,11 @@ jobs:
           addToPath: true
           architecture: 'x64'
 
+      - task: PipAuthenticate@1
+        displayName: 'Pip Authenticate'
+        inputs:
+          artifactFeeds: 'Lotus'
+
       - task: onebranch.pipeline.tsaoptions@1
         displayName: 'OneBranch TSAOptions'
         inputs:

tools/ci_build/github/azure-pipelines/templates/py-win-x64-qnn.yml

@@ -50,6 +50,11 @@ jobs:
           addToPath: true
           architecture: 'x64'
 
+      - task: PipAuthenticate@1
+        displayName: 'Pip Authenticate'
+        inputs:
+          artifactFeeds: 'Lotus'
+
       - task: onebranch.pipeline.tsaoptions@1
         displayName: 'OneBranch TSAOptions'
         inputs:

tools/ci_build/github/azure-pipelines/templates/win-ci.yml

@@ -118,8 +118,19 @@ stages:
         clean: true
         submodules: none
 
+      - task: UsePythonVersion@0
+        inputs:
+          versionSpec: '3.12'
+          addToPath: true
+          architecture: ${{ parameters.buildArch }}
+
       - template: telemetry-steps.yml
 
+      - task: PipAuthenticate@1
+        displayName: 'Pip Authenticate'
+        inputs:
+          artifactFeeds: 'Lotus'
+
       - ${{ if eq(parameters['buildJava'], 'true') }}:
         - task: JavaToolInstaller@0
           inputs:
@@ -127,11 +138,6 @@ stages:
             jdkArchitectureOption: ${{ parameters.buildArch }}
             jdkSourceOption: 'PreInstalled'
 
-      - task: UsePythonVersion@0
-        inputs:
-          versionSpec: '3.12'
-          addToPath: true
-          architecture: ${{ parameters.buildArch }}
 
       - task: NodeTool@0
         condition: and(succeeded(), eq('${{ parameters.buildNodejs}}', true))
@@ -364,6 +370,11 @@ stages:
             addToPath: true
             architecture: ${{ parameters.buildArch }}
 
+        - task: PipAuthenticate@1
+          displayName: 'Pip Authenticate'
+          inputs:
+            artifactFeeds: 'Lotus'
+
         - task: NodeTool@0
           condition: and(succeeded(), eq('${{ parameters.buildNodejs}}', true))
           inputs:

tools/ci_build/github/azure-pipelines/templates/windowsai-steps.yml

@@ -32,7 +32,7 @@ jobs:
     - task: PipAuthenticate@1
       displayName: 'Pip Authenticate'
       inputs:
-        artifactFeeds: 'PublicPackages/ORT-Nightly'
+        artifactFeeds: 'Lotus'
 
     - template: telemetry-steps.yml
 
@@ -87,10 +87,8 @@ jobs:
 
     # must call vsdevcmd first to add cmake to PATH
     - script: |
-        curl -O -L https://github.com/Kitware/CMake/releases/download/v3.28.3/cmake-3.28.3-windows-x86_64.zip
-        7z x cmake-3.28.3-windows-x86_64.zip
         python --version
-        python "$(Build.SourcesDirectory)\tools\ci_build\build.py" --build_dir $(Build.BinariesDirectory) --parallel --use_binskim_compliant_compile_flags --build_shared_lib --enable_onnx_tests --ms_experimental --use_dml --use_winml --cmake_generator "Visual Studio 17 2022" --update --config RelWithDebInfo --enable_lto --use_telemetry --disable_rtti --enable_wcos --windows_sdk_version "10.0.22621.0" $(BuildFlags) --cmake_extra_defines "CMAKE_EXE_LINKER_FLAGS_RELWITHDEBINFO=/PROFILE" "CMAKE_SHARED_LINKER_FLAGS_RELWITHDEBINFO=/PROFILE"  --cmake_path $(Build.BinariesDirectory)\cmake-3.28.3-windows-x86_64\bin\cmake.exe --ctest_path $(Build.BinariesDirectory)\cmake-3.28.3-windows-x86_64\bin\ctest.exe
+        python "$(Build.SourcesDirectory)\tools\ci_build\build.py" --build_dir $(Build.BinariesDirectory) --parallel --use_binskim_compliant_compile_flags --build_shared_lib --enable_onnx_tests --ms_experimental --use_dml --use_winml --cmake_generator "Visual Studio 17 2022" --update --config RelWithDebInfo --enable_lto --use_telemetry --disable_rtti --enable_wcos --windows_sdk_version "10.0.22621.0" $(BuildFlags) --cmake_extra_defines "CMAKE_EXE_LINKER_FLAGS_RELWITHDEBINFO=/PROFILE" "CMAKE_SHARED_LINKER_FLAGS_RELWITHDEBINFO=/PROFILE"
       workingDirectory: '$(Build.BinariesDirectory)'
       displayName: 'Generate cmake config'