From deb797f0be2a9a8a2e07b95eb26b216bfec6e329 Mon Sep 17 00:00:00 2001
From: Logan Bussell <loganbussell@microsoft.com>
Date: Fri, 22 May 2026 14:38:21 -0700
Subject: [PATCH 01/10] Route getStaleImages base lookups through staging
 mirror

copyBaseImages already imports every base image into the internal
staging ACR ('mirror/' prefix) immediately before getStaleImages runs,
but getStaleImages was still resolving FROM tags against docker.io.
That path is unreachable from the internal 1ES pool, so the command
hangs for 30s on each Docker Hub base image and the job fails.

Rewrite any non-MCR / non-*.azurecr.io FROM reference to the staging
mirror via --base-override-regex/--base-override-sub. The job already
authenticates to InternalMirrorRegistry via reference-service-connections,
so no credential changes are needed. Also drops the buildtools-only
override (which never matched the actual library/<distro> FROM lines).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 eng/pipelines/templates/jobs/check-base-image-updates.yml  | 7 ++-----
 .../templates/stages/check-base-image-updates.yml          | 1 -
 2 files changed, 2 insertions(+), 6 deletions(-)

diff --git a/eng/pipelines/templates/jobs/check-base-image-updates.yml b/eng/pipelines/templates/jobs/check-base-image-updates.yml
index 372a44b83..ac5b34a28 100644
--- a/eng/pipelines/templates/jobs/check-base-image-updates.yml
+++ b/eng/pipelines/templates/jobs/check-base-image-updates.yml
@@ -20,10 +20,6 @@ parameters:
 # Schema is defined in src/ImageBuilder/Configuration/PublishConfiguration.cs.
 - name: publishConfig
   type: object
-# Additional arguments to pass to the getStaleImages command (optional).
-- name: customGetStaleImagesArgs
-  type: string
-  default: ""
 
 jobs:
 - job: ${{ parameters.jobName }}
@@ -56,7 +52,8 @@ jobs:
       $(dotnetDockerBot.email)
       --gh-token $(BotAccount-dotnet-docker-bot-PAT)
       staleImagePaths
-      ${{ parameters.customGetStaleImagesArgs }}
+      --base-override-regex '^(?!mcr\.microsoft\.com/|[^/]+\.azurecr\.io/)'
+      --base-override-sub '${{ parameters.publishConfig.InternalMirrorRegistry.server }}/${{ parameters.publishConfig.InternalMirrorRegistry.repoPrefix }}'
       --subscriptions-path ${{ parameters.subscriptionsPath }}
       --os-type '*'
       --architecture '*'
diff --git a/eng/pipelines/templates/stages/check-base-image-updates.yml b/eng/pipelines/templates/stages/check-base-image-updates.yml
index d2c857247..9650a1d25 100644
--- a/eng/pipelines/templates/stages/check-base-image-updates.yml
+++ b/eng/pipelines/templates/stages/check-base-image-updates.yml
@@ -31,7 +31,6 @@ stages:
     parameters:
       jobName: CheckBaseImages_BuildTools
       subscriptionsPath: eng/check-base-image-subscriptions-buildtools.json
-      customGetStaleImagesArgs: --base-override-regex '^((centos|debian|ubuntu):.+)' --base-override-sub '$(overrideRegistry)/$1'
       publicProjectName: ${{ parameters.publicProjectName }}
       internalProjectName: ${{ parameters.internalProjectName }}
       publishConfig: ${{ parameters.publishConfig }}

From d17f3e449c61e57d97a4e6d1dd7ef24404b7b877 Mon Sep 17 00:00:00 2001
From: Logan Bussell <loganbussell@microsoft.com>
Date: Fri, 22 May 2026 15:09:06 -0700
Subject: [PATCH 02/10] Set SYSTEM_ACCESSTOKEN

---
 eng/pipelines/templates/jobs/check-base-image-updates.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/eng/pipelines/templates/jobs/check-base-image-updates.yml b/eng/pipelines/templates/jobs/check-base-image-updates.yml
index ac5b34a28..c5467395b 100644
--- a/eng/pipelines/templates/jobs/check-base-image-updates.yml
+++ b/eng/pipelines/templates/jobs/check-base-image-updates.yml
@@ -46,7 +46,7 @@ jobs:
       additionalOptions: "--subscriptions-path '${{ parameters.subscriptionsPath }}'"
 
   - script: >
-      $(runImageBuilderCmd)
+      $(runAuthedImageBuilderCmd)
       getStaleImages
       $(dotnetDockerBot.userName)
       $(dotnetDockerBot.email)
@@ -60,6 +60,9 @@ jobs:
       $(dockerHubRegistryCreds)
     displayName: Get Stale Images
     name: GetStaleImages
+    env:
+      SYSTEM_ACCESSTOKEN: $(System.AccessToken)
+      SYSTEM_OIDCREQUESTURI: $(System.OidcRequestUri)
 
   - script: >
       $(runImageBuilderCmd)

From 3925e841acb04819ece2390bd2b3483659218233 Mon Sep 17 00:00:00 2001
From: Logan Bussell <loganbussell@microsoft.com>
Date: Fri, 22 May 2026 15:58:16 -0700
Subject: [PATCH 03/10] Use ImageNameResolver for staging mirror lookups in
 getStaleImages

The previous --base-override-regex/sub approach rewrote external FROM
tags to point at the staging mirror, but the rewritten repo prefix
also leaked into the digest comparison string. image-info.json stores
the digest against the canonical (public) repo, so every rewritten
image compared unequal and was reported stale on every run.

Switch getStaleImages to the same mechanism the build/matrix flow
already uses:
- Add --registry-override and --source-repo-prefix options (mirroring
  what ManifestOptions exposes and what copyBaseImages consumes).
- Construct ImageNameResolverForMatrix per subscription manifest.
  GetFromImagePullTag returns the staging mirror location for fetching
  the digest; GetFromImagePublicTag returns the canonical reference
  used to build the digest comparison string.

The pipeline yml now passes --registry-override / --source-repo-prefix
in place of the regex pair, matching how the copyBaseImages step in
the same job is invoked. --base-override-regex/sub remains supported
for genuine one-off overrides.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .../jobs/check-base-image-updates.yml         |  4 +-
 .../Commands/GetStaleImagesCommand.cs         | 38 +++++++++++++++----
 .../Commands/GetStaleImagesOptions.cs         | 21 ++++++++++
 3 files changed, 53 insertions(+), 10 deletions(-)

diff --git a/eng/pipelines/templates/jobs/check-base-image-updates.yml b/eng/pipelines/templates/jobs/check-base-image-updates.yml
index c5467395b..8f743cd0c 100644
--- a/eng/pipelines/templates/jobs/check-base-image-updates.yml
+++ b/eng/pipelines/templates/jobs/check-base-image-updates.yml
@@ -52,8 +52,8 @@ jobs:
       $(dotnetDockerBot.email)
       --gh-token $(BotAccount-dotnet-docker-bot-PAT)
       staleImagePaths
-      --base-override-regex '^(?!mcr\.microsoft\.com/|[^/]+\.azurecr\.io/)'
-      --base-override-sub '${{ parameters.publishConfig.InternalMirrorRegistry.server }}/${{ parameters.publishConfig.InternalMirrorRegistry.repoPrefix }}'
+      --registry-override '${{ parameters.publishConfig.InternalMirrorRegistry.server }}'
+      --source-repo-prefix '${{ parameters.publishConfig.InternalMirrorRegistry.repoPrefix }}'
       --subscriptions-path ${{ parameters.subscriptionsPath }}
       --os-type '*'
       --architecture '*'
diff --git a/src/ImageBuilder/Commands/GetStaleImagesCommand.cs b/src/ImageBuilder/Commands/GetStaleImagesCommand.cs
index 4129afbc8..56f86732e 100644
--- a/src/ImageBuilder/Commands/GetStaleImagesCommand.cs
+++ b/src/ImageBuilder/Commands/GetStaleImagesCommand.cs
@@ -55,7 +55,11 @@ public override async Task ExecuteAsync()
 
             IEnumerable<Task<SubscriptionImagePaths>> getPathResults =
                 SubscriptionHelper.GetSubscriptionManifests(
-                    Options.SubscriptionOptions.SubscriptionsPath, Options.FilterOptions, _gitService, _manifestJsonService)
+                    Options.SubscriptionOptions.SubscriptionsPath,
+                    Options.FilterOptions,
+                    _gitService,
+                    _manifestJsonService,
+                    manifestOptions => manifestOptions.RegistryOverride = Options.RegistryOverride)
                 .Select(async subscriptionManifest =>
                     new SubscriptionImagePaths
                     {
@@ -87,6 +91,12 @@ private async Task<IEnumerable<string>> GetPathsToRebuildAsync(Models.Subscripti
         {
             ImageArtifactDetails imageArtifactDetails = await GetImageInfoForSubscriptionAsync(subscription, manifest);
 
+            ImageNameResolverForMatrix imageNameResolver = new(
+                Options.BaseImageOverrideOptions,
+                manifest,
+                repoPrefix: null,
+                sourceRepoPrefix: Options.SourceRepoPrefix);
+
             List<string> pathsToRebuild = new();
 
             foreach (RepoInfo repo in manifest.FilteredRepos)
@@ -97,7 +107,8 @@ private async Task<IEnumerable<string>> GetPathsToRebuildAsync(Models.Subscripti
 
                 foreach (PlatformInfo platform in platforms)
                 {
-                    pathsToRebuild.AddRange(await GetPathsToRebuildAsync(manifest, platform, repo, imageArtifactDetails));
+                    pathsToRebuild.AddRange(
+                        await GetPathsToRebuildAsync(manifest, platform, repo, imageArtifactDetails, imageNameResolver));
                 }
             }
 
@@ -109,7 +120,11 @@ private static IEnumerable<PlatformInfo> GetDescendants(PlatformInfo platform, M
                 .Prepend(platform);
 
         private async Task<List<string>> GetPathsToRebuildAsync(
-            ManifestInfo manifest, PlatformInfo platform, RepoInfo repo, ImageArtifactDetails imageArtifactDetails)
+            ManifestInfo manifest,
+            PlatformInfo platform,
+            RepoInfo repo,
+            ImageArtifactDetails imageArtifactDetails,
+            ImageNameResolverForMatrix imageNameResolver)
         {
             string? fromImage = platform.FinalStageFromImage;
             if (fromImage is null)
@@ -129,19 +144,26 @@ private async Task<List<string>> GetPathsToRebuildAsync(
                 return dependentPlatforms.Select(p => p.Model.Dockerfile).ToList();
             }
 
-            fromImage = Options.BaseImageOverrideOptions.ApplyBaseImageOverride(fromImage);
+            // Resolve where to actually fetch the digest from. For external base images this
+            // points to the mirror location in the staging registry; for internal images it is
+            // the original FROM tag. The "public" form is the canonical reference matching what
+            // gets recorded in image-info.json and so is the right repo to use in the digest
+            // comparison string below.
+            string pullTag = imageNameResolver.GetFromImagePullTag(fromImage);
+            string publicTag = imageNameResolver.GetFromImagePublicTag(fromImage);
 
-            string currentDigest = await LockHelper.DoubleCheckedLockLookupAsync(_imageDigestsLock, _imageDigests, fromImage,
+            string currentDigest = await LockHelper.DoubleCheckedLockLookupAsync(_imageDigestsLock, _imageDigests, pullTag,
                 async () =>
                 {
-                    string digest = await _manifestService.Value.GetManifestDigestShaAsync(fromImage, Options.IsDryRun);
-                    return DockerHelper.GetDigestString(DockerHelper.GetRepo(fromImage), digest);
+                    string digest = await _manifestService.Value.GetManifestDigestShaAsync(pullTag, Options.IsDryRun);
+                    return DockerHelper.GetDigestString(DockerHelper.GetRepo(publicTag), digest);
                 });
 
             bool rebuildImage = matchingPlatform.Value.Platform.BaseImageDigest != currentDigest;
 
             _logger.LogInformation(
-                $"Checking base image '{fromImage}' from '{platform.DockerfilePath}'{Environment.NewLine}"
+                $"Checking base image '{publicTag}' from '{platform.DockerfilePath}'{Environment.NewLine}"
+                + $"\tPulled from:          {pullTag}{Environment.NewLine}"
                 + $"\tLast build digest:    {matchingPlatform.Value.Platform.BaseImageDigest}{Environment.NewLine}"
                 + $"\tCurrent digest:       {currentDigest}{Environment.NewLine}"
                 + $"\tImage is up-to-date:  {!rebuildImage}{Environment.NewLine}");
diff --git a/src/ImageBuilder/Commands/GetStaleImagesOptions.cs b/src/ImageBuilder/Commands/GetStaleImagesOptions.cs
index cb41145be..ede654504 100644
--- a/src/ImageBuilder/Commands/GetStaleImagesOptions.cs
+++ b/src/ImageBuilder/Commands/GetStaleImagesOptions.cs
@@ -23,6 +23,10 @@ public class GetStaleImagesOptions : Options, IFilterableOptions, IGitOptionsHos
 
         public BaseImageOverrideOptions BaseImageOverrideOptions { get; set; } = new();
 
+        public string? RegistryOverride { get; set; }
+
+        public string? SourceRepoPrefix { get; set; }
+
         private static readonly GitOptionsBuilder GitBuilder = GitOptionsBuilder.BuildForRepositoryOperations();
 
         private static readonly Argument<string> VariableNameArgument = new(nameof(VariableName))
@@ -30,6 +34,19 @@ public class GetStaleImagesOptions : Options, IFilterableOptions, IGitOptionsHos
             Description = "The Azure Pipeline variable name to assign the image paths to"
         };
 
+        private static readonly Option<string?> RegistryOverrideOption = new($"--{ManifestOptions.RegistryOverrideName}")
+        {
+            Description = "Alternative registry that overrides the registry defined in each subscription's manifest. " +
+                "Used together with --source-repo-prefix to redirect external base image lookups to a mirror location."
+        };
+
+        private static readonly Option<string?> SourceRepoPrefixOption = new("--source-repo-prefix")
+        {
+            Description = "Repo prefix used to locate mirrored external base images in the overridden registry " +
+                "(e.g. 'mirror/'). Combined with --registry-override, external FROM tags are resolved against " +
+                "'<registry-override>/<source-repo-prefix><original-repo>:<tag>' instead of their public source."
+        };
+
         public override IEnumerable<Option> GetCliOptions() =>
         [
             ..base.GetCliOptions(),
@@ -38,6 +55,8 @@ public override IEnumerable<Option> GetCliOptions() =>
             ..GitBuilder.GetCliOptions(),
             ..CredentialsOptions.GetCliOptions(),
             ..BaseImageOverrideOptions.GetCliOptions(),
+            RegistryOverrideOption,
+            SourceRepoPrefixOption,
         ];
 
         public override IEnumerable<Argument> GetCliArguments() =>
@@ -64,6 +83,8 @@ public override void Bind(ParseResult result)
             GitBuilder.Bind(result, GitOptions);
             CredentialsOptions.Bind(result);
             BaseImageOverrideOptions.Bind(result);
+            RegistryOverride = result.GetValue(RegistryOverrideOption);
+            SourceRepoPrefix = result.GetValue(SourceRepoPrefixOption);
             VariableName = result.GetValue(VariableNameArgument) ?? string.Empty;
         }
     }

From 080f1d6ca77d4026875c40bd1e6c7b187f878f38 Mon Sep 17 00:00:00 2001
From: Logan Bussell <loganbussell@microsoft.com>
Date: Fri, 22 May 2026 15:58:16 -0700
Subject: [PATCH 04/10] Cache only the SHA in GetStaleImagesCommand digest
 lookup

Two different FROM spellings can normalize to the same pull tag
(e.g. 'almalinux:8' and 'library/almalinux:8' both pull from
'<staging>/mirror/library/almalinux:8') but produce different public
tags. The previous code cached the full '<repo>@<sha>' comparison
string by pull tag, which meant the second lookup could reuse the
first FROM's public repo prefix and falsely mark the image as stale.

Cache only the raw SHA so the comparison string is always built from
the current platform's own public tag.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 src/ImageBuilder/Commands/GetStaleImagesCommand.cs | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/src/ImageBuilder/Commands/GetStaleImagesCommand.cs b/src/ImageBuilder/Commands/GetStaleImagesCommand.cs
index 56f86732e..67a88d629 100644
--- a/src/ImageBuilder/Commands/GetStaleImagesCommand.cs
+++ b/src/ImageBuilder/Commands/GetStaleImagesCommand.cs
@@ -152,12 +152,14 @@ private async Task<List<string>> GetPathsToRebuildAsync(
             string pullTag = imageNameResolver.GetFromImagePullTag(fromImage);
             string publicTag = imageNameResolver.GetFromImagePublicTag(fromImage);
 
-            string currentDigest = await LockHelper.DoubleCheckedLockLookupAsync(_imageDigestsLock, _imageDigests, pullTag,
-                async () =>
-                {
-                    string digest = await _manifestService.Value.GetManifestDigestShaAsync(pullTag, Options.IsDryRun);
-                    return DockerHelper.GetDigestString(DockerHelper.GetRepo(publicTag), digest);
-                });
+            // Cache only the raw SHA by pull location. Two different FROM spellings
+            // can normalize to the same pull tag (e.g. 'almalinux:8' and 'library/almalinux:8')
+            // but produce different public tags; the digest comparison string must always
+            // be built from the current platform's own public tag.
+            string sha = await LockHelper.DoubleCheckedLockLookupAsync(_imageDigestsLock, _imageDigests, pullTag,
+                () => _manifestService.Value.GetManifestDigestShaAsync(pullTag, Options.IsDryRun));
+
+            string currentDigest = DockerHelper.GetDigestString(DockerHelper.GetRepo(publicTag), sha);
 
             bool rebuildImage = matchingPlatform.Value.Platform.BaseImageDigest != currentDigest;
 

From 8eb630cfb29d12e8a3e66e26dff05264455d99dd Mon Sep 17 00:00:00 2001
From: Logan Bussell <loganbussell@microsoft.com>
Date: Fri, 22 May 2026 06:29:33 -0700
Subject: [PATCH 05/10] Add bootstrap

---
 eng/pipelines/check-base-image-updates.yml            | 11 +++++++++++
 .../templates/jobs/check-base-image-updates.yml       |  9 +++++++++
 .../templates/stages/check-base-image-updates.yml     |  8 ++++++++
 3 files changed, 28 insertions(+)

diff --git a/eng/pipelines/check-base-image-updates.yml b/eng/pipelines/check-base-image-updates.yml
index 23173848a..fa084cda6 100644
--- a/eng/pipelines/check-base-image-updates.yml
+++ b/eng/pipelines/check-base-image-updates.yml
@@ -1,6 +1,15 @@
 trigger: none
 pr: none
 
+parameters:
+- name: bootstrapImageBuilder
+  displayName: >
+    Build ImageBuilder from source at the start of every job instead of pulling
+    the pre-built image from MCR. Use this option during development to
+    validate changes to ImageBuilder and pipeline templates at the same time.
+  type: boolean
+  default: false
+
 schedules:
 - cron: "0 0,4,8,12,16,20 * * *"
   displayName: Daily build
@@ -21,3 +30,5 @@ extends:
     - template: /eng/docker-tools/templates/stages/dotnet/publish-config-prod.yml@self
       parameters:
         stagesTemplate: /eng/pipelines/templates/stages/check-base-image-updates.yml@self
+        stagesTemplateParameters:
+          bootstrapImageBuilder: ${{ parameters.bootstrapImageBuilder }}
diff --git a/eng/pipelines/templates/jobs/check-base-image-updates.yml b/eng/pipelines/templates/jobs/check-base-image-updates.yml
index 8f743cd0c..cfa99473e 100644
--- a/eng/pipelines/templates/jobs/check-base-image-updates.yml
+++ b/eng/pipelines/templates/jobs/check-base-image-updates.yml
@@ -20,6 +20,12 @@ parameters:
 # Schema is defined in src/ImageBuilder/Configuration/PublishConfiguration.cs.
 - name: publishConfig
   type: object
+# When true, build ImageBuilder from source instead of pulling from MCR. Used
+# during development to validate ImageBuilder and pipeline template changes
+# together before a new ImageBuilder image is published.
+- name: bootstrapImageBuilder
+  type: boolean
+  default: false
 
 jobs:
 - job: ${{ parameters.jobName }}
@@ -33,6 +39,9 @@ jobs:
     parameters:
       dockerClientOS: linux
       publishConfig: ${{ parameters.publishConfig }}
+      ${{ if eq(parameters.bootstrapImageBuilder, true) }}:
+        customInitSteps:
+        - template: /eng/pipelines/templates/steps/bootstrap-imagebuilder.yml@self
 
   - template: /eng/docker-tools/templates/steps/reference-service-connections.yml@self
     parameters:
diff --git a/eng/pipelines/templates/stages/check-base-image-updates.yml b/eng/pipelines/templates/stages/check-base-image-updates.yml
index 9650a1d25..e5c877d60 100644
--- a/eng/pipelines/templates/stages/check-base-image-updates.yml
+++ b/eng/pipelines/templates/stages/check-base-image-updates.yml
@@ -12,6 +12,12 @@ parameters:
 # The name of the public Azure DevOps project (e.g., "public").
 - name: publicProjectName
   type: string
+# When true, build ImageBuilder from source instead of pulling from MCR. Used
+# during development to validate ImageBuilder and pipeline template changes
+# together before a new ImageBuilder image is published.
+- name: bootstrapImageBuilder
+  type: boolean
+  default: false
 
 stages:
 - stage: CheckBaseImages
@@ -26,6 +32,7 @@ stages:
       publicProjectName: ${{ parameters.publicProjectName }}
       internalProjectName: ${{ parameters.internalProjectName }}
       publishConfig: ${{ parameters.publishConfig }}
+      bootstrapImageBuilder: ${{ parameters.bootstrapImageBuilder }}
 
   - template: /eng/pipelines/templates/jobs/check-base-image-updates.yml@self
     parameters:
@@ -34,3 +41,4 @@ stages:
       publicProjectName: ${{ parameters.publicProjectName }}
       internalProjectName: ${{ parameters.internalProjectName }}
       publishConfig: ${{ parameters.publishConfig }}
+      bootstrapImageBuilder: ${{ parameters.bootstrapImageBuilder }}

From a52b5e5ec4ef021f84eccd9d9cd1ed7c300ddef5 Mon Sep 17 00:00:00 2001
From: Logan Bussell <loganbussell@microsoft.com>
Date: Fri, 22 May 2026 18:00:01 -0700
Subject: [PATCH 06/10] Remove BaseImageOverrideOptions and
 --base-override-regex/--base-override-sub

The same redirect-to-mirror behavior is expressible via the existing
--registry-override + --source-repo-prefix pair, which is type-checked
rather than an opaque regex/replacement and is already used by every
non-trivial caller (build, copyBaseImages, generateBuildMatrix matrix
flow). The regex form survived as a parallel mechanism but is no
longer needed.

Changes:
- Delete BaseImageOverrideOptions and its two ApplyBaseImageOverride
  call sites in ImageNameResolver (GetFromImagePublicTag and
  GetFromImageTag).
- Drop BaseImageOverrideOptions from BuildOptions, BuildCommand,
  GenerateBuildMatrixOptions, GenerateBuildMatrixCommand,
  CopyBaseImagesOptions, CopyBaseImagesCommand, GetStaleImagesOptions,
  GetStaleImagesCommand.
- Update init-common.yml public-build branch to use
  '--source-repo-prefix "" --registry-override <public-mirror>'
  instead of the regex pair.
- Delete the three tests that exercised the regex form
  (BuildCommand_MirroredImages_BaseImageTagOverride,
  CopyBaseImagesCommand.OverridenBaseTag,
  GetStaleImagesCommand_BaseImageTagOverride). Their scenarios have no
  semantic analogue under the registry/prefix system.
- Document the breaking change in eng/docker-tools/CHANGELOG.md,
  including migration notes for downstream repos and a note about the
  inert custom override file in dotnet-buildtools-prereqs-docker.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 eng/docker-tools/CHANGELOG.md                 |  19 +++
 .../templates/steps/init-common.yml           |   2 +-
 src/ImageBuilder.Tests/BuildCommandTests.cs   | 139 ------------------
 .../CopyBaseImagesCommandTests.cs             |  73 ---------
 .../GetStaleImagesCommandTests.cs             |  92 ------------
 .../Commands/BaseImageOverrideOptions.cs      |  69 ---------
 src/ImageBuilder/Commands/BuildCommand.cs     |   3 -
 src/ImageBuilder/Commands/BuildOptions.cs     |   4 -
 .../Commands/CopyBaseImagesCommand.cs         |   5 +-
 .../Commands/CopyBaseImagesOptions.cs         |   5 -
 .../Commands/GenerateBuildMatrixCommand.cs    |   2 +-
 .../Commands/GenerateBuildMatrixOptions.cs    |   4 -
 .../Commands/GetStaleImagesCommand.cs         |   1 -
 .../Commands/GetStaleImagesOptions.cs         |   4 -
 src/ImageBuilder/ImageNameResolver.cs         |  28 +---
 15 files changed, 30 insertions(+), 420 deletions(-)
 delete mode 100644 src/ImageBuilder/Commands/BaseImageOverrideOptions.cs

diff --git a/eng/docker-tools/CHANGELOG.md b/eng/docker-tools/CHANGELOG.md
index 99dbceb69..dc805b62c 100644
--- a/eng/docker-tools/CHANGELOG.md
+++ b/eng/docker-tools/CHANGELOG.md
@@ -4,6 +4,25 @@ All breaking changes and new features in `eng/docker-tools` will be documented i
 
 ---
 
+## 2026-05-22: Remove `--base-override-regex` / `--base-override-sub`
+
+ImageBuilder's `--base-override-regex` and `--base-override-sub` options have been removed from the `build`, `buildMatrix`, `copyBaseImages`, and `getStaleImages` commands. The same redirection to a mirror registry is expressed by the existing `--registry-override` + `--source-repo-prefix` pair, which is type-checked rather than an opaque regex/replacement and handles the digest-comparison path correctly.
+
+`init-common.yml` has been updated to use the new options for the public-build mirror redirect.
+
+**Migration for downstream repos:**
+
+If you invoke ImageBuilder directly with `--base-override-regex/--base-override-sub`, replace them with `--registry-override <server>` and `--source-repo-prefix <prefix>`. Example:
+
+```diff
+- --base-override-regex '^(?!mcr\.microsoft\.com)' --base-override-sub '$(public-mirror.server)/'
++ --source-repo-prefix '' --registry-override '$(public-mirror.server)'
+```
+
+The `dotnet-buildtools-prereqs-docker` repo has a custom `eng/pipelines/steps/set-base-image-override-options.yml` that uses these options. Its current configuration matches no current Dockerfile FROM line (Dockerfiles use `library/<distro>:<tag>` rather than `<distro>:<tag>`), so removing the file and its two call sites in `eng/pipelines/stages/dotnet-buildtools-prereqs.yml` is a no-op behaviorally.
+
+---
+
 ## 2026-04-02: Extra Docker build options can be passed through ImageBuilder
 
 - Pull request: [#2063](https://github.com/dotnet/docker-tools/pull/2063)
diff --git a/eng/docker-tools/templates/steps/init-common.yml b/eng/docker-tools/templates/steps/init-common.yml
index eda572618..03c5babba 100644
--- a/eng/docker-tools/templates/steps/init-common.yml
+++ b/eng/docker-tools/templates/steps/init-common.yml
@@ -99,7 +99,7 @@ steps:
       }
 
       if ("$(System.TeamProject)" -eq "public" -and "$(public-mirror.server)" -ne "") {
-        $commonMatrixAndBuildOptions = "$commonMatrixAndBuildOptions --base-override-regex '^(?!mcr\.microsoft\.com)' --base-override-sub '$(public-mirror.server)/'"
+        $commonMatrixAndBuildOptions = "$commonMatrixAndBuildOptions --source-repo-prefix '' --registry-override '$(public-mirror.server)'"
       }
 
       Write-Host "Setting commonMatrixAndBuildOptions to '$commonMatrixAndBuildOptions'"
diff --git a/src/ImageBuilder.Tests/BuildCommandTests.cs b/src/ImageBuilder.Tests/BuildCommandTests.cs
index ba056b212..37617f1e2 100644
--- a/src/ImageBuilder.Tests/BuildCommandTests.cs
+++ b/src/ImageBuilder.Tests/BuildCommandTests.cs
@@ -3501,145 +3501,6 @@ public async Task BuildCommand_MirroredImages_External(string baseImageRegistry,
             dockerServiceMock.VerifyNoOtherCalls();
         }
 
-        /// <summary>
-        /// Tests the logic of image mirroring when the base image tag is configured to be overriden.
-        /// </summary>
-        [Fact]
-        public async Task BuildCommand_MirroredImages_BaseImageTagOverride()
-        {
-            const string RegistryOverride = "dotnetdocker.azurecr.io";
-            const string SamplesRepo = "samples";
-            const string RuntimeDigest = "sha256:adc914a9f125ca612f9a67e4a0551937b7a37c82fabb46172c4867b73ed99227";
-            const string SampleDigest = "sha256:781914a9f125ca612f9a67e4a0551937b7a37c82fabb46172c4867b73ed0045a";
-            const string ImageTag = "tag";
-            const string SourceRepoPrefix = "mirror/";
-            const string CustomRegistry = "contoso.azurecr.io";
-            const string SourceRepo = "amd64/os";
-            const string SrcBaseTag = $"{SourceRepo}:tag";
-            const string MirroredBaseTag = "os:tag";
-
-            using TempFolderContext tempFolderContext = TestHelper.UseTempFolder();
-            Mock<IDockerService> dockerServiceMock = CreateDockerServiceMock();
-
-            string baseImageRepoPrefix = $"{RegistryOverride}/{SourceRepoPrefix}{CustomRegistry}";
-
-            Mock<IManifestService> manifestServiceMock = CreateManifestServiceMock([
-                new($"{baseImageRepoPrefix}/{MirroredBaseTag}", $"{baseImageRepoPrefix}/{MirroredBaseTag}@{RuntimeDigest}"),
-                new($"{RegistryOverride}/{SamplesRepo}:{ImageTag}", $"{RegistryOverride}/{SamplesRepo}@{SampleDigest}"),
-            ], []);
-
-            const string dockerfileCommitSha = "mycommit";
-            Mock<IGitService> gitServiceMock = new();
-            gitServiceMock
-                .Setup(o => o.GetCommitSha(It.IsAny<string>(), It.IsAny<bool>()))
-                .Returns(dockerfileCommitSha);
-
-            BuildCommand command = CreateBuildCommand(
-                dockerService: dockerServiceMock.Object,
-                gitService: gitServiceMock.Object,
-                copyImageService: Mock.Of<ICopyImageService>(),
-                manifestServiceFactory: CreateManifestServiceFactoryMock(manifestServiceMock).Object,
-                imageCacheService: new ImageCacheService(Mock.Of<ILogger<ImageCacheService>>(), gitServiceMock.Object));
-            command.Options.Manifest = Path.Combine(tempFolderContext.Path, "manifest.json");
-            command.Options.ImageInfoOutputPath = Path.Combine(tempFolderContext.Path, "image-info.json");
-            command.Options.IsPushEnabled = true;
-            command.Options.SourceRepoUrl = "https://github.com/dotnet/test";
-            command.Options.RegistryOverride = RegistryOverride;
-            command.Options.SourceRepoPrefix = SourceRepoPrefix;
-            command.Options.BaseImageOverrideOptions.RegexPattern = @".*\/(.*)";
-            command.Options.BaseImageOverrideOptions.Substitution = $"{CustomRegistry}/$1";
-
-            Manifest manifest = CreateManifest(
-                CreateRepo(SamplesRepo,
-                    CreateImage(
-                        new Platform[]
-                        {
-                            CreatePlatform(
-                                DockerfileHelper.CreateDockerfile(
-                                    "1.0/samples/os", tempFolderContext, SrcBaseTag),
-                                new string[] { ImageTag })
-                        },
-                        productVersion: "1.0.1"))
-            );
-            manifest.Registry = "mcr.microsoft.com";
-
-            File.WriteAllText(Path.Combine(tempFolderContext.Path, command.Options.Manifest), JsonConvert.SerializeObject(manifest));
-
-            command.LoadManifest();
-            await command.ExecuteAsync();
-
-            ImageArtifactDetails imageArtifactDetails = new()
-            {
-                Repos =
-                    {
-                        new RepoData
-                        {
-                            Repo = "samples",
-                            Images =
-                            {
-                                new ImageData
-                                {
-                                    ProductVersion = "1.0.1",
-                                    Platforms =
-                                    {
-                                        new PlatformData
-                                        {
-                                            Dockerfile = "1.0/samples/os/Dockerfile",
-                                            Architecture = "amd64",
-                                            OsType = "Linux",
-                                            OsVersion = "noble",
-                                            Digest = $"{manifest.Registry}/{SamplesRepo}@{SampleDigest}",
-
-                                            // This is the key change. The digest should be referring to the image from the
-                                            // override, not what's defined in the Dockerfile.
-                                            BaseImageDigest = $"{CustomRegistry}/os@{RuntimeDigest}",
-
-                                            Created = DateTime.MinValue.ToUniversalTime(),
-                                            CommitUrl = $"{command.Options.SourceRepoUrl}/blob/{dockerfileCommitSha}/1.0/samples/os/Dockerfile",
-                                            SimpleTags =
-                                            {
-                                                ImageTag
-                                            },
-                                        }
-                                    }
-                                }
-                            }
-                        }
-                    }
-            };
-
-            string expectedOutput = JsonHelper.SerializeObject(imageArtifactDetails);
-            string actualOutput = File.ReadAllText(command.Options.ImageInfoOutputPath);
-
-            Assert.Equal(expectedOutput, actualOutput);
-
-            dockerServiceMock.Verify(
-                o => o.BuildImage(
-                    It.IsAny<string>(),
-                    It.IsAny<string>(),
-                    It.IsAny<string>(),
-                    It.IsAny<IEnumerable<string>>(),
-                    It.IsAny<IDictionary<string, string>>(),
-                    It.IsAny<IEnumerable<string>>(),
-                    It.IsAny<bool>(),
-                    It.IsAny<bool>()));
-            dockerServiceMock.Verify(
-                o => o.GetImageSize($"{RegistryOverride}/{SamplesRepo}:{ImageTag}", false));
-
-            dockerServiceMock.Verify(o => o.PullImage($"{baseImageRepoPrefix}/{MirroredBaseTag}", "linux/amd64", false));
-            manifestServiceMock.Verify(o => o.GetLocalImageDigestAsync($"{baseImageRepoPrefix}/{MirroredBaseTag}", false));
-            manifestServiceMock.Verify(o => o.GetLocalImageDigestAsync($"{RegistryOverride}/{SamplesRepo}:{ImageTag}", false));
-            dockerServiceMock.Verify(o => o.PushImage($"{RegistryOverride}/{SamplesRepo}:{ImageTag}", false));
-            dockerServiceMock.Verify(o => o.GetCreatedDate($"{RegistryOverride}/{SamplesRepo}:{ImageTag}", false));
-            manifestServiceMock.Verify(o => o.GetImageLayersAsync($"{RegistryOverride}/{SamplesRepo}:{ImageTag}", false));
-
-            dockerServiceMock.Verify(o =>
-                o.CreateTag($"{baseImageRepoPrefix}/{MirroredBaseTag}", SrcBaseTag, false));
-            dockerServiceMock.Verify(o => o.GetImageArch($"{baseImageRepoPrefix}/{MirroredBaseTag}", false));
-
-            dockerServiceMock.VerifyNoOtherCalls();
-        }
-
         #nullable enable
         private static BuildCommand CreateBuildCommand(
             IManifestJsonService? manifestJsonService = null,
diff --git a/src/ImageBuilder.Tests/CopyBaseImagesCommandTests.cs b/src/ImageBuilder.Tests/CopyBaseImagesCommandTests.cs
index e1525d39f..d2e0581ba 100644
--- a/src/ImageBuilder.Tests/CopyBaseImagesCommandTests.cs
+++ b/src/ImageBuilder.Tests/CopyBaseImagesCommandTests.cs
@@ -101,78 +101,5 @@ public async Task MultipleBaseTags()
 
             copyImageServiceMock.VerifyNoOtherCalls();
         }
-
-        /// <summary>
-        /// Verifies that we can dynamically override the base image tag that's defined in the Dockerfile with a custom one
-        /// that is used for the purposes of copying.
-        /// </summary>
-        /// <remarks>
-        /// In this test, the Dockerfiles contains:
-        ///     FROM arm32v7/os:tag
-        /// But we want to override that so we don't use that tag as the source of the copy but rather from a custom location.
-        /// So it's configured to be overriden to use contoso.azurecr.io/os:tag as the source tag. This ends up getting copied
-        /// to mcr.microsoft.com/custom-repo/contoso.azurecr.io/os:tag.
-        /// </remarks>
-        [Fact]
-        public async Task OverridenBaseTag()
-        {
-            const string CustomRegistry = "contoso.azurecr.io";
-
-            using TempFolderContext tempFolderContext = TestHelper.UseTempFolder();
-
-            Mock<ICopyImageService> copyImageServiceMock = new();
-
-            CopyBaseImagesCommand command = new(
-                TestHelper.CreateManifestJsonService(),
-                copyImageServiceMock.Object,
-                Mock.Of<ILogger<CopyBaseImagesCommand>>(),
-                Mock.Of<IGitService>());
-            command.Options.Manifest = Path.Combine(tempFolderContext.Path, "manifest.json");
-            command.Options.RepoPrefix = "custom-repo/";
-            command.Options.CredentialsOptions.Credentials.Add("docker.io", new RegistryCredentials("user", "pass"));
-            command.Options.BaseImageOverrideOptions.RegexPattern = @".*\/(os:.*)";
-            command.Options.BaseImageOverrideOptions.Substitution = $"{CustomRegistry}/$1";
-
-            const string runtimeRelativeDir = "1.0/runtime/os";
-            Directory.CreateDirectory(Path.Combine(tempFolderContext.Path, runtimeRelativeDir));
-            string dockerfileRelativePath = Path.Combine(runtimeRelativeDir, "Dockerfile.custom");
-            File.WriteAllText(Path.Combine(tempFolderContext.Path, dockerfileRelativePath), "FROM repo:tag");
-
-            Manifest manifest = CreateManifest(
-                CreateRepo("runtime",
-                    CreateImage(
-                        CreatePlatform(
-                            CreateDockerfile("1.0/runtime/os/arm32v7", tempFolderContext, "arm32v7/os:tag"),
-                            new string[] { "os" }),
-                        CreatePlatform(
-                            CreateDockerfile("1.0/runtime/os2/arm32v7", tempFolderContext, "arm32v7/os2:tag"),
-                            new string[] { "os2" })))
-            );
-            manifest.Registry = DestinationRegistry;
-
-            File.WriteAllText(Path.Combine(tempFolderContext.Path, command.Options.Manifest), JsonConvert.SerializeObject(manifest));
-
-            command.LoadManifest();
-            await command.ExecuteAsync();
-
-            var expectedTagInfos = new(string SourceImage, string TargetTag, string Registry, string Username, string Password)[]
-            {
-                ( $"os:tag", $"{command.Options.RepoPrefix}{CustomRegistry}/os:tag", CustomRegistry, null, null),
-                ( "arm32v7/os2:tag", $"{command.Options.RepoPrefix}arm32v7/os2:tag", "docker.io", "user", "pass" ),
-            };
-
-            foreach (var expectedTagInfo in expectedTagInfos)
-            {
-                copyImageServiceMock.Verify(o =>
-                        o.ImportImageAsync(
-                            new string[] { expectedTagInfo.TargetTag },
-                            manifest.Registry,
-                            expectedTagInfo.SourceImage,
-                            false,
-                            expectedTagInfo.Registry,
-                            It.Is<ContainerRegistryImportSourceCredentials>(creds => (creds == null && expectedTagInfo.Username == null) || (creds.Username == expectedTagInfo.Username && creds.Password == expectedTagInfo.Password)),
-                            false));
-            }
-        }
     }
 }
diff --git a/src/ImageBuilder.Tests/GetStaleImagesCommandTests.cs b/src/ImageBuilder.Tests/GetStaleImagesCommandTests.cs
index 868cb53dc..31a10863f 100644
--- a/src/ImageBuilder.Tests/GetStaleImagesCommandTests.cs
+++ b/src/ImageBuilder.Tests/GetStaleImagesCommandTests.cs
@@ -1521,98 +1521,6 @@ public async Task GetStaleImagesCommand_SharedDockerfile()
             }
         }
 
-        /// <summary>
-        /// Verifies that the check for a stale base image is done by targeting the tag override rather than the tag
-        /// defined in the Dockerfile.
-        /// </summary>
-        [Fact]
-        public async Task GetStaleImagesCommand_BaseImageTagOverride()
-        {
-            const string repo1 = "test-repo";
-            const string dockerfile1Path = "dockerfile1/Dockerfile";
-            const string dockerfile2Path = "dockerfile2/Dockerfile";
-            const string CustomRegistry = "my-registry.io";
-
-            SubscriptionInfo[] subscriptionInfos = new SubscriptionInfo[]
-            {
-                new SubscriptionInfo(
-                    CreateSubscription(repo1),
-                    CreateManifest(
-                        CreateRepo(
-                            repo1,
-                            CreateImage(
-                                CreatePlatform(dockerfile1Path, new string[] { "tag1" }),
-                                CreatePlatform(dockerfile2Path, new string[] { "tag2" })))),
-                    new ImageArtifactDetails
-                    {
-                        Repos =
-                        {
-                            new RepoData
-                            {
-                                Repo = repo1,
-                                Images =
-                                {
-                                    new ImageData
-                                    {
-                                        Platforms =
-                                        {
-                                            CreatePlatform(
-                                                dockerfile1Path,
-                                                baseImageDigest: $"{CustomRegistry}/base1@base1digest",
-                                                simpleTags: new List<string> { "tag1" }),
-                                            CreatePlatform(
-                                                dockerfile2Path,
-                                                baseImageDigest: $"{CustomRegistry}/base2@alternate-base2digest",
-                                                simpleTags: new List<string> { "tag2" })
-                                        }
-                                    }
-                                }
-                            }
-                        }
-                    }
-                )
-            };
-
-            Dictionary<GitFile, List<DockerfileInfo>> dockerfileInfos = new()
-            {
-                {
-                    subscriptionInfos[0].Subscription.Manifest,
-                    new List<DockerfileInfo>
-                    {
-                        new DockerfileInfo(dockerfile1Path, new FromImageInfo("base1", "base1digest")),
-                        new DockerfileInfo(dockerfile2Path, new FromImageInfo("base2", "base2digest"))
-                    }
-                }
-            };
-
-            using (TestContext context = new(subscriptionInfos, dockerfileInfos))
-            {
-                context.ImageDigests.Add($"{CustomRegistry}/base1", "alternate-base1digest");
-                context.ImageDigests.Add($"{CustomRegistry}/base2", "alternate-base2digest");
-
-                // Override the image tags to target a custom registry
-                context.Command.Options.BaseImageOverrideOptions.RegexPattern = "(base.*)";
-                context.Command.Options.BaseImageOverrideOptions.Substitution = "my-registry.io/$1";
-
-                await context.ExecuteCommandAsync();
-
-                // Only one of the images has a changed digest
-                // It should be comparing against the digest of the image from the override.
-                Dictionary<Subscription, IList<string>> expectedPathsBySubscription = new()
-                {
-                    {
-                        subscriptionInfos[0].Subscription,
-                        new List<string>
-                        {
-                            dockerfile1Path
-                        }
-                    }
-                };
-
-                context.Verify(expectedPathsBySubscription);
-            }
-        }
-
         /// <summary>
         /// Use this method to generate a unique repo owner name for the tests. This ensures that each test
         /// uses a different name and prevents collisions when running the tests in parallel. This is because
diff --git a/src/ImageBuilder/Commands/BaseImageOverrideOptions.cs b/src/ImageBuilder/Commands/BaseImageOverrideOptions.cs
deleted file mode 100644
index 3f7d07f0c..000000000
--- a/src/ImageBuilder/Commands/BaseImageOverrideOptions.cs
+++ /dev/null
@@ -1,69 +0,0 @@
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-
-using System;
-using System.Collections.Generic;
-using System.CommandLine;
-using System.CommandLine.Parsing;
-using System.Text.RegularExpressions;
-
-namespace Microsoft.DotNet.ImageBuilder.Commands;
-
-/// <summary>
-/// Defines options that allow the caller to configure whether and how base image tags defined in a Dockerfile
-/// are to be overriden.
-/// </summary>
-/// <remarks>
-/// This allows for images to be sourced from a different location than described in the Dockerfile.
-/// For example, the Build command implements this by pulling an image from the overriden location, retagging it with the
-/// tag used in the Dockerfile, and continue with the rest of the build.
-/// </remarks>
-public class BaseImageOverrideOptions
-{
-    public const string BaseOverrideRegexName = "base-override-regex";
-    public const string BaseOverrideSubName = "base-override-sub";
-
-    public string? RegexPattern { get; set; }
-
-    public string? Substitution { get; set; }
-
-    private static readonly Option<string?> RegexPatternOption = new($"--{BaseOverrideRegexName}")
-    {
-        Description = $"Regular expression identifying base image tags to apply string substitution to (requires {BaseOverrideSubName} to be set)"
-    };
-
-    private static readonly Option<string?> SubstitutionOption = new($"--{BaseOverrideSubName}")
-    {
-        Description = $"Regular expression substitution that overrides a matching base image tag (requires {BaseOverrideRegexName} to be set)"
-    };
-
-    public void Validate()
-    {
-        if ((RegexPattern is null) != (Substitution is null))
-        {
-            throw new InvalidOperationException(
-                $"The '{BaseOverrideRegexName}' and '{BaseOverrideSubName}' options must both be set.");
-        }
-    }
-
-    public string ApplyBaseImageOverride(string imageName)
-    {
-        if (RegexPattern is not null && Substitution is not null)
-        {
-            return Regex.Replace(imageName, RegexPattern, Substitution);
-        }
-
-        return imageName;
-    }
-
-    public IEnumerable<Option> GetCliOptions() =>
-        [RegexPatternOption, SubstitutionOption];
-
-    public IEnumerable<Argument> GetCliArguments() => [];
-
-    public void Bind(ParseResult result)
-    {
-        RegexPattern = result.GetValue(RegexPatternOption);
-        Substitution = result.GetValue(SubstitutionOption);
-    }
-}
diff --git a/src/ImageBuilder/Commands/BuildCommand.cs b/src/ImageBuilder/Commands/BuildCommand.cs
index 5ae85c30c..401515e98 100644
--- a/src/ImageBuilder/Commands/BuildCommand.cs
+++ b/src/ImageBuilder/Commands/BuildCommand.cs
@@ -69,7 +69,6 @@ public BuildCommand(
 
             _imageNameResolver = new Lazy<ImageNameResolverForBuild>(() =>
                 new ImageNameResolverForBuild(
-                    Options.BaseImageOverrideOptions,
                     Manifest,
                     Options.RepoPrefix,
                     Options.SourceRepoPrefix));
@@ -93,8 +92,6 @@ public BuildCommand(
 
         public override async Task ExecuteAsync()
         {
-            Options.BaseImageOverrideOptions.Validate();
-
             if (Options.ImageInfoOutputPath != null)
             {
                 _imageArtifactDetails = new ImageArtifactDetails();
diff --git a/src/ImageBuilder/Commands/BuildOptions.cs b/src/ImageBuilder/Commands/BuildOptions.cs
index bac9c3b48..7eaf64321 100644
--- a/src/ImageBuilder/Commands/BuildOptions.cs
+++ b/src/ImageBuilder/Commands/BuildOptions.cs
@@ -14,7 +14,6 @@ namespace Microsoft.DotNet.ImageBuilder.Commands
     public class BuildOptions : ManifestOptions, IFilterableOptions
     {
         public ManifestFilterOptions FilterOptions { get; set; } = new();
-        public BaseImageOverrideOptions BaseImageOverrideOptions { get; set; } = new();
         public RegistryCredentialsOptions CredentialsOptions { get; set; } = new();
         public ServiceConnection? StorageServiceConnection { get; set; }
 
@@ -110,7 +109,6 @@ public override IEnumerable<Option> GetCliOptions() =>
         [
             ..base.GetCliOptions(),
             ..FilterOptions.GetCliOptions(),
-            ..BaseImageOverrideOptions.GetCliOptions(),
             ..CredentialsOptions.GetCliOptions(),
             StorageServiceConnectionOption,
             PushOption,
@@ -132,7 +130,6 @@ public override IEnumerable<Argument> GetCliArguments() =>
         [
             ..base.GetCliArguments(),
             ..FilterOptions.GetCliArguments(),
-            ..BaseImageOverrideOptions.GetCliArguments(),
             ..CredentialsOptions.GetCliArguments(),
         ];
 
@@ -140,7 +137,6 @@ public override void Bind(ParseResult result)
         {
             base.Bind(result);
             FilterOptions.Bind(result);
-            BaseImageOverrideOptions.Bind(result);
             CredentialsOptions.Bind(result);
             StorageServiceConnection = result.GetValue(StorageServiceConnectionOption);
             IsPushEnabled = result.GetValue(PushOption);
diff --git a/src/ImageBuilder/Commands/CopyBaseImagesCommand.cs b/src/ImageBuilder/Commands/CopyBaseImagesCommand.cs
index ae2310ced..4c57ee979 100644
--- a/src/ImageBuilder/Commands/CopyBaseImagesCommand.cs
+++ b/src/ImageBuilder/Commands/CopyBaseImagesCommand.cs
@@ -42,8 +42,6 @@ public override async Task ExecuteAsync()
         {
             _logger.LogInformation("COPYING IMAGES");
 
-            Options.BaseImageOverrideOptions.Validate();
-
             IEnumerable<ManifestInfo> manifests;
             string fullRegistryName;
             if (Options.SubscriptionOptions.SubscriptionsPath is null)
@@ -74,9 +72,8 @@ public override async Task ExecuteAsync()
             await Task.WhenAll(copyImageTasks);
         }
 
-        private IEnumerable<string> GetFromImages(ManifestInfo manifest) =>
+        private static IEnumerable<string> GetFromImages(ManifestInfo manifest) =>
             manifest.GetExternalFromImages()
-                .Select(fromImage => Options.BaseImageOverrideOptions.ApplyBaseImageOverride(fromImage))
                 .Where(fromImage => !fromImage.StartsWith(manifest.Model.Registry));
 
         private Task CopyImageAsync(string fromImage, string destinationRegistryName)
diff --git a/src/ImageBuilder/Commands/CopyBaseImagesOptions.cs b/src/ImageBuilder/Commands/CopyBaseImagesOptions.cs
index a060acda4..22f2157e6 100644
--- a/src/ImageBuilder/Commands/CopyBaseImagesOptions.cs
+++ b/src/ImageBuilder/Commands/CopyBaseImagesOptions.cs
@@ -14,14 +14,11 @@ public class CopyBaseImagesOptions : CopyImagesOptions
 
         public SubscriptionOptions SubscriptionOptions { get; set; } = new();
 
-        public BaseImageOverrideOptions BaseImageOverrideOptions { get; set; } = new();
-
         public override IEnumerable<Option> GetCliOptions() =>
         [
             ..base.GetCliOptions(),
             ..CredentialsOptions.GetCliOptions(),
             ..SubscriptionOptions.GetCliOptions(),
-            ..BaseImageOverrideOptions.GetCliOptions(),
         ];
 
         public override IEnumerable<Argument> GetCliArguments() =>
@@ -29,7 +26,6 @@ public override IEnumerable<Argument> GetCliArguments() =>
             ..base.GetCliArguments(),
             ..CredentialsOptions.GetCliArguments(),
             ..SubscriptionOptions.GetCliArguments(),
-            ..BaseImageOverrideOptions.GetCliArguments(),
         ];
 
         public override void Bind(ParseResult result)
@@ -37,7 +33,6 @@ public override void Bind(ParseResult result)
             base.Bind(result);
             CredentialsOptions.Bind(result);
             SubscriptionOptions.Bind(result);
-            BaseImageOverrideOptions.Bind(result);
         }
     }
 }
diff --git a/src/ImageBuilder/Commands/GenerateBuildMatrixCommand.cs b/src/ImageBuilder/Commands/GenerateBuildMatrixCommand.cs
index 8334e2952..cff3d5912 100644
--- a/src/ImageBuilder/Commands/GenerateBuildMatrixCommand.cs
+++ b/src/ImageBuilder/Commands/GenerateBuildMatrixCommand.cs
@@ -43,7 +43,7 @@ public GenerateBuildMatrixCommand(IManifestJsonService manifestJsonService, IIma
                 new Lazy<IManifestService>(
                     () => manifestServiceFactory.Create(Options.CredentialsOptions)));
             _imageNameResolver = new Lazy<ImageNameResolverForMatrix>(() =>
-                new ImageNameResolverForMatrix(Options.BaseImageOverrideOptions, Manifest, Options.RepoPrefix, Options.SourceRepoPrefix));
+                new ImageNameResolverForMatrix(Manifest, Options.RepoPrefix, Options.SourceRepoPrefix));
         }
 
         protected override string Description => "Generate the Azure DevOps build matrix for building the images";
diff --git a/src/ImageBuilder/Commands/GenerateBuildMatrixOptions.cs b/src/ImageBuilder/Commands/GenerateBuildMatrixOptions.cs
index 821a2e782..88939d580 100644
--- a/src/ImageBuilder/Commands/GenerateBuildMatrixOptions.cs
+++ b/src/ImageBuilder/Commands/GenerateBuildMatrixOptions.cs
@@ -19,7 +19,6 @@ public class GenerateBuildMatrixOptions : ManifestOptions, IFilterableOptions
         public int ProductVersionComponents { get; set; }
         public string? ImageInfoPath { get; set; }
         public IEnumerable<string> DistinctMatrixOsVersions { get; set; } = Enumerable.Empty<string>();
-        public BaseImageOverrideOptions BaseImageOverrideOptions { get; set; } = new();
         public string? SourceRepoPrefix { get; set; }
         public string? SourceRepoUrl { get; set; }
         public RegistryCredentialsOptions CredentialsOptions { get; set; } = new();
@@ -77,7 +76,6 @@ public override IEnumerable<Option> GetCliOptions() =>
         [
             ..base.GetCliOptions(),
             ..FilterOptions.GetCliOptions(),
-            ..BaseImageOverrideOptions.GetCliOptions(),
             ..CredentialsOptions.GetCliOptions(),
             MatrixTypeOption,
             CustomBuildLegGroupsOption,
@@ -93,7 +91,6 @@ public override IEnumerable<Argument> GetCliArguments() =>
         [
             ..base.GetCliArguments(),
             ..FilterOptions.GetCliArguments(),
-            ..BaseImageOverrideOptions.GetCliArguments(),
             ..CredentialsOptions.GetCliArguments(),
         ];
 
@@ -101,7 +98,6 @@ public override void Bind(ParseResult result)
         {
             base.Bind(result);
             FilterOptions.Bind(result);
-            BaseImageOverrideOptions.Bind(result);
             CredentialsOptions.Bind(result);
             MatrixType = result.GetValue(MatrixTypeOption);
             CustomBuildLegGroups = result.GetValue(CustomBuildLegGroupsOption) ?? [];
diff --git a/src/ImageBuilder/Commands/GetStaleImagesCommand.cs b/src/ImageBuilder/Commands/GetStaleImagesCommand.cs
index 67a88d629..8fb95cf2d 100644
--- a/src/ImageBuilder/Commands/GetStaleImagesCommand.cs
+++ b/src/ImageBuilder/Commands/GetStaleImagesCommand.cs
@@ -92,7 +92,6 @@ private async Task<IEnumerable<string>> GetPathsToRebuildAsync(Models.Subscripti
             ImageArtifactDetails imageArtifactDetails = await GetImageInfoForSubscriptionAsync(subscription, manifest);
 
             ImageNameResolverForMatrix imageNameResolver = new(
-                Options.BaseImageOverrideOptions,
                 manifest,
                 repoPrefix: null,
                 sourceRepoPrefix: Options.SourceRepoPrefix);
diff --git a/src/ImageBuilder/Commands/GetStaleImagesOptions.cs b/src/ImageBuilder/Commands/GetStaleImagesOptions.cs
index ede654504..65c061c45 100644
--- a/src/ImageBuilder/Commands/GetStaleImagesOptions.cs
+++ b/src/ImageBuilder/Commands/GetStaleImagesOptions.cs
@@ -21,8 +21,6 @@ public class GetStaleImagesOptions : Options, IFilterableOptions, IGitOptionsHos
 
         public RegistryCredentialsOptions CredentialsOptions { get; set; } = new RegistryCredentialsOptions();
 
-        public BaseImageOverrideOptions BaseImageOverrideOptions { get; set; } = new();
-
         public string? RegistryOverride { get; set; }
 
         public string? SourceRepoPrefix { get; set; }
@@ -54,7 +52,6 @@ public override IEnumerable<Option> GetCliOptions() =>
             ..FilterOptions.GetCliOptions(),
             ..GitBuilder.GetCliOptions(),
             ..CredentialsOptions.GetCliOptions(),
-            ..BaseImageOverrideOptions.GetCliOptions(),
             RegistryOverrideOption,
             SourceRepoPrefixOption,
         ];
@@ -82,7 +79,6 @@ public override void Bind(ParseResult result)
             FilterOptions.Bind(result);
             GitBuilder.Bind(result, GitOptions);
             CredentialsOptions.Bind(result);
-            BaseImageOverrideOptions.Bind(result);
             RegistryOverride = result.GetValue(RegistryOverrideOption);
             SourceRepoPrefix = result.GetValue(SourceRepoPrefixOption);
             VariableName = result.GetValue(VariableNameArgument) ?? string.Empty;
diff --git a/src/ImageBuilder/ImageNameResolver.cs b/src/ImageBuilder/ImageNameResolver.cs
index 3fd3a29dd..b57d1f522 100644
--- a/src/ImageBuilder/ImageNameResolver.cs
+++ b/src/ImageBuilder/ImageNameResolver.cs
@@ -1,20 +1,17 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
-using Microsoft.DotNet.ImageBuilder.Commands;
 using Microsoft.DotNet.ImageBuilder.ViewModel;
 
 namespace Microsoft.DotNet.ImageBuilder;
 
 public abstract class ImageNameResolver
 {
-    private readonly BaseImageOverrideOptions _baseImageOverrideOptions;
     private readonly string? _repoPrefix;
     private readonly string? _sourceRepoPrefix;
 
-    public ImageNameResolver(BaseImageOverrideOptions baseImageOverrideOptions, ManifestInfo manifest, string? repoPrefix, string? sourceRepoPrefix)
+    public ImageNameResolver(ManifestInfo manifest, string? repoPrefix, string? sourceRepoPrefix)
     {
-        _baseImageOverrideOptions = baseImageOverrideOptions;
         Manifest = manifest;
         _repoPrefix = repoPrefix;
         _sourceRepoPrefix = sourceRepoPrefix;
@@ -48,20 +45,15 @@ public string GetFromImagePullTag(string fromImage) =>
     /// <param name="fromImage">Tag of the FROM image.</param>
     /// <remarks>
     /// This compares the registry of the image tag to determine if it's internally owned. If so, it returns
-    /// the tag using the raw (non-overriden) registry from the manifest (e.g. mcr.microsoft.com). Otherwise,
-    /// it returns the image tag unchanged.
+    /// the tag using the raw registry from the manifest (e.g. mcr.microsoft.com). Otherwise, it returns the
+    /// image tag unchanged.
     /// </remarks>
     public string GetFromImagePublicTag(string fromImage)
     {
         string trimmed = TrimInternallyOwnedRegistryAndRepoPrefix(fromImage);
-        if (trimmed == fromImage)
-        {
-            return _baseImageOverrideOptions.ApplyBaseImageOverride(trimmed);
-        }
-        else
-        {
-            return $"{Manifest.Model.Registry}/{trimmed}";
-        }
+        return trimmed == fromImage
+            ? trimmed
+            : $"{Manifest.Model.Registry}/{trimmed}";
     }
 
     public abstract string GetFinalStageImageNameForDigestQuery(PlatformInfo platform);
@@ -76,8 +68,6 @@ public string GetFromImagePublicTag(string fromImage)
     /// </remarks>
     private string GetFromImageTag(string fromImage, string? registry)
     {
-        fromImage = _baseImageOverrideOptions.ApplyBaseImageOverride(fromImage);
-
         if ((registry is not null && DockerHelper.IsInRegistry(fromImage, registry)) ||
             DockerHelper.IsInRegistry(fromImage, Manifest.Model.Registry)
             || _sourceRepoPrefix is null)
@@ -102,11 +92,10 @@ private bool IsInInternallyOwnedRegistry(string imageTag) =>
 public class ImageNameResolverForBuild : ImageNameResolver
 {
     public ImageNameResolverForBuild(
-        BaseImageOverrideOptions baseImageOverrideOptions,
         ManifestInfo manifest,
         string? repoPrefix,
         string? sourceRepoPrefix)
-        : base(baseImageOverrideOptions, manifest, repoPrefix, sourceRepoPrefix)
+        : base(manifest, repoPrefix, sourceRepoPrefix)
     {
     }
 
@@ -133,11 +122,10 @@ public override string GetFinalStageImageNameForDigestQuery(PlatformInfo platfor
 public class ImageNameResolverForMatrix : ImageNameResolver
 {
     public ImageNameResolverForMatrix(
-        BaseImageOverrideOptions baseImageOverrideOptions,
         ManifestInfo manifest,
         string? repoPrefix,
         string? sourceRepoPrefix)
-        : base(baseImageOverrideOptions, manifest, repoPrefix, sourceRepoPrefix)
+        : base(manifest, repoPrefix, sourceRepoPrefix)
     {
     }
 

From 2e00f71066f0317d7203bbc22749591287cc5bd8 Mon Sep 17 00:00:00 2001
From: Logan Bussell <loganbussell@microsoft.com>
Date: Fri, 22 May 2026 18:48:06 -0700
Subject: [PATCH 07/10] Drive source-mirror selection from PublishConfiguration

Replace the conflated --registry-override/--source-repo-prefix pair
(and the regex-based --base-override-regex/--base-override-sub form
removed in earlier commits) with a single MirrorRegistry field on
PublishConfiguration. The pipeline templates choose the appropriate
mirror (internal staging vs. public mirror) at template-compile time
based on the AzDO team project, so the C# app sees one registry to
redirect external base-image lookups to without any runtime
conditionals or per-command CLI plumbing.

Key change in ImageNameResolver: external FROM tags are now rewritten
using the mirror server (not Manifest.Registry), so source redirection
no longer leaks into the destination tag of built images. This fixes
the previous bug where setting --registry-override on public builds
would also rewrite the push destination.

Surface changes:
- New RegistryEndpoint.RepoPrefix field; new PublishConfiguration.MirrorRegistry.
- Removed PublishConfiguration.InternalMirrorRegistry/PublicMirrorRegistry
  (the YAML side keeps them for project-specific dispatch; the C# binder
  ignores unknown JSON keys).
- Removed --source-repo-prefix CLI option from build/buildMatrix/getStaleImages.
- Removed --registry-override CLI option from getStaleImages (was added
  earlier in this branch and is no longer needed for stale detection).
- publish-config-prod.yml + publish-config-nonprod.yml: emit MirrorRegistry
  conditionally based on ${{ variables['System.TeamProject'] }}.
- init-common.yml: drop public-build override branch (now handled in publish
  config); internal branch keeps --registry-override only.
- check-base-image-updates.yml: drop --registry-override/--source-repo-prefix
  from the getStaleImages invocation.
- BuildCommand, GenerateBuildMatrixCommand, GetStaleImagesCommand take
  IOptions<PublishConfiguration> via DI.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .../stages/dotnet/publish-config-nonprod.yml  | 12 +++++++
 .../stages/dotnet/publish-config-prod.yml     | 12 +++++++
 .../templates/steps/init-common.yml           | 17 +++++-----
 .../jobs/check-base-image-updates.yml         |  2 --
 src/ImageBuilder.Tests/BuildCommandTests.cs   | 28 +++++++++++++----
 .../GenerateBuildMatrixCommandTests.cs        | 10 +++---
 .../GetStaleImagesCommandTests.cs             |  8 ++++-
 .../PublishConfigurationBindingTests.cs       | 31 +++++++------------
 src/ImageBuilder/Commands/BuildCommand.cs     |  9 ++++--
 src/ImageBuilder/Commands/BuildOptions.cs     |  8 -----
 .../Commands/GenerateBuildMatrixCommand.cs    |  8 +++--
 .../Commands/GenerateBuildMatrixOptions.cs    |  8 -----
 .../Commands/GetStaleImagesCommand.cs         | 13 +++++---
 .../Commands/GetStaleImagesOptions.cs         | 21 -------------
 .../Configuration/PublishConfiguration.cs     | 16 ++++------
 .../Configuration/RegistryEndpoint.cs         |  7 +++++
 src/ImageBuilder/ImageNameResolver.cs         | 24 ++++++++------
 17 files changed, 127 insertions(+), 107 deletions(-)

diff --git a/eng/docker-tools/templates/stages/dotnet/publish-config-nonprod.yml b/eng/docker-tools/templates/stages/dotnet/publish-config-nonprod.yml
index 0ce87d4d2..8eb9d65a0 100644
--- a/eng/docker-tools/templates/stages/dotnet/publish-config-nonprod.yml
+++ b/eng/docker-tools/templates/stages/dotnet/publish-config-nonprod.yml
@@ -63,6 +63,18 @@ stages:
         server: $(public-mirror.server)
         repoPrefix: $(publicMirrorRepoPrefix)
 
+      # Source mirror selected at template-compile time based on the AzDO team
+      # project so the C# app sees a single registry to redirect external
+      # base-image lookups to without any runtime conditionals.
+      ${{ if eq(variables['System.TeamProject'], 'internal') }}:
+        MirrorRegistry:
+          server: $(acr-staging-test.server)
+          repoPrefix: $(internalMirrorRepoPrefix)
+      ${{ else }}:
+        MirrorRegistry:
+          server: $(public-mirror.server)
+          repoPrefix: $(publicMirrorRepoPrefix)
+
       BuildRegistry:
         server: $(acr-staging-test.server)
         repoPrefix: "${{ parameters.stagingRepoPrefix }}${{ parameters.sourceBuildPipelineRunId }}/"
diff --git a/eng/docker-tools/templates/stages/dotnet/publish-config-prod.yml b/eng/docker-tools/templates/stages/dotnet/publish-config-prod.yml
index f90e5e806..51bc320b9 100644
--- a/eng/docker-tools/templates/stages/dotnet/publish-config-prod.yml
+++ b/eng/docker-tools/templates/stages/dotnet/publish-config-prod.yml
@@ -63,6 +63,18 @@ stages:
         server: $(public-mirror.server)
         repoPrefix: $(publicMirrorRepoPrefix)
 
+      # Source mirror selected at template-compile time based on the AzDO team
+      # project so the C# app sees a single registry to redirect external
+      # base-image lookups to without any runtime conditionals.
+      ${{ if eq(variables['System.TeamProject'], 'internal') }}:
+        MirrorRegistry:
+          server: $(acr-staging.server)
+          repoPrefix: $(internalMirrorRepoPrefix)
+      ${{ else }}:
+        MirrorRegistry:
+          server: $(public-mirror.server)
+          repoPrefix: $(publicMirrorRepoPrefix)
+
       BuildRegistry:
         server: $(acr-staging.server)
         repoPrefix: "${{ parameters.stagingRepoPrefix }}${{ parameters.sourceBuildPipelineRunId }}/"
diff --git a/eng/docker-tools/templates/steps/init-common.yml b/eng/docker-tools/templates/steps/init-common.yml
index 03c5babba..99acb8361 100644
--- a/eng/docker-tools/templates/steps/init-common.yml
+++ b/eng/docker-tools/templates/steps/init-common.yml
@@ -86,20 +86,17 @@ steps:
   condition: and(succeeded(), ${{ parameters.condition }})
 
 # Build Registry Configuration
-# Extends commonMatrixAndBuildOptions with registry-specific settings:
-# - Internal builds: Use internal mirror registry prefix and build registry
-#   server to pull/push from private ACR instead of public MCR
-# - Public builds: Override non-MCR base images to use public mirror, reducing
-#   external dependencies and improving build reliability
+# Extends commonMatrixAndBuildOptions with registry-specific settings for
+# internal builds:
+# - Internal builds push outputs to the build registry instead of MCR.
+# - Source mirror selection (for pulling external base images) happens
+#   automatically inside ImageBuilder based on PublishConfiguration loaded
+#   from appsettings.json.
 - ${{ if parameters.publishConfig }}:
   - powershell: |
       $commonMatrixAndBuildOptions = "$(commonMatrixAndBuildOptions)"
       if ("$(System.TeamProject)" -eq "internal" -and "$(Build.Reason)" -ne "PullRequest") {
-        $commonMatrixAndBuildOptions = "$commonMatrixAndBuildOptions --source-repo-prefix ${{ parameters.publishConfig.InternalMirrorRegistry.repoPrefix }} --registry-override ${{ parameters.publishConfig.BuildRegistry.server }}"
-      }
-
-      if ("$(System.TeamProject)" -eq "public" -and "$(public-mirror.server)" -ne "") {
-        $commonMatrixAndBuildOptions = "$commonMatrixAndBuildOptions --source-repo-prefix '' --registry-override '$(public-mirror.server)'"
+        $commonMatrixAndBuildOptions = "$commonMatrixAndBuildOptions --registry-override ${{ parameters.publishConfig.BuildRegistry.server }}"
       }
 
       Write-Host "Setting commonMatrixAndBuildOptions to '$commonMatrixAndBuildOptions'"
diff --git a/eng/pipelines/templates/jobs/check-base-image-updates.yml b/eng/pipelines/templates/jobs/check-base-image-updates.yml
index cfa99473e..e027c6230 100644
--- a/eng/pipelines/templates/jobs/check-base-image-updates.yml
+++ b/eng/pipelines/templates/jobs/check-base-image-updates.yml
@@ -61,8 +61,6 @@ jobs:
       $(dotnetDockerBot.email)
       --gh-token $(BotAccount-dotnet-docker-bot-PAT)
       staleImagePaths
-      --registry-override '${{ parameters.publishConfig.InternalMirrorRegistry.server }}'
-      --source-repo-prefix '${{ parameters.publishConfig.InternalMirrorRegistry.repoPrefix }}'
       --subscriptions-path ${{ parameters.subscriptionsPath }}
       --os-type '*'
       --architecture '*'
diff --git a/src/ImageBuilder.Tests/BuildCommandTests.cs b/src/ImageBuilder.Tests/BuildCommandTests.cs
index 37617f1e2..8098666ec 100644
--- a/src/ImageBuilder.Tests/BuildCommandTests.cs
+++ b/src/ImageBuilder.Tests/BuildCommandTests.cs
@@ -3100,13 +3100,20 @@ public async Task BuildCommand_MirroredImages(bool hasCachedImage, string srcBas
                 gitService: gitServiceMock.Object,
                 copyImageService: copyImageServiceMock.Object,
                 manifestServiceFactory: CreateManifestServiceFactoryMock(manifestServiceMock).Object,
-                imageCacheService: new ImageCacheService(Mock.Of<ILogger<ImageCacheService>>(), gitServiceMock.Object));
+                imageCacheService: new ImageCacheService(Mock.Of<ILogger<ImageCacheService>>(), gitServiceMock.Object),
+                publishConfiguration: new PublishConfiguration
+                {
+                    MirrorRegistry = new RegistryEndpoint
+                    {
+                        Server = RegistryOverride,
+                        RepoPrefix = SourceRepoPrefix,
+                    },
+                });
             command.Options.Manifest = Path.Combine(tempFolderContext.Path, "manifest.json");
             command.Options.ImageInfoOutputPath = Path.Combine(tempFolderContext.Path, "image-info.json");
             command.Options.ImageInfoSourcePath = Path.Combine(tempFolderContext.Path, "src-image-info.json");
             command.Options.IsPushEnabled = true;
             command.Options.SourceRepoUrl = "https://github.com/dotnet/test";
-            command.Options.SourceRepoPrefix = SourceRepoPrefix;
             command.Options.RegistryOverride = RegistryOverride;
             command.Options.RepoPrefix = RepoPrefix;
 
@@ -3443,13 +3450,20 @@ public async Task BuildCommand_MirroredImages_External(string baseImageRegistry,
                 gitService: gitServiceMock.Object,
                 copyImageService: Mock.Of<ICopyImageService>(),
                 manifestServiceFactory: CreateManifestServiceFactoryMock(manifestServiceMock).Object,
-                imageCacheService: new ImageCacheService(Mock.Of<ILogger<ImageCacheService>>(), gitServiceMock.Object));
+                imageCacheService: new ImageCacheService(Mock.Of<ILogger<ImageCacheService>>(), gitServiceMock.Object),
+                publishConfiguration: new PublishConfiguration
+                {
+                    MirrorRegistry = new RegistryEndpoint
+                    {
+                        Server = RegistryOverride,
+                        RepoPrefix = SourceRepoPrefix,
+                    },
+                });
             command.Options.Manifest = Path.Combine(tempFolderContext.Path, "manifest.json");
             command.Options.ImageInfoOutputPath = Path.Combine(tempFolderContext.Path, "image-info.json");
             command.Options.IsPushEnabled = true;
             command.Options.SourceRepoUrl = "https://github.com/dotnet/test";
             command.Options.RegistryOverride = RegistryOverride;
-            command.Options.SourceRepoPrefix = SourceRepoPrefix;
 
             const string ProductVersion = "1.0.1";
 
@@ -3512,7 +3526,8 @@ private static BuildCommand CreateBuildCommand(
             IManifestServiceFactory? manifestServiceFactory = null,
             IRegistryCredentialsProvider? registryCredentialsProvider = null,
             IAzureTokenCredentialProvider? azureTokenCredentialProvider = null,
-            IImageCacheService? imageCacheService = null)
+            IImageCacheService? imageCacheService = null,
+            PublishConfiguration? publishConfiguration = null)
         {
             BuildCommand command = new(
                 manifestJsonService ?? TestHelper.CreateManifestJsonService(),
@@ -3524,7 +3539,8 @@ private static BuildCommand CreateBuildCommand(
                 manifestServiceFactory ?? Mock.Of<IManifestServiceFactory>(),
                 registryCredentialsProvider ?? Mock.Of<IRegistryCredentialsProvider>(),
                 azureTokenCredentialProvider ?? Mock.Of<IAzureTokenCredentialProvider>(),
-                imageCacheService ?? Mock.Of<IImageCacheService>());
+                imageCacheService ?? Mock.Of<IImageCacheService>(),
+                Microsoft.Extensions.Options.Options.Create(publishConfiguration ?? new PublishConfiguration()));
 
             return command;
         }
diff --git a/src/ImageBuilder.Tests/GenerateBuildMatrixCommandTests.cs b/src/ImageBuilder.Tests/GenerateBuildMatrixCommandTests.cs
index d017fd0e1..8ca7cb889 100644
--- a/src/ImageBuilder.Tests/GenerateBuildMatrixCommandTests.cs
+++ b/src/ImageBuilder.Tests/GenerateBuildMatrixCommandTests.cs
@@ -10,10 +10,12 @@
 using System.Net.Http;
 using System.Threading.Tasks;
 using Microsoft.DotNet.ImageBuilder.Commands;
+using Microsoft.DotNet.ImageBuilder.Configuration;
 using Microsoft.DotNet.ImageBuilder.Models.Image;
 using Microsoft.DotNet.ImageBuilder.Models.Manifest;
 using Microsoft.DotNet.ImageBuilder.Tests.Helpers;
 using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
 using Moq;
 using Newtonsoft.Json;
 using Xunit;
@@ -257,7 +259,7 @@ public async Task FilterOutCachedImages(
             SetCacheResult(imageCacheServiceMock, dockerfileRuntime2Path, ImageCacheState.NotCached);
             SetCacheResult(imageCacheServiceMock, dockerfileSdk2Path, ImageCacheState.NotCached);
 
-            GenerateBuildMatrixCommand command = new(TestHelper.CreateManifestJsonService(), imageCacheServiceMock.Object, Mock.Of<IManifestServiceFactory>(), Mock.Of<ILogger<GenerateBuildMatrixCommand>>());
+            GenerateBuildMatrixCommand command = new(TestHelper.CreateManifestJsonService(), imageCacheServiceMock.Object, Mock.Of<IManifestServiceFactory>(), Mock.Of<ILogger<GenerateBuildMatrixCommand>>(), Microsoft.Extensions.Options.Options.Create(new PublishConfiguration()));
             command.Options.Manifest = Path.Combine(tempFolderContext.Path, "manifest.json");
             command.Options.MatrixType = MatrixType.PlatformDependencyGraph;
             command.Options.ImageInfoPath = Path.Combine(tempFolderContext.Path, "imageinfo.json");
@@ -1677,14 +1679,14 @@ private static GenerateBuildMatrixCommand SetupTrimCacheTest(
                 TestHelper.CreateManifestJsonService(),
                 imageCacheService,
                 manifestServiceFactoryMock.Object,
-                Mock.Of<ILogger<GenerateBuildMatrixCommand>>());
+                Mock.Of<ILogger<GenerateBuildMatrixCommand>>(),
+                Microsoft.Extensions.Options.Options.Create(new PublishConfiguration()));
 
             command.Options.Manifest = Path.Combine(tempFolderContext.Path, "manifest.json");
             command.Options.MatrixType = MatrixType.PlatformDependencyGraph;
             command.Options.ImageInfoPath = Path.Combine(tempFolderContext.Path, "imageinfo.json");
             command.Options.TrimCachedImages = true;
             command.Options.SourceRepoUrl = sourceRepoUrl;
-            command.Options.SourceRepoPrefix = "mirror/";
 
             File.WriteAllText(
                 Path.Combine(tempFolderContext.Path, command.Options.Manifest),
@@ -1720,6 +1722,6 @@ private static GenerateBuildMatrixCommand SetupTrimCacheTest(
         }
 
         private static GenerateBuildMatrixCommand CreateCommand() =>
-            new(TestHelper.CreateManifestJsonService(), Mock.Of<IImageCacheService>(), Mock.Of<IManifestServiceFactory>(), Mock.Of<ILogger<GenerateBuildMatrixCommand>>());
+            new(TestHelper.CreateManifestJsonService(), Mock.Of<IImageCacheService>(), Mock.Of<IManifestServiceFactory>(), Mock.Of<ILogger<GenerateBuildMatrixCommand>>(), Microsoft.Extensions.Options.Options.Create(new PublishConfiguration()));
     }
 }
diff --git a/src/ImageBuilder.Tests/GetStaleImagesCommandTests.cs b/src/ImageBuilder.Tests/GetStaleImagesCommandTests.cs
index 31a10863f..b086f230c 100644
--- a/src/ImageBuilder.Tests/GetStaleImagesCommandTests.cs
+++ b/src/ImageBuilder.Tests/GetStaleImagesCommandTests.cs
@@ -13,6 +13,7 @@
 using System.Threading.Tasks;
 using LibGit2Sharp;
 using Microsoft.DotNet.ImageBuilder.Commands;
+using Microsoft.DotNet.ImageBuilder.Configuration;
 using Microsoft.DotNet.ImageBuilder.Models.Image;
 using Microsoft.DotNet.ImageBuilder.Models.Manifest;
 using Microsoft.DotNet.ImageBuilder.Models.Subscription;
@@ -1676,7 +1677,12 @@ private string SerializeJsonObjectToTempFile(object jsonObject)
             private GetStaleImagesCommand CreateCommand()
             {
                 GetStaleImagesCommand command = new(
-                    this.ManifestServiceFactoryMock.Object, TestHelper.CreateManifestJsonService(), this.loggerServiceMock.Object, this.octokitClientFactory, this.gitService);
+                    this.ManifestServiceFactoryMock.Object,
+                    TestHelper.CreateManifestJsonService(),
+                    this.loggerServiceMock.Object,
+                    this.octokitClientFactory,
+                    this.gitService,
+                    Microsoft.Extensions.Options.Options.Create(new PublishConfiguration()));
                 command.Options.SubscriptionOptions.SubscriptionsPath = this.subscriptionsPath;
                 command.Options.VariableName = VariableName;
                 command.Options.FilterOptions.Platform.OsType = this.osType;
diff --git a/src/ImageBuilder.Tests/PublishConfigurationBindingTests.cs b/src/ImageBuilder.Tests/PublishConfigurationBindingTests.cs
index 0220524e3..ffd47703a 100644
--- a/src/ImageBuilder.Tests/PublishConfigurationBindingTests.cs
+++ b/src/ImageBuilder.Tests/PublishConfigurationBindingTests.cs
@@ -32,11 +32,9 @@ public class PublishConfigurationBindingTests
             "PublishRegistry": {
               "Server": "publish.azurecr.io"
             },
-            "InternalMirrorRegistry": {
-              "Server": "internal-mirror.azurecr.io"
-            },
-            "PublicMirrorRegistry": {
-              "Server": "public-mirror.azurecr.io"
+            "MirrorRegistry": {
+              "Server": "mirror.azurecr.io",
+              "RepoPrefix": "mirror/"
             },
             "RegistryAuthentication": [
               {
@@ -77,11 +75,9 @@ public void AddPublishConfiguration_BindsAllRegistryEndpoints()
         config.PublishRegistry.ShouldNotBeNull();
         config.PublishRegistry.Server.ShouldBe("publish.azurecr.io");
 
-        config.InternalMirrorRegistry.ShouldNotBeNull();
-        config.InternalMirrorRegistry.Server.ShouldBe("internal-mirror.azurecr.io");
-
-        config.PublicMirrorRegistry.ShouldNotBeNull();
-        config.PublicMirrorRegistry.Server.ShouldBe("public-mirror.azurecr.io");
+        config.MirrorRegistry.ShouldNotBeNull();
+        config.MirrorRegistry.Server.ShouldBe("mirror.azurecr.io");
+        config.MirrorRegistry.RepoPrefix.ShouldBe("mirror/");
     }
 
     [Fact]
@@ -117,11 +113,10 @@ public void AddPublishConfiguration_GetKnownRegistries_ReturnsAllEndpoints()
         PublishConfiguration config = BuildConfiguration(FullConfigJson);
         var knownRegistries = config.GetKnownRegistries().ToList();
 
-        knownRegistries.Count.ShouldBe(4);
+        knownRegistries.Count.ShouldBe(3);
         knownRegistries.ShouldContain(r => r.Server == "build.azurecr.io");
         knownRegistries.ShouldContain(r => r.Server == "publish.azurecr.io");
-        knownRegistries.ShouldContain(r => r.Server == "internal-mirror.azurecr.io");
-        knownRegistries.ShouldContain(r => r.Server == "public-mirror.azurecr.io");
+        knownRegistries.ShouldContain(r => r.Server == "mirror.azurecr.io");
     }
 
     [Fact]
@@ -174,8 +169,7 @@ public void AddPublishConfiguration_PartialConfig_HandlesNulls()
         config.BuildRegistry.ShouldNotBeNull();
         config.BuildRegistry.Server.ShouldBe("build.azurecr.io");
         config.PublishRegistry.ShouldBeNull();
-        config.InternalMirrorRegistry.ShouldBeNull();
-        config.PublicMirrorRegistry.ShouldBeNull();
+        config.MirrorRegistry.ShouldBeNull();
         config.RegistryAuthentication.ShouldBeEmpty();
     }
 
@@ -192,8 +186,7 @@ public void AddPublishConfiguration_EmptyConfig_DefaultsToEmpty()
 
         config.BuildRegistry.ShouldBeNull();
         config.PublishRegistry.ShouldBeNull();
-        config.InternalMirrorRegistry.ShouldBeNull();
-        config.PublicMirrorRegistry.ShouldBeNull();
+        config.MirrorRegistry.ShouldBeNull();
         config.RegistryAuthentication.ShouldBeEmpty();
     }
 
@@ -206,7 +199,7 @@ public void AddPublishConfiguration_SharedAuthentication_MultipleRegistriesCanUs
                 "BuildRegistry": {
                   "Server": "shared.azurecr.io"
                 },
-                "InternalMirrorRegistry": {
+                "MirrorRegistry": {
                   "Server": "shared.azurecr.io"
                 },
                 "RegistryAuthentication": [
@@ -225,7 +218,7 @@ public void AddPublishConfiguration_SharedAuthentication_MultipleRegistriesCanUs
         PublishConfiguration config = BuildConfiguration(sharedAuthJson);
 
         var buildAuth = config.FindRegistryAuthentication(config.BuildRegistry!.Server!);
-        var mirrorAuth = config.FindRegistryAuthentication(config.InternalMirrorRegistry!.Server!);
+        var mirrorAuth = config.FindRegistryAuthentication(config.MirrorRegistry!.Server!);
 
         buildAuth.ShouldNotBeNull();
         mirrorAuth.ShouldNotBeNull();
diff --git a/src/ImageBuilder/Commands/BuildCommand.cs b/src/ImageBuilder/Commands/BuildCommand.cs
index 401515e98..666c5da9a 100644
--- a/src/ImageBuilder/Commands/BuildCommand.cs
+++ b/src/ImageBuilder/Commands/BuildCommand.cs
@@ -10,8 +10,10 @@
 using System.Threading;
 using System.Threading.Tasks;
 using Azure.Core;
+using Microsoft.DotNet.ImageBuilder.Configuration;
 using Microsoft.DotNet.ImageBuilder.Models.Image;
 using Microsoft.DotNet.ImageBuilder.ViewModel;
+using Microsoft.Extensions.Options;
 
 namespace Microsoft.DotNet.ImageBuilder.Commands
 {
@@ -50,7 +52,8 @@ public BuildCommand(
             IManifestServiceFactory manifestServiceFactory,
             IRegistryCredentialsProvider registryCredentialsProvider,
             IAzureTokenCredentialProvider tokenCredentialProvider,
-            IImageCacheService imageCacheService) : base(manifestJsonService)
+            IImageCacheService imageCacheService,
+            IOptions<PublishConfiguration> publishConfigOptions) : base(manifestJsonService)
         {
             _dockerService = new DockerServiceCache(dockerService ?? throw new ArgumentNullException(nameof(dockerService)));
             _logger = logger ?? throw new ArgumentNullException(nameof(logger));
@@ -60,6 +63,8 @@ public BuildCommand(
             _registryCredentialsProvider = registryCredentialsProvider ?? throw new ArgumentNullException(nameof(registryCredentialsProvider));
             _tokenCredentialProvider = tokenCredentialProvider ?? throw new ArgumentNullException(nameof(tokenCredentialProvider));
             _imageCacheService = imageCacheService ?? throw new ArgumentNullException(nameof(imageCacheService));
+            ArgumentNullException.ThrowIfNull(publishConfigOptions);
+            PublishConfiguration publishConfig = publishConfigOptions.Value;
 
             // Lazily create services which need access to options
             ArgumentNullException.ThrowIfNull(manifestServiceFactory);
@@ -71,7 +76,7 @@ public BuildCommand(
                 new ImageNameResolverForBuild(
                     Manifest,
                     Options.RepoPrefix,
-                    Options.SourceRepoPrefix));
+                    publishConfig.MirrorRegistry));
 
             _storageAccountToken = new Lazy<string?>(() =>
             {
diff --git a/src/ImageBuilder/Commands/BuildOptions.cs b/src/ImageBuilder/Commands/BuildOptions.cs
index 7eaf64321..9ab17abd1 100644
--- a/src/ImageBuilder/Commands/BuildOptions.cs
+++ b/src/ImageBuilder/Commands/BuildOptions.cs
@@ -24,7 +24,6 @@ public class BuildOptions : ManifestOptions, IFilterableOptions
         public string? ImageInfoSourcePath { get; set; }
         public string? SourceRepoUrl { get; set; }
         public bool NoCache { get; set; }
-        public string? SourceRepoPrefix { get; set; }
         public IDictionary<string, string> BuildArgs { get; set; } = new Dictionary<string, string>();
         public string[] DockerBuildOptions { get; set; } = [];
         public bool SkipPlatformCheck { get; set; }
@@ -73,11 +72,6 @@ public class BuildOptions : ManifestOptions, IFilterableOptions
             Description = "Disables build cache feature"
         };
 
-        private static readonly Option<string?> SourceRepoPrefixOption = new("--source-repo-prefix")
-        {
-            Description = "Prefix to add to the external base image names when pulling them"
-        };
-
         private static readonly Option<Dictionary<string, string>> BuildArgsOption =
             CliHelper.CreateDictionaryOption("--build-arg",
                 "Build argument to pass to the Dockerfiles (<name>=<value>)");
@@ -118,7 +112,6 @@ public override IEnumerable<Option> GetCliOptions() =>
             ImageInfoSourcePathOption,
             SourceRepoOption,
             NoCacheOption,
-            SourceRepoPrefixOption,
             BuildArgsOption,
             DockerBuildOption,
             SkipPlatformCheckOption,
@@ -146,7 +139,6 @@ public override void Bind(ParseResult result)
             ImageInfoSourcePath = result.GetValue(ImageInfoSourcePathOption);
             SourceRepoUrl = result.GetValue(SourceRepoOption);
             NoCache = result.GetValue(NoCacheOption);
-            SourceRepoPrefix = result.GetValue(SourceRepoPrefixOption);
             BuildArgs = result.GetValue(BuildArgsOption) ?? new Dictionary<string, string>();
             DockerBuildOptions = result.GetValue(DockerBuildOption) ?? [];
             SkipPlatformCheck = result.GetValue(SkipPlatformCheckOption);
diff --git a/src/ImageBuilder/Commands/GenerateBuildMatrixCommand.cs b/src/ImageBuilder/Commands/GenerateBuildMatrixCommand.cs
index cff3d5912..caf4d7f4a 100644
--- a/src/ImageBuilder/Commands/GenerateBuildMatrixCommand.cs
+++ b/src/ImageBuilder/Commands/GenerateBuildMatrixCommand.cs
@@ -8,9 +8,11 @@
 using System.Linq;
 using System.Text.RegularExpressions;
 using System.Threading.Tasks;
+using Microsoft.DotNet.ImageBuilder.Configuration;
 using Microsoft.DotNet.ImageBuilder.Models.Image;
 using Microsoft.DotNet.ImageBuilder.Models.Manifest;
 using Microsoft.DotNet.ImageBuilder.ViewModel;
+using Microsoft.Extensions.Options;
 
 namespace Microsoft.DotNet.ImageBuilder.Commands
 {
@@ -26,10 +28,12 @@ public class GenerateBuildMatrixCommand : ManifestCommand<GenerateBuildMatrixOpt
         private readonly ImageDigestCache _imageDigestCache;
         private readonly Lazy<ImageNameResolverForMatrix> _imageNameResolver;
 
-        public GenerateBuildMatrixCommand(IManifestJsonService manifestJsonService, IImageCacheService imageCacheService, IManifestServiceFactory manifestServiceFactory, ILogger<GenerateBuildMatrixCommand> logger) : base(manifestJsonService)
+        public GenerateBuildMatrixCommand(IManifestJsonService manifestJsonService, IImageCacheService imageCacheService, IManifestServiceFactory manifestServiceFactory, ILogger<GenerateBuildMatrixCommand> logger, IOptions<PublishConfiguration> publishConfigOptions) : base(manifestJsonService)
         {
             _imageCacheService = imageCacheService ?? throw new ArgumentNullException(nameof(imageCacheService));
             _logger = logger ?? throw new ArgumentNullException(nameof(logger));
+            ArgumentNullException.ThrowIfNull(publishConfigOptions);
+            PublishConfiguration publishConfig = publishConfigOptions.Value;
             _imageArtifactDetails = new Lazy<ImageArtifactDetails?>(() =>
             {
                 if (Options.ImageInfoPath != null)
@@ -43,7 +47,7 @@ public GenerateBuildMatrixCommand(IManifestJsonService manifestJsonService, IIma
                 new Lazy<IManifestService>(
                     () => manifestServiceFactory.Create(Options.CredentialsOptions)));
             _imageNameResolver = new Lazy<ImageNameResolverForMatrix>(() =>
-                new ImageNameResolverForMatrix(Manifest, Options.RepoPrefix, Options.SourceRepoPrefix));
+                new ImageNameResolverForMatrix(Manifest, Options.RepoPrefix, publishConfig.MirrorRegistry));
         }
 
         protected override string Description => "Generate the Azure DevOps build matrix for building the images";
diff --git a/src/ImageBuilder/Commands/GenerateBuildMatrixOptions.cs b/src/ImageBuilder/Commands/GenerateBuildMatrixOptions.cs
index 88939d580..46974cc8e 100644
--- a/src/ImageBuilder/Commands/GenerateBuildMatrixOptions.cs
+++ b/src/ImageBuilder/Commands/GenerateBuildMatrixOptions.cs
@@ -19,7 +19,6 @@ public class GenerateBuildMatrixOptions : ManifestOptions, IFilterableOptions
         public int ProductVersionComponents { get; set; }
         public string? ImageInfoPath { get; set; }
         public IEnumerable<string> DistinctMatrixOsVersions { get; set; } = Enumerable.Empty<string>();
-        public string? SourceRepoPrefix { get; set; }
         public string? SourceRepoUrl { get; set; }
         public RegistryCredentialsOptions CredentialsOptions { get; set; } = new();
         public bool TrimCachedImages { get; set; }
@@ -57,11 +56,6 @@ public class GenerateBuildMatrixOptions : ManifestOptions, IFilterableOptions
             AllowMultipleArgumentsPerToken = false
         };
 
-        private static readonly Option<string?> SourceRepoPrefixOption = new("--source-repo-prefix")
-        {
-            Description = "Prefix to add to the external base image names when pulling them"
-        };
-
         private static readonly Option<string?> SourceRepoOption = new("--source-repo")
         {
             Description = "Repo URL of the Dockerfile sources"
@@ -82,7 +76,6 @@ public override IEnumerable<Option> GetCliOptions() =>
             ProductVersionComponentsOption,
             ImageInfoOption,
             DistinctMatrixOsVersionsOption,
-            SourceRepoPrefixOption,
             SourceRepoOption,
             TrimCachedImagesOption,
         ];
@@ -104,7 +97,6 @@ public override void Bind(ParseResult result)
             ProductVersionComponents = result.GetValue(ProductVersionComponentsOption);
             ImageInfoPath = result.GetValue(ImageInfoOption);
             DistinctMatrixOsVersions = result.GetValue(DistinctMatrixOsVersionsOption) ?? [];
-            SourceRepoPrefix = result.GetValue(SourceRepoPrefixOption);
             SourceRepoUrl = result.GetValue(SourceRepoOption);
             TrimCachedImages = result.GetValue(TrimCachedImagesOption);
         }
diff --git a/src/ImageBuilder/Commands/GetStaleImagesCommand.cs b/src/ImageBuilder/Commands/GetStaleImagesCommand.cs
index 8fb95cf2d..53783741a 100644
--- a/src/ImageBuilder/Commands/GetStaleImagesCommand.cs
+++ b/src/ImageBuilder/Commands/GetStaleImagesCommand.cs
@@ -7,8 +7,10 @@
 using System.Linq;
 using System.Threading;
 using System.Threading.Tasks;
+using Microsoft.DotNet.ImageBuilder.Configuration;
 using Microsoft.DotNet.ImageBuilder.Models.Image;
 using Microsoft.DotNet.ImageBuilder.ViewModel;
+using Microsoft.Extensions.Options;
 using Newtonsoft.Json;
 using Octokit;
 
@@ -23,18 +25,22 @@ public class GetStaleImagesCommand : Command<GetStaleImagesOptions>
         private readonly ILogger<GetStaleImagesCommand> _logger;
         private readonly IOctokitClientFactory _octokitClientFactory;
         private readonly IGitService _gitService;
+        private readonly RegistryEndpoint? _sourceMirror;
 
         public GetStaleImagesCommand(
             IManifestServiceFactory manifestServiceFactory,
             IManifestJsonService manifestJsonService,
             ILogger<GetStaleImagesCommand> logger,
             IOctokitClientFactory octokitClientFactory,
-            IGitService gitService)
+            IGitService gitService,
+            IOptions<PublishConfiguration> publishConfigOptions)
         {
             _manifestJsonService = manifestJsonService ?? throw new ArgumentNullException(nameof(manifestJsonService));
             _logger = logger;
             _octokitClientFactory = octokitClientFactory;
             _gitService = gitService;
+            ArgumentNullException.ThrowIfNull(publishConfigOptions);
+            _sourceMirror = publishConfigOptions.Value.MirrorRegistry;
 
             // Don't worry about authenticating to our own ACR, since we are checking base image digests from public
             // registries instead of our staging location. Registry credentials are needed however to prevent rate
@@ -58,8 +64,7 @@ public override async Task ExecuteAsync()
                     Options.SubscriptionOptions.SubscriptionsPath,
                     Options.FilterOptions,
                     _gitService,
-                    _manifestJsonService,
-                    manifestOptions => manifestOptions.RegistryOverride = Options.RegistryOverride)
+                    _manifestJsonService)
                 .Select(async subscriptionManifest =>
                     new SubscriptionImagePaths
                     {
@@ -94,7 +99,7 @@ private async Task<IEnumerable<string>> GetPathsToRebuildAsync(Models.Subscripti
             ImageNameResolverForMatrix imageNameResolver = new(
                 manifest,
                 repoPrefix: null,
-                sourceRepoPrefix: Options.SourceRepoPrefix);
+                sourceMirror: _sourceMirror);
 
             List<string> pathsToRebuild = new();
 
diff --git a/src/ImageBuilder/Commands/GetStaleImagesOptions.cs b/src/ImageBuilder/Commands/GetStaleImagesOptions.cs
index 65c061c45..f0361f61f 100644
--- a/src/ImageBuilder/Commands/GetStaleImagesOptions.cs
+++ b/src/ImageBuilder/Commands/GetStaleImagesOptions.cs
@@ -21,10 +21,6 @@ public class GetStaleImagesOptions : Options, IFilterableOptions, IGitOptionsHos
 
         public RegistryCredentialsOptions CredentialsOptions { get; set; } = new RegistryCredentialsOptions();
 
-        public string? RegistryOverride { get; set; }
-
-        public string? SourceRepoPrefix { get; set; }
-
         private static readonly GitOptionsBuilder GitBuilder = GitOptionsBuilder.BuildForRepositoryOperations();
 
         private static readonly Argument<string> VariableNameArgument = new(nameof(VariableName))
@@ -32,19 +28,6 @@ public class GetStaleImagesOptions : Options, IFilterableOptions, IGitOptionsHos
             Description = "The Azure Pipeline variable name to assign the image paths to"
         };
 
-        private static readonly Option<string?> RegistryOverrideOption = new($"--{ManifestOptions.RegistryOverrideName}")
-        {
-            Description = "Alternative registry that overrides the registry defined in each subscription's manifest. " +
-                "Used together with --source-repo-prefix to redirect external base image lookups to a mirror location."
-        };
-
-        private static readonly Option<string?> SourceRepoPrefixOption = new("--source-repo-prefix")
-        {
-            Description = "Repo prefix used to locate mirrored external base images in the overridden registry " +
-                "(e.g. 'mirror/'). Combined with --registry-override, external FROM tags are resolved against " +
-                "'<registry-override>/<source-repo-prefix><original-repo>:<tag>' instead of their public source."
-        };
-
         public override IEnumerable<Option> GetCliOptions() =>
         [
             ..base.GetCliOptions(),
@@ -52,8 +35,6 @@ public override IEnumerable<Option> GetCliOptions() =>
             ..FilterOptions.GetCliOptions(),
             ..GitBuilder.GetCliOptions(),
             ..CredentialsOptions.GetCliOptions(),
-            RegistryOverrideOption,
-            SourceRepoPrefixOption,
         ];
 
         public override IEnumerable<Argument> GetCliArguments() =>
@@ -79,8 +60,6 @@ public override void Bind(ParseResult result)
             FilterOptions.Bind(result);
             GitBuilder.Bind(result, GitOptions);
             CredentialsOptions.Bind(result);
-            RegistryOverride = result.GetValue(RegistryOverrideOption);
-            SourceRepoPrefix = result.GetValue(SourceRepoPrefixOption);
             VariableName = result.GetValue(VariableNameArgument) ?? string.Empty;
         }
     }
diff --git a/src/ImageBuilder/Configuration/PublishConfiguration.cs b/src/ImageBuilder/Configuration/PublishConfiguration.cs
index a9f26c825..c7d67ce58 100644
--- a/src/ImageBuilder/Configuration/PublishConfiguration.cs
+++ b/src/ImageBuilder/Configuration/PublishConfiguration.cs
@@ -23,15 +23,12 @@ public sealed record PublishConfiguration
     public RegistryEndpoint? PublishRegistry { get; set; }
 
     /// <summary>
-    /// External image dependencies are mirrored to this registry.
+    /// Registry that holds mirrored copies of external base images. The pipeline templates
+    /// select the correct mirror (internal staging vs. public mirror) at template-compile
+    /// time based on the AzDO team project, so the app sees a single registry to redirect
+    /// external base-image lookups to without any runtime conditionals.
     /// </summary>
-    public RegistryEndpoint? InternalMirrorRegistry { get; set; }
-
-    /// <summary>
-    /// External images are mirrored to this registry. This registry has anonymous pull access
-    /// enabled so that it can be used in public PR validation.
-    /// </summary>
-    public RegistryEndpoint? PublicMirrorRegistry { get; set; }
+    public RegistryEndpoint? MirrorRegistry { get; set; }
 
     /// <summary>
     /// Configuration for container image signing via ESRP.
@@ -64,8 +61,7 @@ public IEnumerable<RegistryEndpoint> GetKnownRegistries()
         [
             BuildRegistry,
             PublishRegistry,
-            InternalMirrorRegistry,
-            PublicMirrorRegistry
+            MirrorRegistry
         ];
 
         // Use OfType to filter out null values, since Where(x => x is not null)
diff --git a/src/ImageBuilder/Configuration/RegistryEndpoint.cs b/src/ImageBuilder/Configuration/RegistryEndpoint.cs
index 22a348f36..9c2a00f41 100644
--- a/src/ImageBuilder/Configuration/RegistryEndpoint.cs
+++ b/src/ImageBuilder/Configuration/RegistryEndpoint.cs
@@ -20,4 +20,11 @@ public sealed record RegistryEndpoint
     /// "mcr.microsoft.com", "ghcr.io", "localhost:5000".
     /// </summary>
     public string? Server { get; set; }
+
+    /// <summary>
+    /// Optional repo prefix used to scope images within the registry.
+    /// Examples: "mirror/", "dotnet-staging/12345/". Should include a trailing
+    /// slash when set so it can be concatenated directly with a repo name.
+    /// </summary>
+    public string? RepoPrefix { get; set; }
 }
diff --git a/src/ImageBuilder/ImageNameResolver.cs b/src/ImageBuilder/ImageNameResolver.cs
index b57d1f522..4846d266b 100644
--- a/src/ImageBuilder/ImageNameResolver.cs
+++ b/src/ImageBuilder/ImageNameResolver.cs
@@ -1,6 +1,7 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
+using Microsoft.DotNet.ImageBuilder.Configuration;
 using Microsoft.DotNet.ImageBuilder.ViewModel;
 
 namespace Microsoft.DotNet.ImageBuilder;
@@ -8,13 +9,13 @@ namespace Microsoft.DotNet.ImageBuilder;
 public abstract class ImageNameResolver
 {
     private readonly string? _repoPrefix;
-    private readonly string? _sourceRepoPrefix;
+    private readonly RegistryEndpoint? _sourceMirror;
 
-    public ImageNameResolver(ManifestInfo manifest, string? repoPrefix, string? sourceRepoPrefix)
+    public ImageNameResolver(ManifestInfo manifest, string? repoPrefix, RegistryEndpoint? sourceMirror)
     {
         Manifest = manifest;
         _repoPrefix = repoPrefix;
-        _sourceRepoPrefix = sourceRepoPrefix;
+        _sourceMirror = sourceMirror;
     }
 
     protected ManifestInfo Manifest { get; }
@@ -64,19 +65,22 @@ public string GetFromImagePublicTag(string fromImage)
     /// <param name="fromImage">Tag of the FROM image.</param>
     /// <param name="registry">Registry to use for comparing against the tag to determine if it's owned internally or external.</param>
     /// <remarks>
-    /// This is meant to provide support for external images that need to be pulled from the mirror location.
+    /// External FROM images are redirected to the configured source mirror so they can be pulled from
+    /// an internal/public mirror registry rather than their original source (e.g. docker.io). The source
+    /// mirror is independent of the manifest's destination registry, so this redirection affects pulls only
+    /// and does not alter the destination tag of built images.
     /// </remarks>
     private string GetFromImageTag(string fromImage, string? registry)
     {
         if ((registry is not null && DockerHelper.IsInRegistry(fromImage, registry)) ||
             DockerHelper.IsInRegistry(fromImage, Manifest.Model.Registry)
-            || _sourceRepoPrefix is null)
+            || _sourceMirror?.Server is null)
         {
             return fromImage;
         }
 
         string srcImage = TrimInternallyOwnedRegistryAndRepoPrefix(DockerHelper.NormalizeRepo(fromImage));
-        return $"{Manifest.Registry}/{_sourceRepoPrefix}{srcImage}";
+        return $"{_sourceMirror.Server}/{_sourceMirror.RepoPrefix}{srcImage}";
     }
 
     protected string TrimInternallyOwnedRegistryAndRepoPrefix(string imageTag) =>
@@ -94,8 +98,8 @@ public class ImageNameResolverForBuild : ImageNameResolver
     public ImageNameResolverForBuild(
         ManifestInfo manifest,
         string? repoPrefix,
-        string? sourceRepoPrefix)
-        : base(manifest, repoPrefix, sourceRepoPrefix)
+        RegistryEndpoint? sourceMirror)
+        : base(manifest, repoPrefix, sourceMirror)
     {
     }
 
@@ -124,8 +128,8 @@ public class ImageNameResolverForMatrix : ImageNameResolver
     public ImageNameResolverForMatrix(
         ManifestInfo manifest,
         string? repoPrefix,
-        string? sourceRepoPrefix)
-        : base(manifest, repoPrefix, sourceRepoPrefix)
+        RegistryEndpoint? sourceMirror)
+        : base(manifest, repoPrefix, sourceMirror)
     {
     }
 

From e592079b68f15e1b365a80bd9d730f3811980013 Mon Sep 17 00:00:00 2001
From: Logan Bussell <loganbussell@microsoft.com>
Date: Fri, 22 May 2026 19:04:42 -0700
Subject: [PATCH 08/10] Reformat some stuff

---
 eng/docker-tools/CHANGELOG.md                 | 23 +++++++++++++++----
 src/ImageBuilder/Commands/BuildCommand.cs     |  3 +--
 .../Commands/GenerateBuildMatrixCommand.cs    |  8 ++++++-
 3 files changed, 26 insertions(+), 8 deletions(-)

diff --git a/eng/docker-tools/CHANGELOG.md b/eng/docker-tools/CHANGELOG.md
index dc805b62c..74ea2f9c9 100644
--- a/eng/docker-tools/CHANGELOG.md
+++ b/eng/docker-tools/CHANGELOG.md
@@ -4,22 +4,35 @@ All breaking changes and new features in `eng/docker-tools` will be documented i
 
 ---
 
-## 2026-05-22: Remove `--base-override-regex` / `--base-override-sub`
+## 2026-05-22: Remove `--base-override-regex` / `--base-override-sub` options
 
-ImageBuilder's `--base-override-regex` and `--base-override-sub` options have been removed from the `build`, `buildMatrix`, `copyBaseImages`, and `getStaleImages` commands. The same redirection to a mirror registry is expressed by the existing `--registry-override` + `--source-repo-prefix` pair, which is type-checked rather than an opaque regex/replacement and handles the digest-comparison path correctly.
+ImageBuilder's `--base-override-regex` and `--base-override-sub` options have
+been removed from the `build`, `buildMatrix`, `copyBaseImages`, and
+`getStaleImages` commands. The same redirection to a mirror registry is
+expressed by the existing `--registry-override` + `--source-repo-prefix` pair,
+which is type-checked rather than an opaque regex/replacement and handles the
+digest-comparison path correctly.
 
-`init-common.yml` has been updated to use the new options for the public-build mirror redirect.
+`init-common.yml` has been updated to use the new options for the public-build
+mirror redirect.
 
 **Migration for downstream repos:**
 
-If you invoke ImageBuilder directly with `--base-override-regex/--base-override-sub`, replace them with `--registry-override <server>` and `--source-repo-prefix <prefix>`. Example:
+If you invoke ImageBuilder directly with `--base-override-regex` or
+`--base-override-sub`, replace them with `--registry-override <server>` and
+`--source-repo-prefix <prefix>`. Example:
 
 ```diff
 - --base-override-regex '^(?!mcr\.microsoft\.com)' --base-override-sub '$(public-mirror.server)/'
 + --source-repo-prefix '' --registry-override '$(public-mirror.server)'
 ```
 
-The `dotnet-buildtools-prereqs-docker` repo has a custom `eng/pipelines/steps/set-base-image-override-options.yml` that uses these options. Its current configuration matches no current Dockerfile FROM line (Dockerfiles use `library/<distro>:<tag>` rather than `<distro>:<tag>`), so removing the file and its two call sites in `eng/pipelines/stages/dotnet-buildtools-prereqs.yml` is a no-op behaviorally.
+The `dotnet-buildtools-prereqs-docker` repo has a custom
+`eng/pipelines/steps/set-base-image-override-options.yml` that uses these
+options. Its current configuration matches no current Dockerfile FROM line
+(Dockerfiles use `library/<distro>:<tag>` rather than `<distro>:<tag>`), so
+removing the file and its two call sites in
+`eng/pipelines/stages/dotnet-buildtools-prereqs.yml` is a no-op behaviorally.
 
 ---
 
diff --git a/src/ImageBuilder/Commands/BuildCommand.cs b/src/ImageBuilder/Commands/BuildCommand.cs
index 666c5da9a..34cb330ef 100644
--- a/src/ImageBuilder/Commands/BuildCommand.cs
+++ b/src/ImageBuilder/Commands/BuildCommand.cs
@@ -63,8 +63,7 @@ public BuildCommand(
             _registryCredentialsProvider = registryCredentialsProvider ?? throw new ArgumentNullException(nameof(registryCredentialsProvider));
             _tokenCredentialProvider = tokenCredentialProvider ?? throw new ArgumentNullException(nameof(tokenCredentialProvider));
             _imageCacheService = imageCacheService ?? throw new ArgumentNullException(nameof(imageCacheService));
-            ArgumentNullException.ThrowIfNull(publishConfigOptions);
-            PublishConfiguration publishConfig = publishConfigOptions.Value;
+            PublishConfiguration publishConfig = publishConfigOptions?.Value ?? throw new ArgumentNullException(nameof(publishConfigOptions));
 
             // Lazily create services which need access to options
             ArgumentNullException.ThrowIfNull(manifestServiceFactory);
diff --git a/src/ImageBuilder/Commands/GenerateBuildMatrixCommand.cs b/src/ImageBuilder/Commands/GenerateBuildMatrixCommand.cs
index caf4d7f4a..68188321d 100644
--- a/src/ImageBuilder/Commands/GenerateBuildMatrixCommand.cs
+++ b/src/ImageBuilder/Commands/GenerateBuildMatrixCommand.cs
@@ -28,7 +28,13 @@ public class GenerateBuildMatrixCommand : ManifestCommand<GenerateBuildMatrixOpt
         private readonly ImageDigestCache _imageDigestCache;
         private readonly Lazy<ImageNameResolverForMatrix> _imageNameResolver;
 
-        public GenerateBuildMatrixCommand(IManifestJsonService manifestJsonService, IImageCacheService imageCacheService, IManifestServiceFactory manifestServiceFactory, ILogger<GenerateBuildMatrixCommand> logger, IOptions<PublishConfiguration> publishConfigOptions) : base(manifestJsonService)
+        public GenerateBuildMatrixCommand(
+            IManifestJsonService manifestJsonService,
+            IImageCacheService imageCacheService,
+            IManifestServiceFactory manifestServiceFactory,
+            ILogger<GenerateBuildMatrixCommand> logger,
+            IOptions<PublishConfiguration> publishConfigOptions
+        ) : base(manifestJsonService)
         {
             _imageCacheService = imageCacheService ?? throw new ArgumentNullException(nameof(imageCacheService));
             _logger = logger ?? throw new ArgumentNullException(nameof(logger));

From baa1f16bc5180a4ebbc7ac7a2b2a4ccf9e784385 Mon Sep 17 00:00:00 2001
From: Logan Bussell <loganbussell@microsoft.com>
Date: Fri, 22 May 2026 19:17:33 -0700
Subject: [PATCH 09/10]  Update changelog

---
 eng/docker-tools/CHANGELOG.md | 76 +++++++++++++++++++++++++++--------
 1 file changed, 60 insertions(+), 16 deletions(-)

diff --git a/eng/docker-tools/CHANGELOG.md b/eng/docker-tools/CHANGELOG.md
index 74ea2f9c9..4b7ae44aa 100644
--- a/eng/docker-tools/CHANGELOG.md
+++ b/eng/docker-tools/CHANGELOG.md
@@ -4,29 +4,73 @@ All breaking changes and new features in `eng/docker-tools` will be documented i
 
 ---
 
-## 2026-05-22: Remove `--base-override-regex` / `--base-override-sub` options
+## 2026-05-22 Breaking changes
 
-ImageBuilder's `--base-override-regex` and `--base-override-sub` options have
-been removed from the `build`, `buildMatrix`, `copyBaseImages`, and
-`getStaleImages` commands. The same redirection to a mirror registry is
-expressed by the existing `--registry-override` + `--source-repo-prefix` pair,
-which is type-checked rather than an opaque regex/replacement and handles the
-digest-comparison path correctly.
+### PublishConfiguration: `InternalMirrorRegistry` and `PublicMirrorRegistry` replaced with `MirrorRegistry`
 
-`init-common.yml` has been updated to use the new options for the public-build
-mirror redirect.
+`PublishConfiguration` no longer exposes separate `InternalMirrorRegistry` and
+`PublicMirrorRegistry` fields to the C# app. Instead, the publish-config YAML
+templates emit a single `MirrorRegistry` field, chosen at template-compile
+time based on `${{ variables['System.TeamProject'] }}`. ImageBuilder reads
+this single field for all source-mirror lookups (`build`, `buildMatrix`,
+`getStaleImages`) so it never has to switch on environment at runtime.
 
-**Migration for downstream repos:**
+The `--source-repo-prefix` CLI option has been removed accordingly — the
+mirror prefix is now sourced from `PublishConfiguration.MirrorRegistry.RepoPrefix`.
+`--registry-override` retains its original meaning (destination registry for
+built images) and is no longer used for source-mirror redirection.
 
-If you invoke ImageBuilder directly with `--base-override-regex` or
-`--base-override-sub`, replace them with `--registry-override <server>` and
-`--source-repo-prefix <prefix>`. Example:
+#### How to migrate:
+
+Replace `InternalMirrorRegistry` and `PublicMirrorRegistry` with a pipeline
+template conditional:
+
+Before:
+
+```yaml
+publishConfig:
+  ...
+  InternalMirrorRegistry:        # keep — still used by other YAML steps
+    server: $(acr-staging.server)
+    repoPrefix: $(internalMirrorRepoPrefix)
+  PublicMirrorRegistry:          # keep — still used by other YAML steps
+    server: $(public-mirror.server)
+    repoPrefix: $(publicMirrorRepoPrefix)
+  ...
+```
+
+After:
 
-```diff
-- --base-override-regex '^(?!mcr\.microsoft\.com)' --base-override-sub '$(public-mirror.server)/'
-+ --source-repo-prefix '' --registry-override '$(public-mirror.server)'
+```yaml
+publishConfig:
+  ...
+  ${{ if eq(variables['System.TeamProject'], 'internal') }}:
+    MirrorRegistry:
+      server: $(acr-staging.server)
+      repoPrefix: $(internalMirrorRepoPrefix)
+  ${{ else }}:
+    MirrorRegistry:
+      server: $(public-mirror.server)
+      repoPrefix: $(publicMirrorRepoPrefix)
+  ...
 ```
 
+Drop any explicit `--source-repo-prefix` arguments from your ImageBuilder
+invocations.
+
+### Base image override options removed from CLI
+
+The `--base-override-regex` and `--base-override-sub` options have also been
+removed from the `build`, `buildMatrix`, `copyBaseImages`, and `getStaleImages`
+commands. They are superseded by the properties set in the
+`PublishConfiguration`.
+
+#### How to migrate:
+
+If you invoke ImageBuilder directly with `--base-override-regex` or
+`--base-override-sub`, remove those flags and populate
+`PublishConfiguration.MirrorRegistry` instead (see entry above).
+
 The `dotnet-buildtools-prereqs-docker` repo has a custom
 `eng/pipelines/steps/set-base-image-override-options.yml` that uses these
 options. Its current configuration matches no current Dockerfile FROM line

From 71ae837f963306f29f07b13a6c99e53dd4583ae7 Mon Sep 17 00:00:00 2001
From: Logan Bussell <loganbussell@microsoft.com>
Date: Fri, 22 May 2026 19:51:42 -0700
Subject: [PATCH 10/10] Remove all usage of (Public|Internal)MirrorRegistry

---
 eng/docker-tools/CHANGELOG.md                 | 35 ++++++-------------
 .../templates/jobs/build-images.yml           |  2 +-
 .../jobs/copy-base-images-staging.yml         |  2 +-
 .../stages/dotnet/publish-config-nonprod.yml  | 11 ------
 .../stages/dotnet/publish-config-prod.yml     | 11 ------
 .../jobs/check-base-image-updates.yml         |  4 +--
 .../jobs/copy-base-images-public-mirror.yml   |  4 ++-
 .../templates/stages/cleanup-acr-images.yml   |  6 ++--
 8 files changed, 22 insertions(+), 53 deletions(-)

diff --git a/eng/docker-tools/CHANGELOG.md b/eng/docker-tools/CHANGELOG.md
index 4b7ae44aa..b2cc7d19f 100644
--- a/eng/docker-tools/CHANGELOG.md
+++ b/eng/docker-tools/CHANGELOG.md
@@ -4,21 +4,15 @@ All breaking changes and new features in `eng/docker-tools` will be documented i
 
 ---
 
-## 2026-05-22 Breaking changes
+## 2026-05-22: Mirror registry config refactor
 
 ### PublishConfiguration: `InternalMirrorRegistry` and `PublicMirrorRegistry` replaced with `MirrorRegistry`
 
 `PublishConfiguration` no longer exposes separate `InternalMirrorRegistry` and
-`PublicMirrorRegistry` fields to the C# app. Instead, the publish-config YAML
-templates emit a single `MirrorRegistry` field, chosen at template-compile
-time based on `${{ variables['System.TeamProject'] }}`. ImageBuilder reads
-this single field for all source-mirror lookups (`build`, `buildMatrix`,
-`getStaleImages`) so it never has to switch on environment at runtime.
+`PublicMirrorRegistry` properties. Instead, there is a single `MirrorRegistry`
+property.
 
-The `--source-repo-prefix` CLI option has been removed accordingly — the
-mirror prefix is now sourced from `PublishConfiguration.MirrorRegistry.RepoPrefix`.
-`--registry-override` retains its original meaning (destination registry for
-built images) and is no longer used for source-mirror redirection.
+The `--source-repo-prefix` CLI option has also been removed in favor of `PublishConfiguration.MirrorRegistry.RepoPrefix`.
 
 #### How to migrate:
 
@@ -30,10 +24,10 @@ Before:
 ```yaml
 publishConfig:
   ...
-  InternalMirrorRegistry:        # keep — still used by other YAML steps
+  InternalMirrorRegistry:
     server: $(acr-staging.server)
     repoPrefix: $(internalMirrorRepoPrefix)
-  PublicMirrorRegistry:          # keep — still used by other YAML steps
+  PublicMirrorRegistry:
     server: $(public-mirror.server)
     repoPrefix: $(publicMirrorRepoPrefix)
   ...
@@ -55,9 +49,6 @@ publishConfig:
   ...
 ```
 
-Drop any explicit `--source-repo-prefix` arguments from your ImageBuilder
-invocations.
-
 ### Base image override options removed from CLI
 
 The `--base-override-regex` and `--base-override-sub` options have also been
@@ -67,16 +58,12 @@ commands. They are superseded by the properties set in the
 
 #### How to migrate:
 
-If you invoke ImageBuilder directly with `--base-override-regex` or
-`--base-override-sub`, remove those flags and populate
-`PublishConfiguration.MirrorRegistry` instead (see entry above).
+Use `PublishConfiguration.MirrorRegistry` instead.
 
-The `dotnet-buildtools-prereqs-docker` repo has a custom
-`eng/pipelines/steps/set-base-image-override-options.yml` that uses these
-options. Its current configuration matches no current Dockerfile FROM line
-(Dockerfiles use `library/<distro>:<tag>` rather than `<distro>:<tag>`), so
-removing the file and its two call sites in
-`eng/pipelines/stages/dotnet-buildtools-prereqs.yml` is a no-op behaviorally.
+An evaluation of downstream usage of these parameters found only one usage, in
+[dotnet-buildtools-prereqs-docker](https://github.com/dotnet/dotnet-buildtools-prereqs-docker/blob/f2842d71c33c10fc5a736988e66911c13d59fb32/eng/pipelines/steps/set-base-image-override-options.yml),
+and the usage does not match any current Dockerfiles in that repo, so its
+removal will not cause any changes in behavior.
 
 ---
 
diff --git a/eng/docker-tools/templates/jobs/build-images.yml b/eng/docker-tools/templates/jobs/build-images.yml
index 7327b6d69..8a35a66ec 100644
--- a/eng/docker-tools/templates/jobs/build-images.yml
+++ b/eng/docker-tools/templates/jobs/build-images.yml
@@ -115,7 +115,7 @@ jobs:
     - powershell: |
         $images = "$(BuildImages.builtImages)"
         if (-not $images) { return 0 }
-        $syftImageName = "${{ parameters.publishConfig.PublicMirrorRegistry.server }}/$(imageNames.syft)"
+        $syftImageName = "$(public-mirror.server)/$(imageNames.syft)"
         & $(engDockerToolsPath)/Pull-Image.ps1 $syftImageName
         $images -Split ',' | ForEach-Object {
           echo "Generating SBOM for $_";
diff --git a/eng/docker-tools/templates/jobs/copy-base-images-staging.yml b/eng/docker-tools/templates/jobs/copy-base-images-staging.yml
index 02c6cc84e..6f957ea56 100644
--- a/eng/docker-tools/templates/jobs/copy-base-images-staging.yml
+++ b/eng/docker-tools/templates/jobs/copy-base-images-staging.yml
@@ -36,5 +36,5 @@ jobs:
     customInitSteps: ${{ parameters.customInitSteps }}
     customCopyBaseImagesInitSteps: ${{ parameters.customCopyBaseImagesInitSteps }}
     additionalOptions: ${{ parameters.additionalOptions }}
-    acr: ${{ parameters.publishConfig.InternalMirrorRegistry }}
+    acr: ${{ parameters.publishConfig.MirrorRegistry }}
     versionsRepoRef: ${{ parameters.versionsRepoRef }}
diff --git a/eng/docker-tools/templates/stages/dotnet/publish-config-nonprod.yml b/eng/docker-tools/templates/stages/dotnet/publish-config-nonprod.yml
index 8eb9d65a0..3d45fc63a 100644
--- a/eng/docker-tools/templates/stages/dotnet/publish-config-nonprod.yml
+++ b/eng/docker-tools/templates/stages/dotnet/publish-config-nonprod.yml
@@ -55,17 +55,6 @@ stages:
     # publishConfig schema is defined in src/ImageBuilder/Configuration/PublishConfiguration.cs.
     # This will get converted to JSON and placed in appsettings.json to be loaded by ImageBuilder at runtime.
     publishConfig:
-      InternalMirrorRegistry:
-        server: $(acr-staging-test.server)
-        repoPrefix: $(internalMirrorRepoPrefix)
-
-      PublicMirrorRegistry:
-        server: $(public-mirror.server)
-        repoPrefix: $(publicMirrorRepoPrefix)
-
-      # Source mirror selected at template-compile time based on the AzDO team
-      # project so the C# app sees a single registry to redirect external
-      # base-image lookups to without any runtime conditionals.
       ${{ if eq(variables['System.TeamProject'], 'internal') }}:
         MirrorRegistry:
           server: $(acr-staging-test.server)
diff --git a/eng/docker-tools/templates/stages/dotnet/publish-config-prod.yml b/eng/docker-tools/templates/stages/dotnet/publish-config-prod.yml
index 51bc320b9..a57fd9923 100644
--- a/eng/docker-tools/templates/stages/dotnet/publish-config-prod.yml
+++ b/eng/docker-tools/templates/stages/dotnet/publish-config-prod.yml
@@ -55,17 +55,6 @@ stages:
     # publishConfig schema is defined in src/ImageBuilder/Configuration/PublishConfiguration.cs.
     # This will get converted to JSON and placed in appsettings.json to be loaded by ImageBuilder at runtime.
     publishConfig:
-      InternalMirrorRegistry:
-        server: $(acr-staging.server)
-        repoPrefix: $(internalMirrorRepoPrefix)
-
-      PublicMirrorRegistry:
-        server: $(public-mirror.server)
-        repoPrefix: $(publicMirrorRepoPrefix)
-
-      # Source mirror selected at template-compile time based on the AzDO team
-      # project so the C# app sees a single registry to redirect external
-      # base-image lookups to without any runtime conditionals.
       ${{ if eq(variables['System.TeamProject'], 'internal') }}:
         MirrorRegistry:
           server: $(acr-staging.server)
diff --git a/eng/pipelines/templates/jobs/check-base-image-updates.yml b/eng/pipelines/templates/jobs/check-base-image-updates.yml
index e027c6230..d4ac0f239 100644
--- a/eng/pipelines/templates/jobs/check-base-image-updates.yml
+++ b/eng/pipelines/templates/jobs/check-base-image-updates.yml
@@ -47,11 +47,11 @@ jobs:
     parameters:
       publishConfig: ${{ parameters.publishConfig }}
       usesRegistries:
-        - ${{ parameters.publishConfig.InternalMirrorRegistry.server }}
+        - ${{ parameters.publishConfig.MirrorRegistry.server }}
 
   - template: /eng/docker-tools/templates/steps/copy-base-images.yml@self
     parameters:
-      acr: ${{ parameters.publishConfig.InternalMirrorRegistry }}
+      acr: ${{ parameters.publishConfig.MirrorRegistry }}
       additionalOptions: "--subscriptions-path '${{ parameters.subscriptionsPath }}'"
 
   - script: >
diff --git a/eng/pipelines/templates/jobs/copy-base-images-public-mirror.yml b/eng/pipelines/templates/jobs/copy-base-images-public-mirror.yml
index 7db34130b..27dd8c942 100644
--- a/eng/pipelines/templates/jobs/copy-base-images-public-mirror.yml
+++ b/eng/pipelines/templates/jobs/copy-base-images-public-mirror.yml
@@ -22,7 +22,9 @@ jobs:
       image: $(default1ESInternalPoolImage)
       os: linux
     publishConfig: ${{ parameters.publishConfig }}
-    acr: ${{ parameters.publishConfig.PublicMirrorRegistry }}
+    acr:
+      server: $(public-mirror.server)
+      repoPrefix: $(publicMirrorRepoPrefix)
     customInitSteps: ${{ parameters.customInitSteps }}
     additionalOptions: '--subscriptions-path ${{ parameters.subscriptionsPath }}'
     forceDryRun: ${{ parameters.dryRun }}
diff --git a/eng/pipelines/templates/stages/cleanup-acr-images.yml b/eng/pipelines/templates/stages/cleanup-acr-images.yml
index 1563f6833..fa3582da5 100644
--- a/eng/pipelines/templates/stages/cleanup-acr-images.yml
+++ b/eng/pipelines/templates/stages/cleanup-acr-images.yml
@@ -86,7 +86,7 @@ stages:
         publishConfig: ${{ parameters.publishConfig }}
         usesRegistries:
         - ${{ parameters.publishConfig.BuildRegistry.server }}
-        - ${{ parameters.publishConfig.PublicMirrorRegistry.server }}
+        - $(public-mirror.server)
         serviceConnections:
         - name: $(marStatus.serviceConnectionName)
     - script: mkdir -p $(Build.ArtifactStagingDirectory)/eol-annotation-data
@@ -96,7 +96,9 @@ stages:
         acr: ${{ parameters.publishConfig.BuildRegistry }}
     - template: /eng/pipelines/templates/steps/set-eol-annotations.yml@self
       parameters:
-        acr: ${{ parameters.publishConfig.PublicMirrorRegistry }}
+        acr:
+          server: $(public-mirror.server)
+          repoPrefix: $(publicMirrorRepoPrefix)
     - template: /eng/docker-tools/templates/steps/publish-artifact.yml@self
       parameters:
         path: $(Build.ArtifactStagingDirectory)/eol-annotation-data