Move wdkmetadata to a more secure nuget feed

[getrou]

Rather than pulling directly from nuget.org, the build will now pull from a managed public nuget feed. The new nuget feed still upstreams to nuget.org and caches any package pulled from nuget.org. The major difference in operation is that the first time that a new package or version is pulled from an upstream source, it requires authentication by a Microsoft employee.

[riverar]

How do externals like me work on this without authentication?

[getrou]

How do externals like me work on this without authentication?

The feed is public, so you can still pull from the feed!

If you need to bring in new packages, then until a Microsoft employee populates the secure feed, you are still free to access nuget.org from your local build in one of the following ways:

• You can for locally change the nuget.config to point back to nuget.org. I'm looking at ways to make this a bit easier. For starters, I was thinking about modifying DoAll.ps1 to just do this by default for local development, since our secure Azure build pipeline doesn't use this script.
• You can call dotnet/nuget restore from the command line and pass in nuget.org as a source.

Your machine will cache the packages, so this is something you'd only have to do once when you're first changing the packages. I know this is an extra step, so I'm looking into ways to make it painless, but this new feed is a security feature that we are required to add.