use $.job.credentials-metadata if $.credentials isn't given #11704

Merged
merged 1 commit into from
Feb 28, 2025

@brettfo brettfo commented Feb 28, 2025

This PR is for a very specific scenario, namely:

  1. A repo with NuGet packages
  2. That depends on a custom password- or token-authenticated feed
  3. And no NuGet.Config file exists in the repo

The NuGet updater relies heavily on native NuGet tooling and the native NuGet tooling looks in parent directories for a NuGet.Config file and also in the user-level location of ~/.nuget/NuGet/NuGet.Config.

In this case a custom package feed needs to be added to the user-level NuGet.Config file so that all of the tooling knows it's available. The proxy service is then responsible for all authentication.

Details

Update jobs are split into two phases, fetch_files and update_files. Each job phase is given different information regarding feed credentials as specified in the job file.

The fetch_files step passed along the root property credentials which may contain secrets (but probably not given the last few months of updates and the push towards using the CLI) and the update_files step passed along job.credentials-metadata which is identical to the other property, but with all secrets removed.

The NuGet updater needs feed information for the fetch_files step, but running with a job file like this:

job:
  # some values here
credentials:
  - type: nuget_feed
    # some other values

resulted in fetch_files getting an empty array because no secrets are passed to this step of the updater; the proxy is expected to handle it.

The fix is to allow the file fetcher command to fall back to the secret-less credentials-metadata so that the feed URLs can be passed on. The end result is that the native NuGet tooling will see package feeds listed in the user-level NuGet.Config and honor those for all update operations.

The generation of the user-level NuGet.Config was also updated to always include a reference to api.nuget.org. This was done because in the scenario covered here, the lack of a NuGet.Config file in a repo, or the lack of a <clear /> directive indicates that the owners of that repo are expecting higher-level implicit feeds to be used and the only common higher-level implicit feed is api.nuget.org. This won't break other scenarios where repo owners explicitly don't want api.nuget.org because they will have already specified the <clear /> directive which will exclude everything in the user-level file anyway.

Fixes #11690
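
Added example, not part of the PR and not Dependabot's own code: the fallback from `$.credentials` to `$.job.credentials-metadata` described in the PR description above, followed by generation of a user-level NuGet.Config that lists feed URLs only and always includes api.nuget.org. The `url` key, the missing-or-empty fallback condition, the source key names and the sample job file are assumptions made for this illustration.

```ruby
require "json"

# Public nuget.org v3 feed; always added, as the PR description says.
NUGET_ORG = "https://api.nuget.org/v3/index.json"

# Constructed job file. The "url" key and the feed host are assumptions.
SAMPLE_JOB = JSON.parse(<<~JOB)
  {
    "job": {
      "credentials-metadata": [
        { "type": "nuget_feed", "url": "https://feed.example.test/v3/index.json" },
        { "type": "git_source", "host": "github.com" }
      ]
    }
  }
JOB

# Prefer $.credentials; fall back to the secret-less $.job.credentials-metadata
# when the root property is missing or empty (assumed fallback condition).
def feed_credentials(job_file)
  creds = job_file["credentials"]
  creds = job_file.dig("job", "credentials-metadata") if creds.nil? || creds.empty?
  (creds || []).select { |c| c["type"] == "nuget_feed" }
end

# Only the feed URL is read from each entry, so a password or token that
# happens to be present never reaches the generated file.
def feed_urls(job_file)
  (feed_credentials(job_file).map { |c| c["url"] }.compact + [NUGET_ORG]).uniq
end

def xml_escape(text)
  text.gsub("&", "&amp;").gsub("<", "&lt;").gsub(">", "&gt;").gsub('"', "&quot;")
end

# Render the user-level NuGet.Config; source key names are hypothetical.
def user_level_nuget_config(job_file)
  sources = feed_urls(job_file).each_with_index.map do |url, i|
    key = url == NUGET_ORG ? "nuget.org" : "feed_#{i}"
    %(    <add key="#{key}" value="#{xml_escape(url)}" />)
  end
  ['<?xml version="1.0" encoding="utf-8"?>', "<configuration>", "  <packageSources>",
   *sources, "  </packageSources>", "</configuration>"].join("\n") + "\n"
end

puts user_level_nuget_config(SAMPLE_JOB) if $PROGRAM_NAME == __FILE__
```

Because the generated file carries no credentials, authentication for the listed feeds stays with the proxy, as the description states.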

@brettfo brettfo requested review from a team as code owners February 28, 2025 22:05
@github-actions github-actions bot added the L: dotnet:nuget NuGet packages via nuget or dotnet label Feb 28, 2025

@randhircs randhircs left a comment

I approve it.

@randhircs randhircs merged commit b9ea83b into main Feb 28, 2025
133 of 136 checks passed
@randhircs randhircs deleted the dev/brettfo/job-credentials branch February 28, 2025 23:26
Successfully merging this pull request may close these issues.

Dependabot Error "error-type": "dependency_not_found" - .NET8, using private nuget repository.