actions / setup-dotnet

Set up your GitHub Actions workflow with a specific version of the .NET core sdk
MIT License

Custom source url, preserving default NuGet package source #75

Closed Bert-Proesmans closed 3 years ago

Bert-Proesmans commented 4 years ago

I'm testing this pass to deploy my packages to the GitHub Package repo.

So far I've been able to push packages successfully when the dependency source is limited to either NuGet or GitHub. I'm stuck on building when there are dependencies from both package sources.

Assuming my personal access tokens are not intended to be distributed inside the repository for manually constructing a nuget.config file, my use case does not seem to be supported.

Any suggestions on the correct approach for building C# projects that use dependencies from multiple sources? Is this maybe considered bad practice?

mtttcgcg commented 4 years ago

Wondering the same thing here.

It seems this Action only allows specifying a single repo in the source-url parameter. In order to consume a package in GPR (to have it as a dependency), you have to set source-url to GPR, but then it can't find the base .NET packages there. If you try to fix that by using nuget.config, putting both nuget.org and GPR in there, and hardcoding a PAT in there, the build will work, but then when it tries to upload the built library to GPR, it prints out:

warn : No API Key was provided and no API Key could be found for 'https://nuget.pkg.github.com/your-org'

and then gets 400 on the upload request.

riezebosch commented 4 years ago

Probably related:

In my first project I want to publish a package to the GPR and consume from NuGet. This only works when I specify a different owner in the source url.

In my second project I want to consume the package from the other project so I have to use the correct owner. But then it fails to publish a package from this project stating No API Key was provided and no API Key could be found.

It seems it has something to do with requiring the /index.json for restore but pushing to the url without this.

ZEisinger commented 4 years ago

@Bert-Proesmans @mtttcgcg @riezebosch I am trying to better understand this issue, and would need to verify the below solution. Do you have a public example of this that you can share?

There is some documentation that is missing here, but the expectation is that a config file is provided with all package sources specified in the root of the repo (if there is more than one). When this task is called it will create a partial nuget.config above the repo root and add the authentication only into that file.

./nuget.config

<configuration>
  <packageSources>
    <add key="GPR" value="https://nuget.pkg.github.com/OwnerName/index.json" protocolVersion="3" />
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" protocolVersion="3" />
  </packageSources>
</configuration>

- uses: actions/setup-dotnet@v1
  with:
    source-url: https://nuget.pkg.github.com/OwnerName/index.json
  env:
    NUGET_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}}  # Note, create a secret with this name in Settings

Partial nuget.config created at ../

<?xml version="1.0"?>
<configuration>
  <config>
    <add key="defaultPushSource" value="https://nuget.pkg.github.com/OwnerName/index.json"/>
  </config>
  <packageSourceCredentials>
    <GPR>
      <add key="Username" value="OwnerName"/>
      <add key="ClearTextPassword" value="TEST_FAKE_AUTH_TOKEN"/>
    </GPR>
  </packageSourceCredentials>
</configuration>

boast commented 4 years ago

@ZEisinger I tried exactly that some days ago and found out about the partial or "on-the-fly" nuget config. The problem is that only the source with the matching source-url as value gets copied to the final config-list (https://github.com/actions/setup-dotnet/blob/master/src/authutil.ts#L80). However, my private repo obviously does not contain all other nugets. We need two things in the code:

  1. Which repo(s?) need extra packageSourceCredentials. This is done correctly by tracking the "sourceKeys" array.
  2. All defined repos should be included in the final "on-the-fly" config, not just the authenticated. This is not done correctly and this process re-uses the "sourceKeys" array, which does not contain all repos.

At the current state, I cannot use this action at all, as I cannot build my packages except when they are basically bare-bone packages or with only internal dependencies.
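The two requirements listed in the comment above, as an added example that is not the action's code (the action is written in TypeScript; this uses Python's standard library). `build_temp_config`, its parameters and the sample config are hypothetical names constructed for illustration, and the token is expected to come from the `NUGET_AUTH_TOKEN` environment variable rather than from the repository.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a repo-root nuget.config listing two feeds, no secrets.
REPO_CONFIG = """<configuration>
  <packageSources>
    <add key="GPR" value="https://nuget.pkg.github.com/OwnerName/index.json" />
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
  </packageSources>
</configuration>"""


def _norm(url):
    # Compare feed URLs without regard to case or a trailing slash.
    return url.strip().rstrip("/").lower()


def build_temp_config(repo_config_xml, source_url, username, token):
    """Hypothetical helper: return (xml_text, authenticated_source_keys)."""
    sources = ET.fromstring(repo_config_xml).findall("./packageSources/add")
    out = ET.Element("configuration")
    cfg = ET.SubElement(out, "config")
    ET.SubElement(cfg, "add", key="defaultPushSource", value=source_url)

    # Point 2: copy every declared source, not only the authenticated one.
    pkg = ET.SubElement(out, "packageSources")
    source_keys = []
    for add in sources:
        key, value = add.get("key"), add.get("value")
        ET.SubElement(pkg, "add", key=key, value=value)
        # Point 1: only sources matching source-url receive credentials.
        if _norm(value) == _norm(source_url):
            source_keys.append(key)
    if not source_keys:
        raise ValueError("source-url is not declared in the repo nuget.config")

    creds = ET.SubElement(out, "packageSourceCredentials")
    for key in source_keys:
        # Assumption: the source key is a valid XML element name (no spaces).
        node = ET.SubElement(creds, key)
        ET.SubElement(node, "add", key="Username", value=username)
        ET.SubElement(node, "add", key="ClearTextPassword", value=token)
    return ET.tostring(out, encoding="unicode"), source_keys
```

The generated file still holds the token in clear text, so it belongs outside the checkout (as the action does with its temporary config) and should never be committed or uploaded as an artifact.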

chris27uk commented 4 years ago

We hit a very similar issue. We found that the nuget.org source wasn't present in the generated nuget.config file even if the file in the repo had it defined. We have worked around it by writing the config file ourselves and replacing setup-dotnet with self bootstrapping.

I do think it's worth saying that for some projects it will make sense to use nuget.org and some to use private feeds to replace nuget.org (based on limiting costs). This will vary project to project, but I'd be surprised if most weren't relying on nuget.org standard feed.

e.g.

$nugetConfig = "<?xml version=`"1.0`" encoding=`"utf-8`"?>
<configuration>
  <packageSources>
    <clear />
    <add key=`"github`" value=`"https://nuget.pkg.github.com/owner/index.json`" />
    <add key=`"nuget`" value=`"https://api.nuget.org/v3/index.json`" />
  </packageSources>
  <packageSourceCredentials>
    <github>
      <add key=`"Username`" value=`"owner`" />
      <add key=`"ClearTextPassword`" value=`"${{ secrets.GITHUB_TOKEN }}`" />
    </github>
  </packageSourceCredentials>
</configuration>"
Out-File -FilePath "../../nuget.config" -InputObject $nugetConfig

nickjmcclure commented 4 years ago

I'm having a similar issue, however in my case I need two additional nuget sources, in addition to the standard public nuget repository.

I have some legacy packages that are published to Azure DevOps, and Packages that are in our private GitHub package repo.

In my GitHub Actions that build .NET Framework projects, I'm able to call the nuget CLI to add the sources without issue. I attempted the same thing with the dotnet CLI, but it seems that isn't an option either.

vslynko commented 4 years ago

My workaround works only when you have a single other package source requiring authentication. Basically, one needs to add the default NuGet source manually after setting up dotnet with a custom NuGet source.

- uses: actions/setup-dotnet@v1
  with:
    source-url: https://pkgs.dev.azure.com/<path_to_package_feed>/index.json
  env:
    NUGET_AUTH_TOKEN: ${{secrets.READ_DEVOPS_PACKAGES}}
- name: Restore Nugets
  working-directory: src
  run: |
    dotnet nuget add source https://api.nuget.org/v3/index.json -n nuget.org --configfile d:\a\<root_name>\nuget.config
    dotnet restore . --configfile d:\a\<root_name>\nuget.config

The root_name can be found in setup-dotnet step output. This is where temporary nuget.config is stored.

dotnet-auth: Finding any source references in D:\a\<root_name>\<root_name>\nuget.config, writing a new temporary configuration file with credentials to D:\a\<root_name>\nuget.config

This step output reveals the root cause of the problem. Namely, finding any source references fails, because my nuget.config is located under .\src\ folder, not in repo root. So, the existing sources are not found at all.

Cheers.

vslynko commented 4 years ago

BTW the location of has changed within past week, causing all my builds to break.

vslynko commented 4 years ago

And just now the is changed again.

vslynko commented 4 years ago

This is unbearable, guys. The step behaves differently for the same config. Below are logs for two different runs with a time difference of less than 24 hours. Notice that the temporary nuget.config is created in different locations, without any obvious reason.

2020-09-24T15:20:00.5309302Z ##[group]Run actions/setup-dotnet@v1
2020-09-24T15:20:00.5309763Z with:
2020-09-24T15:20:00.5310526Z   source-url: https://pkgs.dev.azure.com/<feed>/nuget/v3/index.json
2020-09-24T15:20:00.5311269Z env:
2020-09-24T15:20:00.5311729Z   NUGET: C:\hostedtoolcache\windows\nuget.exe\5.7.0\x64/nuget.exe
2020-09-24T15:20:00.5313395Z   NUGET_AUTH_TOKEN: ***
2020-09-24T15:20:00.5313744Z ##[endgroup]
2020-09-24T15:20:01.0038666Z dotnet-auth: Finding any source references in D:\a\_temp\nuget.config, writing a new temporary configuration file with credentials to D:\a\nuget.config

2020-09-25T08:08:50.8087369Z ##[group]Run actions/setup-dotnet@v1
2020-09-25T08:08:50.8087812Z with:
2020-09-25T08:08:50.8088563Z   source-url: https://pkgs.dev.azure.com/<feed>/nuget/v3/index.json
2020-09-25T08:08:50.8089317Z env:
2020-09-25T08:08:50.8089766Z   NUGET: C:\hostedtoolcache\windows\nuget.exe\5.7.0\x64/nuget.exe
2020-09-25T08:08:50.8091805Z   NUGET_AUTH_TOKEN: ***
2020-09-25T08:08:50.8092159Z ##[endgroup]
2020-09-25T08:08:51.3520835Z dotnet-auth: Finding any source references in D:\a\<repo_name>\<repo_name>\nuget.config, writing a new temporary configuration file with credentials to D:\a\<repo_name>\nuget.config

Environment seems to be the same:

2020-09-25T08:05:44.7294095Z ##[section]Starting: Request a runner to run this job
2020-09-25T08:05:45.5710043Z Can't find any online and idle self-hosted runner in current repository that matches the required labels: 'windows-latest'
2020-09-25T08:05:45.5710203Z Can't find any online and idle self-hosted runner in current repository's account/organization that matches the required labels: 'windows-latest'
2020-09-25T08:05:45.5710608Z Found online and idle hosted runner in current repository's account/organization that matches the required labels: 'windows-latest'
2020-09-25T08:05:45.7128542Z ##[section]Finishing: Request a runner to run this job
2020-09-25T08:05:52.6543295Z Current runner version: '2.273.4'
2020-09-25T08:05:52.6880661Z ##[group]Operating System
2020-09-25T08:05:52.6881436Z Microsoft Windows Server 2019
2020-09-25T08:05:52.6881800Z 10.0.17763
2020-09-25T08:05:52.6882107Z Datacenter
2020-09-25T08:05:52.6882441Z ##[endgroup]
2020-09-25T08:05:52.6882780Z ##[group]Virtual Environment
2020-09-25T08:05:52.6883328Z Environment: windows-2019
2020-09-25T08:05:52.6883720Z Version: 20200920.1
2020-09-25T08:05:52.6884840Z Included Software: https://github.com/actions/virtual-environments/blob/win19/20200920.1/images/win/Windows2019-Readme.md
2020-09-25T08:05:52.6885646Z ##[endgroup]

ZEisinger commented 4 years ago

Hey @vslynko, The task was upgraded yesterday. With the nuget.config being created one level above the root of the repository, this was where it was supposed to be created previously but there was a bug in the code. It should be in its final place now.

The release yesterday may have solved some of the NuGet problems reported here.

atrauzzi commented 3 years ago

What about multiple package sources?

vsafonkin commented 3 years ago

Hi @atrauzzi, could you please create a feature request to add support for multiple NuGet package sources? It looks like this feature is quite popular and is not currently supported by the task.

vsafonkin commented 3 years ago

@atrauzzi, thank you!