Github Actions cannot find NuGet package hosted in GitHub Packages - nuget

I have a GitHub organisation set up and within that are two private repositories: Library and App. I have managed to configure a GitHub Action for the Library repository to create a NuGet package and push it to nuget.pkg.github.com. I added the Library package as a dependency to the App project and can fetch these locally using a configured Personal Access Token. I am now working on the GitHub Action to build and run unit tests on the App project.
I have added a step to the workflow to add the NuGet package source
- name: Set package source
run: dotnet nuget add source --username USERNAME --password ${{ secrets.GITHUB_TOKEN }} --store-password-in-clear-text --name github "https://nuget.pkg.github.com/REDACTED/index.json"
This is exactly the same line as is used when pushing the package, but when I reach the dotnet restore step later I get the following error:
/home/runner/work/App/App/App.Services/App.Services.csproj : error NU1101:
Unable to find package Library. No packages exist with this id in source(s): github, nuget.org [/home/runner/work/App/App/App.sln]
I understand that it is likely possible to work around this by adding a new Personal Access Token to the secrets of the App repository, but would prefer to rely on GITHUB_TOKEN if possible for both the security and management benefits.
According to GitHub, installing packages hosted with GitHub Packages requires minimal configuration using GITHUB_TOKEN. And by default, GITHUB_TOKEN has both read and write permissions for packages.
This question is different from this one as that relates to an issue with empty NuGet.config files which has since been resolved.

I hit the same problem, GITHUB_TOKEN can be used to push packages but not pull packages from other repos within the same organisation. This thread has a lot of people complaining about it: https://github.com/actions/setup-node/issues/49. I was unable to get any of the workarounds there working for me, and had no option in GitHub to grant specific permissions to repositories in the organisation for packages. Had to use a PAT in the end.

Related

dotnet restore fails to find package in private github package feed, when ran from a github workflow

We have some Nuget packages pushed to our organizations github package repository, and I am able to add those packages locally in my project, after I have added the github package source as an extra nuget source in my IDE (rider). For this, I use a pat-token.
So, everything works locally, and I can build everything fine. (combining nuget.org & our private feed).
The next logical step, is to leverage that package feed in our build pipeline in github actions... And that's where things fail...
This is the section in our github workflow, that I believe should work just fine:
FYI : I have not checked in a nuget.config file
- name: Restore dependencies
run: |
dotnet nuget add source --username ${{ github.repository_owner }} --password ${{ secrets.GITHUB_TOKEN }} --store-password-in-clear-text --name github 'https://nuget.pkg.github.com/${{ github.repository_owner }}/index.json'
dotnet restore ${{ inputs.sourcePath }}
The difference is that I am using the secrets.GITHUB_TOKEN, but according to the logs, the source is successfully added...
However, when the dotnet restore command runs, it seems the package cannot be found.
These are the logs:
Package source with Name: github added successfully.
Determining projects to restore...
/home/runner/work/mgmt-portal/mgmt-portal/src/Comp.AdminPortal.WebApp/Comp.AdminPortal.WebApp.csproj :
error NU1101: Unable to find package Comp.Backend.WebAPI.Client.
No packages exist with this id in source(s): github, nuget.org [/home/runner/work/mgmt-portal/mgmt-portal/src/Comp.ManagementPortal.sln]
Failed to restore /home/runner/work/mgmt-portal/mgmt-portal/src/Comp.AdminPortal.WebApp/Comp.AdminPortal.WebApp.csproj (in 3 sec).
Error: Process completed with exit code 1.
So, it seems it is not (yet?) possible to give specific permissions to the GITHUB_TOKEN. And in my case, the package was linked to another repo (not the repo in which I was running my pipeline.
So by default the GITHUB_TOKEN does not have access rights for the scope of package:read and it does not seem possible to give those, at first sight.
The workaround seems to be to use a personal access token, a PAT...

Restoring NuGet packages from another organization as an upstream feed in Azure DevOps

I have a project within one DevOps organization that has a dependency on a couple of NuGet packages that are hosted in a feed in another organization. Both organizations share the same Azure Active Directory tenant.
Following along with the documentation provided here I created a new view in my source feed called "Shared". On the setup for the view I have "All feeds and people in organizations associated with my Azure Active Directory" checked:
I then promoted both NuGet packages to that view:
In the other organization I have this feed set up to use the Shared view as an upstream source from another organization:
In my projects azure-pipelines Yaml file I have the following section for restoring packages:
And the associated nuget.config file looks like this:
The feed it is using is the one that belongs to the organization the project is in. My assumption based on the documentation is that the restore operation will look for the those 2 packages in the upstream source if they can not be found in the local feed or the public NuGet feed. However I am getting the following error during the restore process when running a build:
For each of these 2 packages I am getting:
No packages exist with this id in source(s): feed-{FeedName}, NuGet
All other packages restore fine. I've tried many variations of my build script and upstream settings to no avail. I'm pretty sure I have everything set up as the documentation has dictated. The docs don't really go into how your pipeline and nuget.config should be set so perhaps I have something incorrect there?
I had a comparable issue in the past with restoring packages. As possible solution, which worked in my case, I could suggest you try explicitly specifying Azure Artifacts Feed Id you're pulling packages from:
vstsFeed: {FEED_ID}

Github package successfully published, but not showing up in "Packages" section

I have a package that I published to Github package repository and it was successful, still, I am not able to see this package in the packages section
https://i.stack.imgur.com/WV7fr.jpg
https://i.stack.imgur.com/kGOFG.png
Please refer to the attached screenshots, as seen npm publish is successful.
What could I be missing?
Packages are not visible as releases, they will be visible in packages section for your organization:
https://github.com/orgs/ORGANIZATION/packages
For personal packages:
https://github.com/USER?tab=packages
Keep in mind that packages won't be visible under the repository "Packages" section until their name is the same as a repository. It doesn't matter that you publish it from this repository action.
In case you don't have a resository with such a name - it will be created for you by GitHub.
I have been experiencing the same thing since Yesterday. I haven't tried with an already released package, but I can confirm new packages are not appearing neither in the org/user packages tab nor in the packages section of the repository despite the fact npm says that they have been published successfully.
Once you released the package and updated the repo but the package is not showing in the repo as here
Steps to link library to repo
Go to your profile on GitHub https://github.com/{your_user_name}?tab=packages. you must see the list of packages like here.
Click on the package that you need to link to repo. You must get link to repo or go to this link https://github.com/users/{your_user_name}/packages/npm/{your_package_name}/settings
Select the library repo.
You can now view the packages on the repo too.
You can add
"repository": {
"type": "git",
"url": "git+https://github.com/<user>/<repo>.git"
},
to the package.json. This allows the package to be correctly "mapped" to the repo.
As a workaround, you could use their List Packages API using GitHub CLI:
Make sure to have a classic token with the minimum required scopes: repo, read:org and read:packages
Authenticate with GitHub CLI using by opening your terminal and execute the following command :
gh auth login
These are the options I choose:
What is your preferred protocol for Git operations?
HTTPS
Authenticate Git with your GitHub credentials?
Yes
How would you like to authenticate GitHub CLI?
Paste an authentication token
Paste your authentication token:
****************************************
After you are authenticated, run the following command:
gh api \
-H "Accept: application/vnd.github+json" \
"/orgs/{YOUR_ORG}/packages?package_type={TYPE}"
// Type can be one of: npm, maven, rubygems, docker, nuget, container
A json will be printed, grab the package id:
...
{
"id": 1234567,
"name": "...",
"package_type": "...",
"owner": {
"login": "...",
...
Adapt the link with the package ID and paste into your browser:
https://github.com/{$ORG}/{$PROJECT}/packages/{$ID}
This could be due to package visibility.
In my organization, we recently started having issues where new releases of some packages had severe read restrictions. The way I identified this issue was this:
In the context of my personal account (or whatever scope you are consuming the packages from), check the packages for whatever repo/org you are having problems with. In our case I could not see the newest version of a package that was reported as successfully pushed in CI.
Get someone with admin access, preferably to the organization (if the repo belongs to an organization), have them check the same thing, and compare results. In our case the org admins could see the latest versions of the package.
If having the above problems, they can be fixed (in the short-term) by setting the package visibility levels by someone with admin access to the organization.

Use Github Package Registry without authtoken

In my node project I would like to use both NPM and Github registries. The reason is that I use some packages as request or async, but I've made my own packages which are stored on Github Packges Registry.
I've tried to add #USERNAME:registry=https://npm.pkg.github.com/ in .npmrc, but I still need an authtoken. There is the problem: as it's for a continuous integration I don't want to use a token linked to a specific user.
So what could I do ?
Edit: I'm using Circle CI for my workflows.
You can use the default GITHUB_TOKEN associated with the repository that your workflow runs in.
If you are using a GitHub Actions workflow, you can use a GITHUB_TOKEN to publish and consume packages in the GitHub Package Registry without needing to store and manage a personal access token.
ref: https://help.github.com/en/github/managing-packages-with-github-package-registry/configuring-npm-for-use-with-github-package-registry#authenticating-to-github-package-registry
If you are not using GitHub Actions and running your build in a different CI tool then I don't think you have any choice but to use a Personal Access Token tied to a user account.

AppVeyor NuGet Restore failing to connect to private account repo

I am attempting to restore packages that I've uploaded to my AppVeyor account NuGet feed, yet it is failing to connect to the feed during the build.
In my appveyor.yml file I have:-
nuget:
account_feed: true
And I have confirmed that the account feed mentioned in the logs is the correct URL for my account feed.
I have also opened that feed by connecting to it using Visual Studio and entering my account credentials. When doing that, I have confirmed that the packages I'm trying to restore exist as expected.
However the build fails with this in the logs:-
https://ci.appveyor.com/nuget/xxxxxxxxxx-yyyyyyyyyyyy: Unable to load the service index for source https://ci.appveyor.com/nuget/xxxxxxxxxx-yyyyyyyyyyyy.
The HTTP request to 'GET https://ci.appveyor.com/nuget/xxxxxxxxxx-yyyyyyyyyyyy' has timed out after 100000ms.
NuGet Config files used:
C:\projects\MyProjectName\Source\NuGet.Config
C:\Users\appveyor\AppData\Roaming\NuGet\NuGet.Config
C:\ProgramData\nuget\Config\Microsoft.VisualStudio.Offline.config
C:\ProgramData\nuget\Config\ServiceFabricSDK.config
Feeds used:
C:\Users\appveyor\.nuget\packages\
https://www.nuget.org/api/v2
https://A-CUSTOM-EXTERNAL-NUGET-FEED-I-ALSO-ACCESS/nuget
https://ci.appveyor.com/nuget/xxxxxxxxxx-yyyyyyyyyyyy
C:\Program Files (x86)\Microsoft SDKs\NuGetPackages\
C:\Program Files\Microsoft SDKs\Service Fabric\packages\
Note: The custom external NuGet feed should be unrelated. I have other packages that successfully restore from there before my build breaks with the private account repo attempt.
Is there something I'm missing that will allow me to connect to my AppVeyor account NuGet repo for the restoring of a package?
Could it have anything to do with the package itself?
AppVeyor has made some changes not allowing you to implicitly include your private account NuGet repository for public code respositories.
As in #ilyaf's answer, the discussion here confirms this, and says the following is the reason.
In previous implementation having this enabled and working for public
project was a vulnerability rather than a feature because on your
account feed you can have NuGet packages from both public and private
projects and anyone submitting PR to public build would have been able
to grab private packages from your account feed. It's fixed now.
So to still get this working, as mentioned in #Feodor Fitsner's comment, you need to configure a new nuget source mentioning your account's NuGet repo.
Here's what you need to do.
Go to the Project in AppVeyor that you're trying to build and select the Settings for that project. On the 'Environments' settings tab, add two new Environment Variables:-
'nuget_user'
'nuget_password'
...placing your AppVeyor credentials in the values for each of those.
In your appveyor.yml, add a new NuGet source under the install node.
install:
- nuget sources add -Name MyAccountFeed -Source <feed-url> -UserName %nuget_user% -Password %nuget_password%
...where <feed-url> is your NuGet feed URL.
Note: These two steps are defined in steps 2 and 3 or this doc.
https://www.appveyor.com/docs/nuget/#configuring-external-private-nuget-feed-for-your-builds
Now, ensure that you have account_feed and project_feed off for your build (otherwise the build will complain that there are duplicate feeds).
Do this by either deleting the following:-
nuget: account_feed:
OR ensure you have
nuget:
account_feed: false
project_feed: false
Your project should now build correctly, retrieving your NuGet packages from your NuGet account.
This, however, may be a workaround to what AppVeyor were trying to initially block with their change.
Please take a look at this discussion.