Azure documentation says that in a public project you can create a public feed. I did so and also scoped the feed to the organisation rather than project scoped, so that CICD for private projects can push packages to it.
However, selecting the feed and clicking on the "Connect to feed" button, then clicking the dotnet options, produces this.
Adding that nuget.config to a project then attempting to add a package from the feed fails. If we take the URL from the nuget.config and request it using a browser we get a 401 Forbidden.
Why?
Why is authentication required? It's supposed to be a public feed. Does public mean "any AAD identity, not just the ones for this organisation" ?
I can also reproduce your issue on my side, the cause of the issue is that you selected the Scope with Organization when you creating the feed.
According to the doc:
Only project-scoped feeds can be made public.
To fix the issue, just select the Scope with Project when creating the feed, it will work fine.
Related
I have created a Project scoped nuget feed in azure dev. I have some developers that I want them to be able to list/restore and read nuget packages so that they can add them in the projects they are working on.
I have added them in my organization (they are using an email address like outlook.com and gmail.com) without any project access and then from the nuget feed permissions I gave the permissions as Readers
When they try to run nuget list they get
Unable to load the service index for source https://pkgs.dev.azure.com/myorganizationname/e1f090d9-f848-428b-b774-7fd9dfc873ef/_packaging/Nuget-Test-Feed/nuget/v3/index.json.
Response status code does not indicate success: 404 (Not Found - VS800075: The project with id 'vstfs:///Classification/TeamProject/e1f090d9-f848-428b-b774-7fd9dfc873ef' does not exist, or you do not have permission to access it. (DevOps Activity ID: 09410946-865a-4d69-9b05-f1fd1d668891)).
Why they are not be able to access this feed?
Project nuget feed in azure dev cannot be accessed from reader
That is because the Project-scoped feeds inherit the visibility of the project.
So, if the user is not added to the project, will not access the feed.
To resolve this issue, please try to add the user to the project.
As test, I add my test use as Project Readers:
Then my test user could access the feed:
These GitHub workflow badges that show the results of GitHub Actions display fine in e.g. the GitHub README.md or when pasted as the URL in a browser with a session hooked up to GitHub.
But when accessed from Confluence Cloud using the same URL (or from an incognito browser instance) GtHub returns a not found 404 which is not surprising.
Does GitHub have a setting such as the Azure one Azure Pipelines status badge not getting displayed in markdown to make the badges public? I haven't found one so far.
(On Jenkins this option is called "Grant ViewStatus permissions for Anonymous Users".)
PS
Did some more Googling this morning and found:
Getting the status of a badge from a private repository
Workflow/actions status badge giving 404 on private repo in an organization
but the solution in the second link doesn't work for me.
I have a public project in Azure DevOps that isn't public. The settings show the project is public, the organization security polices allow public projects, but no one can access the project unless they are a member of a team. Am I understanding this wrong? I thought non-members of a public project should be able to Browse the code base, download code, view commits, branches, and pull requests. They get a 401. How do I set up a project so anyone with a Microsoft login can at least download the code?
You may have visited the organization rather than the project.
When you make a project public, anyone can access the project, but only users in the organization can access the organization. So you need to go directly to the url of the project.
For example, to access project B in organization A, you need to visit https://dev.azure.com/{organization A}/{project B} instead of https://dev.azure.com/{organization A}.
Right now my NuGet restore fails since the project build user doesn't have contributor access to the package feed.
/usr/share/dotnet/sdk/3.0.100/NuGet.targets(123,5): error : Unable to load the service index for source pkgs.dev.azure.com[..]index.json.
/usr/share/dotnet/sdk/3.0.100/NuGet.targets(123,5): error : Response status code does not indicate success: 403 (Forbidden - User 'xxxxxxx' lacks permission to complete this action. You need to have 'ReadPackages'.
The solution is to change the build authorization scope from current project to project collection. This seems very doable as seen here:
https://learn.microsoft.com/en-us/azure/devops/pipelines/build/options?view=azure-devops
But where, in DevOps' myriad menus, can this scope be set?
EDIT 2023: The Artifacts UI in DevOps has changed since this answer and this answer is no longer valid. See J-M's answer on a similar question:
https://stackoverflow.com/a/73136309/5358731
There was a workaround for this 403 error posted a few hours ago: https://developercommunity.visualstudio.com/content/problem/795493/403-error-during-nuget-restore.html
In short, this seems to affect new projects connecting to a private feed. Here's the suggested work around:
Click "Artifacts" in the project with the failing build
Select the feed you were trying to consume in your build and click the cog in the top right corner
Click "Feed Settings"
Go to the Permissions tab
Click the 3 dots [...] that appeared to the right of the tab
Click "Allow project-scoped builds"
This adds the relevant user permissions that the error the OP posted was complaining about. Hopefully Microsoft will make a proper fix for this soon.
Full credit to Tim Lynch from the developer community page.
All answers are valid but it depends.
Take into account that only Contributor and Owner roles are allowed to push packages read the docs here.
Then also remember Scoped build identities .
Azure DevOps uses two built-in identities to execute pipelines.
A collection-scoped identity, which has access to all projects in the collection (or organization for Azure DevOps Services)
A project-scoped identity, which has access to a single project
...
By default, the collection-scoped identity is used, unless the Limit
job authorization scope to current project is set in Project Settings > Settings.
With this in mind follow the next steps:
You need to check which identity is being used for your pipelines:
For me is project-scoped identity
Add/Check the Feed Permissions as it may apply (I'll leave a description below the image)
No. 1 If the identity is collection-scoped
No. 2 If the identity is project-scoped
No. 3 Give your contributors the least privilege principle if it applies. (For me its ok to leave them read the feed, and the pipeline or me are the only ones allowed to push packages)
Remember again you need to use Owner or Contributor roles.
Go to your feed settings:
In the Permissions tab verify that have at least reader permissions to "Project Collection Build Service (username)":
It appears under Organization and Project Settings. Find Pipelines/Settings and there is a toggle option named Limit job authorization scope to current project.
I have developed a tiny library that I chose to host on GitHub. The code is being built by a VSTS build and published as a NuGet package.
I have written a README.md file and I am trying to include a Build badge on it, as described in the Microsoft documentation. Consequently, I have added the following line in the MD file and replaced the placeholders accordindly:
The problem is that the link is not accessible to anyone that is not logged-in on VSTS and I end up with a 'broken' link on my readme page:
Question
What must be done to make the VSTS Build Badge available to a GitHub repo?
I suppose you must include an authentication token of sorts in order to have at least read-access to the VSTS build from your GitHub page.
Note that the documentation lists also multiple pending issues, including MicrosoftDocs/vsts-docs issue 1499:
Build status badge added to GitHub readme doesn't show up.
So this is still in progress.
On that last issue, it says:
This is due to public vs. private projects.
If you make your project public the image URL will render.
There are other potential workarounds we are looking at for the doc.
See "Change the project visibility, public or private".