We want to build a csproj project.
Because we will be using the package internally for development and
deliver it to an external company too we decided to create 2 packages/2 feeds.
Packages are created using the csproj file.
For the public feed we build using Release configuration.
For the private feed we build using Debug configuration + Symbols.
This will output 2 packages (*.symbols.nupkg and *.nupkg)
o What is advised to maintain code privacy but still have a good developer experience?
o What do I publish to the feed for Debug?
o Can I install both public/private package somehow, if not, what is advised?
o How does nuget decide on priority if I have both public and private feed in VS?
o If we start replacing the references by assembly with the nuget package and package that project, will it include the dependencies in the nuspec file?
If the external company can access to the public feed, just use the public feed can save your energies.
You can push your nuget packages to one place (the public feed), it will be convenient to manage and maintain the package, and developers from the external company can also get the package from the public feed. And it’s also the common way to use.
If the external company can not access to the public feed, or you just want to manage the package in two separate feeds
There will have the questions as you list (the main point is packages in private feed and public feed are equal):
Any of the packages (name.symbols.nupkg and name.nupkg) can be pushed to the private feed since the contents of the two packages are same. The only difference is the names.
You can not install the package both from public feed and private feed. After install the package from one feed, when you search the package in the other feed, it will show the package has installed. And it’s the same result to install the package from any of the two feeds.
Related
We are setting up github for our org and will have a lot of nuget packages we want to share between different projects. From my understanding you should be able to enable teams to set the access level for packages they create by following this : https://docs.github.com/en/packages/learn-github-packages/configuring-a-packages-access-control-and-visibility#container-creation-visibility-for-organization-members
After the teams have been granted the right to create internal and public packages, I can't figure out how they actually do it. Ideally that should be a setting when publishing the package, but I haven't found it. Further down on the same page it describes how to change the visibility manually, but I don't have that option and I'm the owner of the organization.
So how do I publish an internal package to github package registry?
I have an Azure Pipelines job setup to authenticate to a private NuGet feed in Azure Artifacts, and then build my .NET project that relies on a NuGet package in the feed. However, my private package is a pretty common name. How can I ensure that it only installs that specific package from my private feed, and doesn't try to fallback to the NuGet general gallery? I do not want it to pull in an incorrect package that has the same name and version name as my private package.
Once you configure multiple sources/feeds, NuGet will look for a package in all these sources together with no guarantee of where the package will be downloaded from. However, you could make the AzDo artifacts feed as the only configured feed and then upstream other sources from it. This way NuGet will get all packages from the configured AzDo artifacts source and AzDo artifacts will source other packages not available with it from the upstreamed sources in the order defined. More info can be found here: https://learn.microsoft.com/en-us/azure/devops/artifacts/concepts/upstream-sources?view=azure-devops
Is it possible to change package visibility from private to public and vice versa?
In documentation there is a statement:
Private and public software packages: You can host packages privately or make them public. You can host packages privately and share them with your coworkers or organization, or make them public for the entire world.
But I can't find any setting in the repo or info in documentation on how to make the package public.
Use case I'm trying to achieve: Private repository with SDK source code and public (stable releases) / private (internal testing) packages.
We can just make a separate public repo with public releases, but it's a bit overhead and breaks the main idea of hosting code and packages in one place:
GitHub Package Registry is a software package hosting service, similar to npmjs.org, rubygems.org, or hub.docker.com, that allows you to host your packages and code in one place.
Will appreciate any help and information.
As you suspected there is no way to set the visibility on a package basis at the moment. It is based on the visibility of the repo.
From the launch notes:
Packages on GitHub inherit the visibility and permissions associated with the repository, and organizations no longer need to maintain a separate package registry and mirror permissions across systems.
There are restrictions in place, mostly oriented around public packages. Github doesn't want people to delete or make private, packages that are public as others may be dependent on them. So you can't delete a public package, even via the GraphQL API (private packages only may be deleted)
If the repo has been forked from a public repo, you can't change the repo to a private one (and thus make the package private). You would have to duplicate the repository and so it becomes a different repo.
So, try not to make mistakes when publishing :-)
There are organization level permissions for packages. When under organization, make sure to enable what you need.
Settings -> Packages -> Packages Permissions -> Package Creation
After that go back to organization home, Packages tab -> Click the package you want to change visibility -> Package Settings (See picture below)
I have a NuGet package in one private NuGet Feed. I want to include that NuGet package in a different private NuGet Feed. How do I add a package to NuGet from my local computer?
Thank you
It depends on the feed you want to add the package to. If it's an HTTP feed that supports the NuGet protocol, like nuget.org or an Azure Devops Artifacts feed, then you can use nuget.exe push. Some HTTP feeds may have a web page you can use to upload the package to. If you have a local file feed (even if it's a network share, it's still operating system file IO), then you can use nuget add, but nuget push may work as well.
Unless you give us more information about your private feed, we can only give you this generic advice.
I created the feed to store private npm package there.
When I publish my private package from the project - some another public packages are published to this feed.
Can I somehow prevent publishing of public packages to the feed?
Is it ok to store public packages on the VSTS feed?
Daniel Mann is correct - you most likely have the npmjs upstream source. Because npm only supports a single registry, the upstream source is required to use both public and private packages in the same project. This is by design and recommended by the Azure Artifacts team. The "Source" column on your package list should show that these packages come from npmjs directly.