fix: NuGet auth config layering to fix 401 on private feed in Docker #1062
Merged
BenjaminMichaelis merged 3 commits into main from May 6, 2026
…pping

Replace --configfile (which drops all other NuGet config) with copying a credentials-only file to ~/.nuget/config/credentials.config so NuGet merges it with the repo's nuget.config (including packageSourceMapping).

- Add required=false to secret mount (explicit optional behavior)
- Generate credentials-only config in CI (nuget.config remains single source of truth for feeds and packageSourceMapping)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Omit packageSources from the generated config so NuGet's config layering keeps nuget.config as the single source of truth for feed URLs and packageSourceMapping rules.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
This PR fixes Docker private-feed restore failures by switching from dotnet restore --configfile ... (which overrides the repo nuget.config, breaking packageSourceMapping) to NuGet config layering: a credentials-only config is injected during Docker builds so the repo nuget.config remains authoritative for feeds and source mapping.
Changes:
- Update Dockerfile to mount a NuGet auth secret (optional) and rely on NuGet's config merge behavior instead of --configfile.
- Update the deployment workflow to generate a credentials-only NuGet config (no <packageSources> section), preventing it from clobbering repo feed configuration.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| EssentialCSharp.Web/Dockerfile | Switches restore to layered NuGet auth config instead of --configfile; makes secret mount optional. |
| .github/workflows/Build-Test-And-Deploy.yml | Generates a credentials-only NuGet config for Docker secret injection (no package sources). |
Comment on lines +21 to +26
| RUN --mount=type=secret,id=nugetconfig,required=false \ | ||
| if [ "$ACCESS_TO_NUGET_FEED" = "true" ] && [ -f /run/secrets/nugetconfig ]; then \ | ||
| dotnet restore "EssentialCSharp.Web.slnx" --configfile /run/secrets/nugetconfig -p:AccessToNugetFeed=$ACCESS_TO_NUGET_FEED; \ | ||
| else \ | ||
| dotnet restore "EssentialCSharp.Web.slnx" -p:AccessToNugetFeed=$ACCESS_TO_NUGET_FEED; \ | ||
| mkdir -p ~/.nuget/config && \ | ||
| cp /run/secrets/nugetconfig ~/.nuget/config/credentials.config; \ | ||
| fi && \ | ||
| dotnet restore "EssentialCSharp.Web.slnx" -p:AccessToNugetFeed=$ACCESS_TO_NUGET_FEED && \ |
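Review bot: With required=false on the mount, the `if` on the second line of this hunk silently skips the copy when ACCESS_TO_NUGET_FEED is "true" but /run/secrets/nugetconfig is absent, so the restore on the last line runs without credentials and the failure surfaces only as an authentication error from the feed. Consider a separate branch that exits with a clear message when the flag is true and the secret file is missing, so a misconfigured build is distinguishable from a bad token. Also, the removal of ~/.nuget/config/credentials.config is not visible in these lines; since the restore line ends in `&& \`, confirm the delete is chained in this same RUN instruction and not in a later one, otherwise the copied file is captured in the layer.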
Deleting ~/.nuget/config/credentials.config in the same RUN instruction ensures the PAT never appears in the final layer snapshot (create + delete in one RUN = net zero diff). Prevents credential leakage into BuildKit layer cache.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Problem

PR #1060 merged with the --configfile approach for Docker NuGet auth. This approach:

- nuget.config entirely (including packageSourceMapping)

The fixup commit from the original PR branch was never applied to main.

Fix

Switch to NuGet config layering (NuGet 5.7+):

- <packageSources>)
- ~/.nuget/config/credentials.config
- nuget.config automatically
- nuget.config remains the single source of truth for feeds + packageSourceMapping

Changes

- Dockerfile: cp /run/secrets/nugetconfig ~/.nuget/config/credentials.config instead of --configfile; add required=false on secret mount
- Build-Test-And-Deploy.yml: credentials-only generated config (no <packageSources> section)

Testing

- ACCESS_TO_NUGET_FEED=false (no auth needed, verifies image builds)
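The credentials-only file described under Fix and Changes, sketched as an added example (not the project's workflow or Dockerfile code): a generator that writes only a packageSourceCredentials section, plus a check a CI step could run before handing the file to the build as the nugetconfig secret. The source key PrivateFeed, the file paths and the function names are placeholders; Username and ClearTextPassword are NuGet's standard credential keys.

```shell
#!/bin/sh
# Added example: PrivateFeed, user names and paths are placeholders, not the project's values.

# Escape a value for use inside an XML attribute.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' -e 's/"/\&quot;/g'
}

# write_nuget_credentials SOURCE_KEY USERNAME TOKEN OUT_FILE
# Emits only <packageSourceCredentials>; feed URLs and packageSourceMapping
# stay in the repo nuget.config that NuGet merges this file with.
write_nuget_credentials() {
  key=$1 user=$(xml_escape "$2") token=$(xml_escape "$3") out=$4
  # The source key becomes an element name, so restrict it to XML name characters.
  case "$key" in
    ''|[!A-Za-z_]*|*[!A-Za-z0-9_.-]*) echo "invalid source key: $key" >&2; return 2 ;;
  esac
  rm -f "$out"   # a pre-existing file would keep its old, possibly looser, mode
  ( umask 077    # subshell: file is created owner-only, caller's umask is untouched
    cat > "$out" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSourceCredentials>
    <$key>
      <add key="Username" value="$user" />
      <add key="ClearTextPassword" value="$token" />
    </$key>
  </packageSourceCredentials>
</configuration>
EOF
  )
}

# is_credentials_only FILE
# Succeeds only when FILE carries credentials and none of the sections that
# would redefine feeds or source mapping.
is_credentials_only() {
  grep -q '<packageSourceCredentials>' "$1" || return 1
  if grep -Eq '<(packageSources|packageSourceMapping|disabledPackageSources)([ />]|$)' "$1"; then
    return 1
  fi
  return 0
}
```
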