How to use secure NuGet sources in Visual Studio
Overview
This article provides an overview of using basic authentication to restore GMS² NuGet packages in your CI (Continuous Integration) workflow.
Storing a NuGet Key
Danger
Never check in a NuGet Key with your source code or leave it publicly visible in plain text, for example, as a raw key value in a nuget.config file.
To protect the NuGet Key, store it as a secret environment variable when using GitLab's project-level package registry.
1. In the root of your project, create a file named nuget.config.

2. Add this content. Setting names are case-insensitive, and values can use environment variables.

   ```xml
   <?xml version="1.0" encoding="utf-8"?>
   <configuration>
     <packageSources>
       <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
       <add key="GMSS Gitlab NuGet Source" value="https://gitlab.com/api/v4/groups/89584519/-/packages/nuget/index.json" />
       <add key="local" value="./deps" />
     </packageSources>
     <packageSourceCredentials>
       <GMSS_x0020_Gitlab_x0020_NuGet_x0020_Source>
         <add key="Username" value="%GITLAB_NUGET_USERNAME%" />
         <add key="ClearTextPassword" value="%GITLAB_NUGET_PASSWORD%" />
       </GMSS_x0020_Gitlab_x0020_NuGet_x0020_Source>
     </packageSourceCredentials>
     <config>
       <add key="repositoryPath" value="./deps" />
     </config>
   </configuration>
   ```

3. In the directory where you created the nuget.config file, make sure to create a folder called deps to manage local packages.

4. Set the environment variables on your development machine.

   Windows: set the GITLAB_NUGET_USERNAME environment variable to the value gitlab+deploy-token-pkg-readonly.

   ```
   setx GITLAB_NUGET_USERNAME "gitlab+deploy-token-pkg-readonly"
   ```

   Repeat the same action for the GITLAB_NUGET_PASSWORD environment variable.

   ```
   setx GITLAB_NUGET_PASSWORD "<use-gmss-gitlab+deploy-token-pkg-value>"
   ```

   setx stores the value for the current user and only affects processes started afterwards, so restart Visual Studio and any open terminals.

   Linux/macOS: set the GITLAB_NUGET_USERNAME environment variable to the value gitlab+deploy-token-pkg-readonly.

   ```
   export GITLAB_NUGET_USERNAME="gitlab+deploy-token-pkg-readonly"
   ```

   Repeat the same action for the GITLAB_NUGET_PASSWORD environment variable.

   ```
   export GITLAB_NUGET_PASSWORD="<use-gmss-gitlab+deploy-token-pkg-value>"
   ```

   export applies only to the current shell session and the processes it starts.
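A check for the rule in the Danger note, written as an added example (not part of the original article or the GMS² project): it parses a nuget.config and reports any Password or ClearTextPassword setting whose value is a literal rather than a %VARIABLE% reference. The function names, the sample documents and the token placeholder are constructed for illustration.

```python
import re
import sys
import xml.etree.ElementTree as ET

# A secret value passes only if it is exactly one %ENV_VAR% reference.
ENV_REF = re.compile(r"%[A-Za-z_][A-Za-z0-9_]*%")
SECRET_KEYS = {"password", "cleartextpassword"}  # setting names are case-insensitive

def decode_source_name(tag):
    """Undo XML name escaping (_x0020_ is a space) to recover the source key."""
    return re.sub(r"_x([0-9A-Fa-f]{4})_", lambda m: chr(int(m.group(1), 16)), tag)

def find_hardcoded_credentials(config_xml):
    """Return (source name, setting key) for each secret stored as a literal."""
    findings = []
    for element in ET.fromstring(config_xml).iter():
        if element.tag.lower() != "packagesourcecredentials":
            continue
        for source in element:
            for add in source:
                key, value = add.get("key", ""), add.get("value", "")
                if key.lower() in SECRET_KEYS and not ENV_REF.fullmatch(value):
                    findings.append((decode_source_name(source.tag), key))
    return findings

# Constructed samples: the credentials section from this page, and a copy where
# someone pasted a token (placeholder value) in place of the variable reference.
SAFE_CONFIG = b"""<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSourceCredentials>
    <GMSS_x0020_Gitlab_x0020_NuGet_x0020_Source>
      <add key="Username" value="%GITLAB_NUGET_USERNAME%" />
      <add key="ClearTextPassword" value="%GITLAB_NUGET_PASSWORD%" />
    </GMSS_x0020_Gitlab_x0020_NuGet_x0020_Source>
  </packageSourceCredentials>
</configuration>"""
LEAKY_CONFIG = SAFE_CONFIG.replace(b"%GITLAB_NUGET_PASSWORD%", b"constructed-token-value")

if __name__ == "__main__":
    if len(sys.argv) > 1:  # CI use: exit non-zero if the given file holds a literal secret
        with open(sys.argv[1], "rb") as fh:
            sys.exit(1 if find_hardcoded_credentials(fh.read()) else 0)
    print(find_hardcoded_credentials(LEAKY_CONFIG))  # demo on the constructed sample
```

Run with the path to nuget.config as a pre-commit or pipeline step; a non-zero exit code means a literal credential was found.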
Using Only CLI Commands
You can use the CLI add source (or update source) command to set the credentials of a package source. This CLI approach is applicable if your CI system doesn't support default environment variable secrets or if you do not use a custom nuget.config.
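```bash
# add source takes the feed URL as its argument and the display name via --name.
# Double quotes let the shell expand the variables; single quotes would store the literal text.
dotnet nuget add source "https://gitlab.com/api/v4/groups/89584519/-/packages/nuget/index.json" \
  --name "GMSS Gitlab NuGet Source" \
  --username "${GITLAB_NUGET_USERNAME}" \
  --password "${GITLAB_NUGET_PASSWORD}" \
  --configfile "./nuget.config" \
  --store-password-in-clear-text
```

This command writes the expanded password into ./nuget.config in clear text, so run it only inside the CI workspace and do not commit or publish the resulting file.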