Posted by Today we are going to consume a NuGet package from GitHub Packages, and configure Dependabot to update from our GitHub repository. In our last post, we reviewed how to create and publish a NuGet package to GitHub Packages. At times, the whole NuGet ecosystem gets a bit confusing here, so we are going to break it down how to do this step by step.
Why we can’t set the package up in Visual Studio
First step, after opening Visual Studio, we look at our NuGet package settings. While we can see the settings to configure a connection to GitHub packages, there is nowhere to setup the authentication. If we fill this out, we will receive 401 access denied errors.
Instead we have to create and configure our own NuGet.config file. NuGet.config files can be confusing. To use them, you need to add them at the solution folder level – not the project, and this is a problem – as now we are adding a clear text password to our source code – which we know is a big no no.
Instead, we can use the “dotnet nuget add source” command to process our password into an encrypted secret – unique for our machine and user, which is generated in the “%appdata%\NuGet\NuGet.Config” folder, which is used if there is no NuGet.config file in the solution folders. This is great, as it isn’t in our solution folder and won’t be pushed to the repository. The disadvantage here is that we will need to run this for each team member in our development team. The syntax for us is below:
dotnet nuget add source "https://nuget.pkg.github.com/SamSmithNZ-dotcom/index.json" --name "githubfeed" --username "samsmithnz@gmail.com" --password "[MyPassword]"
There are a number of parameters here, we will look at in detail
- First, we use the keyworks “dotnet nuget add source”, which will generate the NuGet.config file
- The next section is the json file that references the NuGet package in GitHub packages, for us it’s a personal organization we created
- Next we name it anything we like, we named it “githubfeed” – this is what we will see in Visual Studio later
- Then we add the user name and password. The password will be a PAT (Personal Access Token) token, scoped to read packages only. What password should we use? Let’s talk about the PAT Token
Generating the PAT token
A PAT token is a developer token, essentially a password, that is scoped to only access specific resources for a period of time – generally 30-60 days. The PAT token is powerful, as very useful for automation. Note that it’s generated for an account – and can therefore access all repositories in that account. We generate the PAT token in our GitHub account settings. Click on your profile picture in the top right, and then select “Settings”
Once in settings, we select the “Developer Settings” section, right at the very bottom.
Now in developer settings, we select “Personal Access Tokens” and click the “Generate new token” button.
This is where we create the token, naming it, selecting an expiration date (an expiration is highly recommended), and checking only the “read:packages” scope.
This generates a string that only shows once – make sure you copy it, as we will need it a few times today. Remember that this IS considered a password, and should be treated as one.
Creating the NuGet.config file
Now in our PowerShell window, we can create the NuGet file with a good password:
Back in Visual Studio, with the NuGet.config file in our appsettings, we will be able to see the connection to our GitHub packages, and can add the packages we published earlier.
Using with GitHub Actions
Now that we have our local development environment setup, we need to replicate this in GitHub actions. This is straight forward. Before our “dotnet restore”, we add the “dotnet nuget add source” line. We have a choice here. We can use the GITHUB_TOKEN – which will give us permission to access packages in the repository. If you need to access the package in ANOTHER repository, you should use the PAT token we generated before. After adding these lines anytime before we use “dotnet”, we have injected the package into the build
dotnet nuget add source "https://nuget.pkg.github.com/SamSmithNZ-dotcom/index.json" --name "githubfeed" --username "samsmithnz@gmail.com" --password "${{ secrets.GITHUB_TOKEN }}"
dotnet restore SamSmithNZ/SamSmithNZ.Service/SamSmithNZ.Service.csprojHere is a completed example for context. You can also see the entire action here.
Updating Dependabot
What about Dependabot? How do we keep these dependencies up to date in our projects? How does Dependabot know how to access our GitHub NuGet package? We need to make some edits to our Dependabot file.
There are two main sections here we need to look at, (the entire Dependabot file is visible here). Lines 2-10 setup the downstream repositories that Dependabot will be looking at. We found that once you add one package reference, (lines 3-7), you have to be explicit and add the core NuGet.org feed too (see lines 8-10). Looking closer to lines 3-7, you will see on line 7, we had to add a special Dependabot secret, we will look at this more shortly. The only other change from a regular Dependabot configuration, is lines 14-16, where we specified that this project needs to use both repositories
Let’s look at that Dependabot secret. In our repository settings, in the secrets section, there is a special Dependabot section for secrets. This is where we added the new secret, pasting in our PAT token we generated earlier again
Wrap up
That is it! Today we connected to our published GitHub package, updated our GitHub Action to consume it in CI/CD, and finally update our dependency supply chain with Dependabot! This was definitely more involved than we thought, and we ended up learning a lot about NuGet.config files – that Visual Studio typically largely manages for us!
References
- NuGet Add Source docs: https://docs.microsoft.com/en-us/dotnet/core/tools/dotnet-nuget-add-source
- Location of NuGet file: https://stackoverflow.com/a/42739820/337421
- Dependabot private registries: https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates#registries
- Secrets in Dependabot: https://github.blog/2021-03-15-dependabot-private-dependencies/
Sam Learns Azure 
One correction. The place isn’t “%appdata%\NuGet\NuGet.Config”
It’s “%appdata%\Roaming\NuGet\NuGet.Config”
LikeLike
You aren’t wrong – when I paste the above link into my explorer, it redirects to the Roaming location.
LikeLike
Yep.. I just realized that.. I was going to delete my comment..
The path is “C:\Users\Use name\AppData\Roaming\NuGet\Nuget.Config”, but using Ctrl + R you have to use “%appdata%\NuGet\NuGet.Config”.
This won’t work in Ctrl + R “%appdata%\Roaming\NuGet\NuGet.Config”
LikeLike
Yeh, you are right, if I paste in %appdata%\Roaming\NuGet to my explorer it can’t find the location. I’m going to leave it as it is for now, as it technically gets you to the right location. 🙂
LikeLike