Home: NuGetSdkResolver doesn't respect pivots that come through msbuild properties (example --config-file, RestoreSources)

This is becoming kind of challenge, because restore itself has various configuration pivots that likely don't work with the SDK resolver.

--config-file is one. I imagine RestoreSources & similar msbuild settings for NuGet don't work.

I'd imagine the whole list from https://github.com/NuGet/Home/wiki/%5BSpec%5D-NuGet-settings-in-MSBuild is an issue.

And that'll continue to be a moving target in the future.

//cc @rrelyea

Anything settings coming from MSBuild will not work with the SDK resolver because the project has not been evaluated yet. So no properties or items are loaded to even pass along. The feeds must be defined in the root nuget.config and auth tokens will have to be in that file that can be found by the SDK resolver or the credential provider needs to get them.

We could possibly plumb the custom path to the nuget.config to the SDK resolver but that wouldn't be available until 16.1 at the earliest. I would like to find a workaround that unblocks people immediately.

Doesn't the newer credential provider use environment variables to pass along auth tokens? Editing the nuget.config in a temp directory and then passing the path to dotnet.exe restore or nuget.exe seems less stable than setting env vars that the credential provider can pick up.

A similar issue was raised in #8183

What the current state of this issue? We (.NET Core) are running into this as well and are curious what the current thinking is.

cc/ @jcagme

No progress has been made on it.

Note that this scenario adds some inconvenient coupling so if you can at all avoid it, please do so.

You are saying we should not try restoring SDK packages from a private feed?

Don't specify the config file directly & allow the tooling to discover it by convention.

If you put the config file at the repo root and/or near the solution files, ti will be discovered by the tooling automatically.
You can disable other cascading configs interfering with yours by adding clear tags like the ones we use in the NuGet Client repo.
https://github.com/NuGet/NuGet.Client/blob/dev/NuGet.Config

Well, at least for our case explained here we don't pass in the location of nuget.config and use the one in the root. Since we are trying to restore packages from a private AzDO feed, probably cred provider is doing that under the covers?

The cred providers were enabled for the sdk resolver so that should be working the same as regular restore.

I'm not sure why it's having trouble detecting the plugin however.
It should be under ~/.nuget/plugins

I should note that the Azure Pipelines DotNetCoreCLI task does not use the credential provider today. It uses a flow where it generates a temporary config, and passes --configfile to dotnet. That means that the DotNetCoreCLI task definitely won't work today with MSBuild SDKs in authenticated feeds.

If I understand correctly, @jcagme might be seeing _another_ issue where nuget doesn't invoke the credential properly for MSBuild SDKs. I think we need to investigate that further - I haven't had a chance to look into that yet.

The cred providers were enabled for the sdk resolver so that should be working the same as regular restore.

I'm not sure why it's having trouble detecting the plugin however.
It should be under ~/.nuget/plugins

Yes, the installation script put the plugin in ~/.nuget/plugins/netcore

I should note that the Azure Pipelines DotNetCoreCLI task does not use the credential provider today. It uses a flow where it generates a temporary config, and passes --configfile to dotnet. That means that the DotNetCoreCLI task definitely won't work today with MSBuild SDKs in authenticated feeds.

If I understand correctly, @jcagme might be seeing _another_ issue where nuget doesn't invoke the credential properly for MSBuild SDKs. I think we need to investigate that further - I haven't had a chance to look into that yet.

Yeah, for our builds we don't use the task but use dotnet restore directly. This is what I've done:

Windows

1. Run installation script
2. Run build script
   Output: successfully restored packages in private feed

Mac

1. Run installation script
2. Run build script
3. Since things didn't work, installed VS for Mac and signed in using my [at]microsoft account
4. Run build script
   Output:
   /Users/jcagme/code/jcagme/arcade/Directory.Build.props(3,3): warning : Unable to load the service index for source https://xxx.pkgs.visualstudio.com/_packaging/xxx-test/nuget/v3/index.json. /Users/jcagme/code/jcagme/arcade/Directory.Build.props(3,3): error : Unable to find package Microsoft.DotNet.Arcade.Sdk. No packages exist with this id in source(s): dotnet-core, nuget.org /Users/jcagme/code/jcagme/arcade/Directory.Build.props(3,3): warning : The plugin credential provider could not acquire credentials. Authentication may require manual action. Consider re-running the command with --interactive fordotnet, /p:NuGetInteractive="true" for MSBuild or removing the -NonInteractive switch forNuGet

Azure DevOps build agent

1. Run installation script
2. Run build script
3. Run build script
   Output: same as in Mac

Is it possible your VSS_NUGET_EXTERNAL_FEED_ENDPOINTS envvar isn't getting set or is incorrect?

If it's a domain account perhaps the windows case is working because it's silently / non-interactively authenticating and thus doesn't need VSS_NUGET_EXTERNAL_FEED_ENDPOINTS? Not sure what identities are in play here for you.

I thought that to be the case but I then included a step to echo the variable value and it is correct. It looks like {"endpointCredentials": [{"endpoint":"https://pkgs.dev.azure.com/xxx/_packaging/xxx-test/nuget/v3/index.json", "password":"<BotPAT>"}]}

BotPAT is the PAT of an account I explicitly added as a contributor of the feed.

Unable to load the service index for source https://xxx.pkgs.visualstudio.com/_packaging/xxx-test/nuget/v3/index.json

{"endpointCredentials": [{"endpoint":"https://pkgs.dev.azure.com/xxx/_packaging/xxx-test/nuget/v3/index.json", "password":"<BotPAT>"}]}

pkgs.dev.azure.com/\

True, although https://pkgs.dev.azure.com/xxx/_packaging/xxx-test/nuget/v3/index.json is what I have in nuget.config in Windows (the one which works) and also that's what I get in Azure DevOps artifacts "Connect to feed". Should I attempt https://xxx.pkgs.visualstudio.com/_packaging/xxx-test/nuget/v3/index.json?

It must match up exactly between nuget.config and endpointCredentials. Putting both forms into endpointCredentials won't hurt.

0>F:\workspace\_work\1\s\artifacts\toolset\restore.proj : error : Unable to load the service index for source https://pkgs.dev.azure.com/xxx/_packaging/xxx-test/nuget/v3/index.json. 0>F:\workspace\_work\1\s\artifacts\toolset\restore.proj : error : Unable to load the service index for source https://xxx.pkgs.dev.azure.com/_packaging/xxx-test/nuget/v3/index.json.

It fails with both endpoints. Both endpoints live in nuget.config

@jeffkl
Do you think the general problem is still something we should try to address?
Specifically

Anything settings coming from MSBuild will not work with the SDK resolver because the project has not been evaluated yet. So no properties or items are loaded to even pass along.

The only thing we could plumb through would be global properties since they are loaded before a project is evaluated. You could then set the global property via the command-line or Directory.Build.rsp. We will never be able to use project properties in the SDK resolver since there is no way to "peek" ahead.

The issue for this proposed feature is here: https://github.com/microsoft/msbuild/issues/2095