.net, continuous-integration, nuget, github-actions

Hide clear text password in nuget.config from source control


I have a nuget.config file that looks like this:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <packageSources>
        <clear />
        <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
        <add key="github" value="https://nuget.pkg.github.com/mycompany/index.json" />
    </packageSources>

    <packageSourceCredentials>
        <github>
            <add key="Username" value="username" />
            <add key="ClearTextPassword" value="password" />
        </github>
    </packageSourceCredentials>

    <packageSourceMapping>
        <packageSource key="github">
            <package pattern="MyCompany.*" />
        </packageSource>

        <packageSource key="nuget.org">
            <package pattern="*" />
        </packageSource>
    </packageSourceMapping>
</configuration>

This file is checked in to source control and includes the clear text password. I don't want the password to be visible in source control. I use GitHub Actions for building the project. Is it possible to use a secret/env variable to replace the password?


Solution

  • Option 1: credentials in user-profile nuget.config

    As NuGet's docs on its config files state, NuGet reads multiple nuget.config files and "accumulates" them.

    Therefore, you can have your repo nuget.config contain the <packageSources> and <packageSourceMapping> sections, but move the <packageSourceCredentials> to your user-profile nuget.config (or another nuget.config in the parent directory of your repo, so it's not in source control), and this way your repo nuget.config won't have any credentials saved in it.

  • Option 2: Use environment variable substitution for the credential value

    The docs for nuget.config's packageSourceCredentials have a few examples, the second of which shows using a %name% substitution to get the value from an environment variable. For example:

        <packageSourceCredentials>
            <github>
                <add key="Username" value="username" />
                <add key="ClearTextPassword" value="%EnvironmentVariableName%" />
            </github>
        </packageSourceCredentials>
    

  • Option 3: Use NuGet's convention-based environment variable

    Using this option, your nuget.config should not have the <packageSourceCredentials> section at all.

    NuGet has supported this for many years, but appears to have been undocumented until recently. You can set an environment variable NuGetPackageSourceCredentials_{name} with value Username={name};Password={secret}.

    For example, given your example nuget.config defines a source <add key="github" value="https://nuget.pkg.github.com/mycompany/index.json" />, then set the environment variable NuGetPackageSourceCredentials_github to value Username=username;Password=password.
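Whichever option is used, the thing that actually prevents a repeat of the leak is a check that fails the build (or a pre-commit hook) when a literal ClearTextPassword comes back. The script below is an added example and is not code from the answer above or from NuGet; it uses only the Python standard library. It parses a nuget.config, reports every source whose ClearTextPassword is a literal rather than a %NAME% substitution (Option 2), and builds the NuGetPackageSourceCredentials_{name} variable from Option 3. The three embedded configs are constructed samples based on the question's file; the secret and variable names in them are placeholders.

```python
"""Guard against cleartext NuGet credentials in a checked-in nuget.config.

Added example, not from the original post. Python 3.9+ standard library only.
"""
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample: the question's nuget.config with a literal password.
LEAKY_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <clear />
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
    <add key="github" value="https://nuget.pkg.github.com/mycompany/index.json" />
  </packageSources>
  <packageSourceCredentials>
    <github>
      <add key="Username" value="username" />
      <add key="ClearTextPassword" value="password" />
    </github>
  </packageSourceCredentials>
</configuration>
"""

# Constructed sample for Option 2: the value is NuGet's %NAME% substitution
# (GH_PACKAGES_TOKEN is a placeholder variable name).
SUBSTITUTED_CONFIG = LEAKY_CONFIG.replace(
    'value="password"', 'value="%GH_PACKAGES_TOKEN%"'
)

# Constructed sample for Option 3: no <packageSourceCredentials> at all.
CLEAN_CONFIG = (
    LEAKY_CONFIG.split("<packageSourceCredentials>")[0] + "</configuration>\n"
)

# NuGet's environment-variable substitution syntax: %NAME%, nothing else.
ENV_SUBSTITUTION = re.compile(r"^%[A-Za-z_][A-Za-z0-9_]*%$")


def find_cleartext_passwords(config_xml: str) -> list[str]:
    """Return the package-source names whose ClearTextPassword is a literal.

    A %NAME% value is resolved from the environment at restore time and is
    not a leak; any other ClearTextPassword value is a secret in the file.
    """
    root = ET.fromstring(config_xml)
    creds = root.find("packageSourceCredentials")
    if creds is None:
        return []
    leaks = []
    for source in creds:  # one child element per package source, named by key
        for add in source.findall("add"):
            if add.get("key") == "ClearTextPassword":
                if not ENV_SUBSTITUTION.match(add.get("value", "")):
                    leaks.append(source.tag)
    return leaks


def credential_env_var(source_key: str, username: str, secret: str) -> tuple[str, str]:
    """Build Option 3's variable as a (name, value) pair.

    Assumption: NuGet splits the value on ';' into key=value fields, so a
    ';' inside either field is rejected here rather than silently truncated.
    """
    if ";" in username or ";" in secret:
        raise ValueError("';' separates the fields and cannot appear in them")
    return (
        f"NuGetPackageSourceCredentials_{source_key}",
        f"Username={username};Password={secret}",
    )


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "nuget.config"
    # utf-8-sig strips the BOM Visual Studio often writes; ET would choke on it.
    with open(path, encoding="utf-8-sig") as fh:
        found = find_cleartext_passwords(fh.read())
    for name in found:
        print(
            f"{path}: source '{name}' stores a cleartext password; "
            f"use %VAR% or NuGetPackageSourceCredentials_{name} instead"
        )
    sys.exit(1 if found else 0)
```

Run it as `python check_nuget_config.py nuget.config` in a CI step before `dotnet restore`; a non-zero exit fails the job. For the restore itself under Option 3, the GitHub Actions step sets the variable from a repository secret, e.g. `env: NuGetPackageSourceCredentials_github: "Username=${{ github.actor }};Password=${{ secrets.GH_PACKAGES_TOKEN }}"`, where `GH_PACKAGES_TOKEN` is an assumed secret name; GitHub masks secret values in the job log, which is one more reason to keep the secret in `secrets` rather than in the checked-in file.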