This repository contains a rich set of CI-CD demos where I show you how to:
- Connect to private nuget feeds; Azure, GitHub packages, and custom (eg Telerik).
- Build .NET apps and publish to a container registry; Docker, Azure, GitHub, etc.
Although I use Telerik's NuGet server because I have a license, these demos are good for any private feed type; just use your source URL and credentials instead!
- CI Systems
- Build Badges
- Videos
- Tips and Troubleshooting
- Related Blog Posts
| System | CI/CD file(s) |
|---|---|
| GitHub Actions | .github/workflows |
| Azure DevOps (YAML) | azure-pipelines.yml |
| Azure DevOps (classic) | click build badge |
| GitLab CI/CD | .gitlab-ci.yml ↗ |
| Project | GitHub Actions | Azure DevOps | GitLab CI |
|---|---|---|---|
| .NET MAUI |  |
||
| ASP.NET Core |  |
||
| ASP.NET Blazor |  |
 |
|
WPF (net48) |
 |
|
|
WinForms (net48) |
 |
||
| Console |  |
|
|
| WinUI 3 |  |
||
| Kendo Angular |  |
|
|
ASP.NET AJAX (net48) |
 |
- Docker and DockerHub integration:
- The
workflows/main_build-aspnetcore.ymluses a Dockerfile to build and publish a Linux image to DockerHub => lancemccarthy/myaspnetcoreapp.- Ex.
docker run -d -p 8080:8080 lancemccarthy/myaspnetcoreapp:latest - Ex.
docker run -d -p 8080:8080 lancemccarthy/myblazorapp:latest
- Ex.
- For a real-world example, visit Akeyless Web Target's docker-publish.yml, which builds and publishes the lancemccarthy/secretsmocker container image to Docker Hub.
- Ex.
docker run -d -p 8080:80 lancemccarthy/secretsmocker:latest
- Ex.
- The
- Azure DevOps: All statuses are for classic pipelines, except the
Consoleproject, which uses Azure DevOps YAML pipelines.
The following 4 minute video takes you though all the steps on adding a private NuGet feed as a Service Connection and consuming that service in three different pipeline setups.
- 0:09 Add a Service connection to the Telerik server
- 1:14 Classic pipeline for .NET Core
- 1:47 Classic .NET Framework pipeline
- 2:25 YAML pipeline setup for .NET Core
A common problem to run into is to think that the environment variable is the same thing as the GitHub Secret (or Azure DevOps pipeline variable). In this demo, I intentionally named the secrets a different name than the environment variable name so that it is easier for you to tell the difference.
However, I know that not everyone has the time to watch the video and just copy/paste the YAML instead. This will cause you to hit a roadblock because you missed the part about setting up the GitHub secret, Azure DevOps pipeline variable or . Here is a 2 screenshot crash-course on how to get back on track.
In your YAML, you probably have done this:
That mean you must also have the secrets in your Settings > Secrets list
You could also dynamically update the credentials of a Package Source defined in your nuget.config file This is a good option when you do not want to use a packageSourceCredentials section that uses environment variables.
# Updates a source named 'Telerik' in the nuget.config
dotnet nuget update source "Telerik" -s "https://nuget.telerik.com/v3/index.json" --configfile "src/nuget.config" -u '${{secrets.MyTelerikEmail}}' -p '${{secrets.MyTelerikPassword}}' --store-password-in-clear-textThat command will look through the nuget.config for a package source with the key Telerik and then add/update the credentials for that source.
The other approach is a bit simpler because you dont need a custom nuget.config file. Just use the dotnet nuget add source command
dotnet nuget add source 'https://nuget.telerik.com/v3/index.json' -n "AddedTelerikServer" -u ${{secrets.MyTelerikEmail}} -p ${{secrets.MyTelerikPassword}} --store-password-in-clear-textThe
--store-password-in-clear-textswitch is important. It does not mean the password is visible, rather it means that you're using the password text and not a custom encrypted variant. For more information, please visit https://docs.microsoft.com/en-us/nuget/reference/nuget-config-file#packagesourcecredentials
You can use the same approach in the previous section. Everything is exactly the same, except you use api-key for the username and the NuGet key for the password.
Please visit the Announcing NuGet Keys blog post for more details how ot create the key and how to use it.
dotnet nuget update source "Telerik" --source "https://nuget.telerik.com/v3/index.json" --configfile "src/nuget.config" --username 'api-key' --password '${{ secrets.MyNuGetKey }}' --store-password-in-clear-textCaution
Protect your key by storing it in a GitHub Secret, then use the secret's varible name in the command
When using a Dockerfile to build a .NET project that uses the Telerik NuGet server, you'll need a safe and secure way to handle your NuGet crednetials and your Telerik License Key. This can be done my mounting a Docker secret.
In your GitHub Actions workflow, you can define and set docker secrets in the docker build step. Take a look at the following example, we using GitHub secrest to set two docker secrets telerik-nuget-key=${{secrets.MY_NUGET_KEY}} and telerik-license-key=${{secrets.MY_TELERIK_LICENSE_KEY}}.
- uses: docker/build-push-action@v3
with:
secrets: |
telerik-nuget-key=${{secrets.MY_NUGET_KEY}}
telerik-license-key=${{secrets.MY_TELERIK_LICENSE_KEY}}Now, inside the Dockerfile's build stage, you can mount and use those secrets. See Stage 2 in the following example:
### STAGE 1 ###
FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/aspnet:9.0 AS base
WORKDIR /app
### STAGE 2 ###
FROM mcr.microsoft.com/dotnet/sdk:9.0 AS build
WORKDIR /src/MyApp
COPY . .
# 1. Mount the ecret and use it to add the Telerik server as a package source
RUN --mount=type=secret,id=telerik-nuget-key \
dotnet nuget add source 'https://nuget.telerik.com/v3/index.json' -n "TelerikNuGetServer" -u "api-key" -p $(cat /run/secrets/telerik-nuget-key) --store-password-in-clear-text
# 2. Restore NuGet packages
RUN dotnet restore "MyBlazorApp.csproj"
# 3. Mount the "telerik-license-key" secret as an env var and build the project
RUN --mount=type=secret,id=telerik-license-key \
TELERIK_LICENSE="$(cat /run/secrets/telerik-license-key)" \
dotnet publish "MyBlazorApp.csproj" -o /app/publish /p:UseAppHost=false --self-contained false
### STAGE 3 ###
# Build final from base, but copy ONLY THE PUBLISH ARTIFACTS from stage 2
FROM base AS final
WORKDIR /app
COPY --from=build /app/publish .
ENTRYPOINT ["dotnet", "MyBlazorApp.dll"]Caution
Only set these sensitive values in the build stage or you risk leaking secrets in the final image. Please visit the complete Dockerfile and the workflow.
Depending on how you're building our code, there are several ways to introduce the Telerik License Key at the right time for the build. Let me show you two; variable and file.
This is by far the easiest and safest way. You can use a secret (GitHub Action secret or AzDO Variable secret) and set the TELERIK_LICENSE environment variable before the project is compiled.
In a YAML workflow/pipeline, you can set the environment variable at the beginning of the job or on a step that needs it.
GH Actions
- run: dotnet publish MyApp.csproj -o /app/publish /p:UseAppHost=false --no-restore
env:
TELERIK_LICENSE: ${{secrets.TELERIK_LICENSE_KEY}}Azure Pipelines YAML
- powershell: dotnet publish MyApp.csproj -o /app/publish /p:UseAppHost=false --no-restore
displayName: 'Build and publish the project'
env:
TELERIK_LICENSE: $(MY_TELERIK_LICENSE_KEY) # AzDO pipeline secret variableIf you're using classic pipelines, you can use a pipeline variable:
Important
License key length - If you are using a Library Variable Group, there is a character limit for the variable values. The only way to have a long value in the Variable Group is to link it from Azure KeyVault. If you cannot use Azure KeyVault, then use a normal pipeline variable instead (seen above) or use the Secure File approach instead (see below).
You have two options for a file-base option. Set the TELERIK_LICENSE_PATH variable or add a file named telerik-license.txt to the project directory. The licensing runtime will do a recursive check from the project directory to root, and then finally %appdata%/telerik/.
On Azure DevOps, there is a powerful feature called Secure Files. It lets you upload a file and then use it in a pipeline. Go to your Library tab, then select Secure File
After you've uploaded the Secure File to your Azure DevOps project, you can use it in a pipeline, liek this:
Caution
Never check in the telerik-license.txt file with your code and never distr4ibute it with your application/docker image.
With a YAML pipeline, you can use the DownloadSecureFile@1 task, then use $(name.secureFilePath) to reference it. For example:
- task: DownloadSecureFile@1
name: DownloadTelerikLicenseFile # defining the 'name' is important
displayName: 'Download Telerik License Key File'
inputs:
secureFile: 'telerik-license.txt'
- task: MSBuild@1
displayName: 'Build Project'
inputs:
solution: 'myapp.csproj'
platform: Any CPU
configuration: Release
msbuildArguments: '/p:RestorePackages=false'
env:
# use the name.secureFilePath value to set the special TELERIK_LICENSE_PATH
TELERIK_LICENSE_PATH: $(DownloadTelerikLicenseFile.secureFilePath) With a classic pipeline, you'll still use the same Task, but you must manually set the output variable's name
With the secure file downlaoded to the runner, you can copy it into the solution directory:
Caution
If you distribute the source code with your artifacts, make sure you delete the copied license.txt file immediately after the build step.
Ultimately, there are many routes to take, and you can choose th eone that best suits your CI-CD needs. What is most important is that you protect the key value/file as you'd protect any sensitive secret.