Issue with dotnet restore on GitHub Actions when accessing GitHub Packages

I am facing an issue with a GitHub Actions workflow that involves dotnet restore. The repository is hosted on GitHub, and I'm trying to restore NuGet packages from a GitHub Packages source.

Here's a snippet of my GitHub Actions workflow YAML:

name: Build .NET 7 + Pack + Push NuGet

on:
  workflow_dispatch: # Allow running the workflow manually from the GitHub UI
  push:
    branches:
      - "main" # Run the workflow when pushing to the main branch
  pull_request:
    branches:
      - "main" # Run the workflow for all pull requests
  release:
    types:
      - published # Run the workflow when a new GitHub release is published

env:
  DOTNET_SKIP_FIRST_TIME_EXPERIENCE: 1
  DOTNET_NOLOGO: true
  NuGetDirectory: ${{ github.workspace }}/out

defaults:
  run:
    shell: pwsh

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
      packages: read

    steps:
      - uses: actions/labeler@v3
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN}}
    
      - name: Checkout repository
        uses: actions/checkout@v3
        with:
          fetch-depth: 0 # Get all history to allow automatic versioning using MinVer

      - name: Setup .NET
        uses: actions/setup-dotnet@v3
        with:
          dotnet-version: 7.0.x

      - name: Add GitHub NuGet Source
        id: add-nuget-source
        run: |
          dotnet nuget add source https://nuget.pkg.github.com/user/index.json -n github -u user -p ${{ secrets.GITHUB_TOKEN }} --store-password-in-clear-text
        continue-on-error: true

      - name: Restaurando Dependências
        run: dotnet restore
        #if: success() && steps.add-nuget-source.outputs.result == '0'

      - name: Build do Projeto
        run: dotnet build -c Release -o out
        
      #- name: Test
      #  run: dotnet test --no-build --verbosity normal

      # Publish the NuGet package as an artifact, so they can be used in the following jobs
      - uses: actions/upload-artifact@v3
        with:
          name: nuget
          if-no-files-found: error
          retention-days: 7
          path: ${{ env.NuGetDirectory }}/*.nupkg

  run_test:
    name: Rodando os Testes Unitários
    runs-on: ubuntu-latest
    needs: [build]
    steps:
      - uses: actions/checkout@v3
      - name: Setup .NET
        uses: actions/setup-dotnet@v3
      - name: Run tests
        run: dotnet test --configuration Release

  deploy:
    # Publish only when creating a GitHub Release
    # https://docs.github.com/en/repositories/releasing-projects-on-github/managing-releases-in-a-repository
    # You can update this logic if you want to manage releases differently
    # if: github.event_name == 'release'
    runs-on: ubuntu-latest
    needs: [run_test]
    # Download the NuGet package created in the previous job
    steps:
      - uses: actions/download-artifact@v3
        with:
          name: nuget
          path: ${{ env.NuGetDirectory }}

      - name: Publicando os pacotes Nuget
        run: |
          cd out
          dotnet nuget push "*.nupkg" --api-key "${{ secrets.NUGET_APIKEY }}" --source "${{ secrets.NUGET_SERVER }}" --skip-duplicate

The issue occurs during the dotnet restore step with the following error:

/usr/share/dotnet/sdk/8.0.100/NuGet.targets(156,5): warning : Your request could not be authenticated by the GitHub Packages service. Please ensure your access token is valid and has the appropriate scopes configured. Retrying 'FindPackagesByIdAsync' for source 'https://nuget.pkg.github.com/user/download/package/index.json'.

Additional Information:

The NuGet packages are stored in a GitHub repository, and I have configured the workflow to use the GitHub token for authentication. The issue seems to be related to authentication during the dotnet restore step. I would appreciate any guidance on how to properly configure the GitHub Actions workflow to resolve this issue. Thank you for your assistance!

There are 3 best solutions below

0
JvS On

I got the same exact error message and managed to solve it by updating the ClearTextPassword in the packageSourceCredentials for github in the nuget.config with an active token that has the read:packages permission.

<packageSourceCredentials>
    <github>
        <add key="Username" value="YourUser" />
        <add key="ClearTextPassword" value="{yourTokenWithPackageReadPermissions}" />
    </github>
</packageSourceCredentials>
0
MarkD On

I'm using package references to the org vs a repo.

You can use the nuget source add, as you did, but use a generated user PAT and store it in your repo or org actions/secrets instead of using GITHUB_TOKEN.

Odd for me that dotnet nuget push can use an api-key parameter that accepts GITHUB_TOKEN but dotnet restore seems not to be able to use that token. Even with permissions: packages:read granted on the build steps, it does not work.

- name: Add Github Source
  run: dotnet nuget add source <https://your-package-source> --name <some-name>  --username ${{ github.actor }} --password ${{secrets.PACKAGE_REGISTRY_PAT}} --store-password-in-clear-text 
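
An added example, not part of either answer above: the nuget.config from JvS's answer with the credentials read from environment variables, so the token kept in the Actions secret from MarkD's answer is neither committed to the repository nor placed on a command line. OWNER and the variable names PACKAGES_USER and PACKAGES_TOKEN are placeholders chosen for this example.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- nuget.config at the repository root (added example).
     OWNER, PACKAGES_USER and PACKAGES_TOKEN are placeholders. -->
<configuration>
  <packageSources>
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
    <add key="github" value="https://nuget.pkg.github.com/OWNER/index.json" />
  </packageSources>
  <packageSourceCredentials>
    <!-- The element name must match the key of the package source above. -->
    <github>
      <!-- NuGet expands %NAME% from the environment when it reads this file;
           the %...% form is used on Linux and macOS runners as well. -->
      <add key="Username" value="%PACKAGES_USER%" />
      <add key="ClearTextPassword" value="%PACKAGES_TOKEN%" />
    </github>
  </packageSourceCredentials>
</configuration>
<!-- Workflow side: set the variables only on the step that restores, so no
     other step sees the token and no "add source" step is needed:

       - name: Restore
         run: dotnet restore
         env:
           PACKAGES_USER: ${{ github.actor }}
           PACKAGES_TOKEN: ${{ secrets.PACKAGE_REGISTRY_PAT }}
-->
```

With the variables unset, the placeholders are not replaced with a working credential and the restore fails authentication, which is the behaviour you want on a machine that should not have access.
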
0
Vas Mil On

It seems there is a solution to your problem here: https://stackoverflow.com/a/78050829/8840033

If you are using GITHUB_TOKEN for automatic authentication you should know that you must explicitly give view permissions PER PACKAGE, PER REPOSITORY! So if you have a large volume of internal libraries you want to pull into your solution you have to go into each one and allow each package to be used by your new solution.

This takes a surprisingly large number of clicks in a large code base. I certainly hope they improve this process by granting permissions on an organization level for shared libraries, a bulk select, or command line way of granting permissions en masse.

Ensuring workflow access to your package

Alternatively, you can set the visibility of the package as internal.