Upstream Sources in Azure Artifacts

Understanding and Configuring Upstream Sources

Azure Artifacts allows you to connect to public registries like NuGet.org, npmjs.com, Maven Central, and Python Package Index (PyPI) as upstream sources. This enables you to use packages from these public sources directly within your Azure Artifacts feeds, consolidating your package management and providing a single point of truth for your dependencies.

Why Use Upstream Sources?

Centralized Dependency Management: Access public and private packages from a single feed.
Performance: Caching packages from upstream sources can significantly improve build times.
Security and Compliance: Control which upstream packages are available to your organization.
Offline Access: Packages are cached locally for faster retrieval and availability even when upstream is inaccessible.

Setting Up an Upstream Source

Step 1: Navigate to Your Feed

Go to your Azure DevOps project.
In the left-hand navigation pane, select Artifacts.
Choose the feed you want to configure. If you don't have one, create a new feed.

Step 2: Access Feed Settings

Once you've selected your feed, click on the Feed settings gear icon.
This will open the feed settings pane.

Step 3: Add an Upstream Source

In the feed settings, select Upstream sources from the left menu.
Click on Add upstream.
Choose from the predefined public registries (NuGet Gallery, npmjs, Maven Central, PyPI) or select Upstream (new) for a custom source.
For public registries, a name and the corresponding URL will be pre-filled.
For custom sources, provide a descriptive Name and the URL of the upstream registry.
Optionally, configure authentication if the upstream source requires it.
Click Save.

Important: When you add an upstream source, Azure Artifacts automatically sets the feed's visibility to "Upstream" for new packages. This means that if a package isn't found in your feed, Azure Artifacts will attempt to retrieve it from the configured upstream sources and cache it in your feed.

Step 4: Verify Upstream Sources

After saving, you should see your newly added upstream source listed under Upstream sources. You can reorder upstream sources to prioritize certain registries if you have multiple configured.

Step 5: Using Packages from Upstream

Once configured, you can connect your development tools (like NuGet Package Manager, npm, Maven, pip) to your Azure Artifacts feed. When you request a package that isn't in your feed, Azure Artifacts will fetch it from the upstream source and make it available.

Example: Connecting to NuGet with Upstream

To connect your .NET project, you'll typically modify your NuGet.Config file:

<configuration>
  <packageSources>
    <add key="MyAzureArtifactsFeed" value="YOUR_AZURE_ARTIFACTS_FEED_URL" />
    <!-- Other sources like nuget.org can be commented out or removed if desired -->
    <!-- <add key="NuGetOrg" value="https://api.nuget.org/v3/index.json" /> -->
  </packageSources>
</configuration>

Replace YOUR_AZURE_ARTIFACTS_FEED_URL with the actual URL provided in your Azure Artifacts feed settings.

Managing Upstream Sources

You can edit, disable, or remove upstream sources at any time from the feed settings. Reordering upstream sources is also possible, which dictates the order in which Azure Artifacts checks for packages when they are not found in the primary feed.

Conclusion

Upstream sources are a powerful feature of Azure Artifacts that streamlines package management, enhances build performance, and improves the security posture of your development workflows. By integrating public registries, you ensure that your team has access to the necessary dependencies while maintaining centralized control and visibility.