Azure Artifacts Usage

Azure Artifacts allows you to create, host, and share packages with your team. It integrates seamlessly with Azure DevOps, enabling you to manage dependencies for various package types, including NuGet, npm, Maven, and Python packages.

Getting Started with Azure Artifacts

This section will guide you through setting up and using Azure Artifacts for your projects.

Prerequisites

• An Azure DevOps organization and project.
• Permissions to manage feeds within your project.

Creating a Feed

A feed is a repository for your packages. You can create public or private feeds.

Connecting to Your Feed

Once your feed is created, you need to configure your development tools to connect to it.

For NuGet Packages (using dotnet CLI)

1. Add your feed as a NuGet source:

   dotnet nuget add source "https://pkgs.dev.azure.com/[YourOrganization]/_packaging/[YourFeedName]/nuget/v3/index.json" --name "[YourFeedName]" --store-password-in-clear-text

   Replace [YourOrganization] and [YourFeedName] with your actual Azure DevOps organization and feed names.

2. Authenticate (if prompted):

   You might be prompted for your Azure DevOps credentials. Use a Personal Access Token (PAT) with appropriate permissions (e.g., Packaging Read) for better security.

3. Restore packages:

   dotnet restore

For npm Packages

1. Configure .npmrc:

   In the root of your project, create or modify the .npmrc file.

   registry=https://pkgs.dev.azure.com/[YourOrganization]/_packaging/[YourFeedName]/npm/registry/
   always-auth=true
   

   You may need to add authentication details depending on your setup, often handled by the azure-devops-cli or a specific npm credential provider.

2. Install packages:

   npm install

Publishing Packages

Publishing your own packages to Azure Artifacts is straightforward.

Publishing a NuGet Package

1. Build your package:

   dotnet pack --configuration Release

2. Publish to your feed:

   dotnet nuget push bin/Release/[YourPackageName].[YourPackageVersion].nupkg --source "[YourFeedName]" --api-key AzureDevOps

   The --api-key value can be anything when pushing to Azure Artifacts, but AzureDevOps is a common convention.

Publishing an npm Package

1. Login to your feed:

   Use the Azure DevOps CLI extension or manually configure authentication in your .npmrc.

   npm login --registry https://pkgs.dev.azure.com/[YourOrganization]/_packaging/[YourFeedName]/npm/registry/

   You will be prompted for username and password (use a PAT for the password).

2. Publish:

   npm publish

Using Upstream Sources

Upstream sources allow your feed to pull packages from external registries. This acts as a centralized cache for your project dependencies.

• When creating a feed, you can select pre-configured upstreams like npmjs.com, NuGet.org, PyPI.org, or add custom ones.
• When a package is requested from your feed but not found, Azure Artifacts checks the configured upstreams. If found, it downloads and caches the package in your feed, making subsequent requests faster.

Permissions and Access Control

You can manage who can contribute to and consume packages from your feeds:

• Feed administrators can manage feed settings and permissions.
• Permissions can be granted to individual users or Azure AD groups.
• Common roles include Contributor (to publish packages) and Reader (to consume packages).

Best Practices

• Use descriptive names for your feeds.
• Leverage upstream sources to manage external dependencies efficiently.
• Use Personal Access Tokens (PATs) with least-privilege permissions for authentication.
• Consider a release feed strategy, where you publish stable versions to a dedicated release feed.
• Regularly review feed permissions.

Azure Artifacts is a powerful tool for managing your software supply chain within Azure DevOps. By following these steps, you can effectively host and consume packages, improving your team's productivity and the consistency of your build and release pipelines.