HOWTO: Approve and Promote Open-source Packages

In ProGet, package promotion is simply a process of copying a package from one feed into another, and keeping a record of that promotion. This is a reliable way to ensure that only approved and verified packages are used in the right environments.

This article will walk you through a common scenario of promoting open-source NuGet packages. We'll use one feed that proxies packages from NuGet.org for "unapproved" packages, and another feed for "approved" packages. We'll use NuGet packages in this example, but these steps apply to any type of package.

Step 1: Create a new feed

The first thing we'll be doing is creating a NuGet feed where unapproved packages from "NuGet.org" are proxied using a connector. If you already have an existing NuGet package feed like this set up, you can skip to Step 3 to create a second feed for promoting your approved packages.

We start by selecting "Feed" and "Create New Feed."

Create New Feed

As we will be using packages from NuGet.org, we select "NuGet (.NET) Packages".

Create NuGet Feed

Step 2: Configure and name feed

After selecting the feed type, we’ll specify that the feed will connect directly to NuGet.org.

Nuget Connector

We then name our feed. In this example, we will name it public-nuget, as it will proxy OSS NuGet packages.

Name Public Feed

Finally, we select "Create New Feed", which will create and redirect us to our public-nuget feed, populated with OSS packages.

Public Feed Details

Step 3: Create a second feed

Now that our public-nuget feed has been created, we'll create a second feed for approved packages that have been promoted.

Just like in Step 1, start by selecting "Feed" and then "Create New Feed". Since we'll be promoting packages from our public-nuget feed, choose "NuGet (.NET) Packages".

Next, we'll indicate that this feed is for promoted packages by selecting "Validated/promoted NuGet (.NET) Packages".

Nuget Promoted

Again, we name our feed. This time, we'll name it approved-nuget.

Name Approved Feed

Select "Create New Feed" to create the approved-nuget feed and be redirected to it, ready to receive promoted packages.

Approved Feed Details

Step 4: Set Permissions

There are many ways to configure security access controls for users and groups in ProGet. For this example, we want to permit only "Senior Developers" to promote packages to the approved-nuget feed, since they're trained to verify the quality, licenses, and vulnerabilities of open-source packages. To enforce this rule, we'll set up a new permission. By default, only "Administrators" have assigned permissions.

To start, we navigate to "Administration Overview" > "Manage Security".

Manage Security

We then navigate to the "Tasks/Permissions" tab, listing the currently configured permissions, and select "add permission".

Tasks / Permissions

Next, we will fill out the following dialog to give the "Senior Developers" user group permission to "Promote Packages" from the public-nuget feed.

Permit Senior Developers

Following the same steps, we will also give the "Developers" user group permission to "View and Download" packages from the approved-nuget feed.

Permit Developers

After saving these two privileges, our task overview page looks like this:

Overview

Step 5: Promote Packages

Promoting packages implies that someone approves a package, often after following an internal process that involves checking the license, vulnerabilities, and quality.

ProGet's integrated license and vulnerability scanning can help by automating the scanning and verification, but there's usually human judgment involved.

Example: Newtonsoft.Json

Most organizations would find the Newtonsoft.Json NuGet package to be acceptable in terms of license, vulnerabilities, and quality. This guide will demonstrate how we would promote this package.

We start by clicking the "version number" (in this case 13.0.3) to direct us to the package page, and then simply select "Promote Package" from the drop-down menu on the right side.

Select Promote Package

From here, we'll select our approved-nuget feed and fill out the dialog box with any comments, and finally select "Promote".

Promote Package in ProGet

After clicking "Promote", the package will now be available in the approved-nuget feed for all "Developers" to view and download.

Approved Feed

Package promotion can also be done using the Package Promotion API. The API usage is limited to paid users, however.

Viewing Promotion History

ProGet keeps a package history that outlines what actions were taken by whom. For example, to view the history of the "Newtonsoft.Json" package, we navigate to the package page and click the "History" tab.

Promotion History

The history spans both feeds, and shows us that we promoted this package from public-nuget to approved-nuget.
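The promotion step from Step 5 and the history check above, as an added Python example that is not part of the original article or of ProGet itself: it builds a promotion request that insists on an approval comment, submits it over the Promotion API, and audits the approved feed for packages that have no promotion record. The endpoint path (`/api/promotions/promote`), the `X-ApiKey` header and the JSON field names are assumptions modelled on ProGet's documented API; the sample records are constructed.

```python
import json
import urllib.request

# Endpoint, header and field names below are assumptions modelled on ProGet's
# documented Package Promotion API; they are not taken from this page.
PROMOTE_PATH = "/api/promotions/promote"


def build_promotion_payload(package_name, version, from_feed, to_feed, comments):
    """Build the promotion body and enforce the approval gate: source and
    target feeds must differ, and a comment is required so the history
    records why the package was approved."""
    if from_feed == to_feed:
        raise ValueError("from_feed and to_feed must be different feeds")
    if not comments.strip():
        raise ValueError("an approval comment is required for the promotion record")
    return {"packageName": package_name, "version": version,
            "fromFeed": from_feed, "toFeed": to_feed, "comments": comments}


def promote(base_url, api_key, payload):
    """POST the promotion; the key must belong to a principal holding
    'Promote Packages' on the source feed (Step 4)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + PROMOTE_PATH,
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json", "X-ApiKey": api_key},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.status


def find_unrecorded_packages(approved_packages, promotion_records, to_feed):
    """Audit the approved feed: each (name, version) present should match a
    promotion record into that feed. Leftovers arrived another way
    (e.g. a direct push bypassing the gate) and deserve a look."""
    recorded = {(r["packageName"], r["version"])
                for r in promotion_records if r["toFeed"] == to_feed}
    return sorted(set(approved_packages) - recorded)


# Constructed sample data (not real ProGet output) for the audit check.
SAMPLE_RECORDS = [{"packageName": "Newtonsoft.Json", "version": "13.0.3",
                   "fromFeed": "public-nuget", "toFeed": "approved-nuget",
                   "user": "senior.dev", "comments": "MIT license, no known CVEs"}]
SAMPLE_APPROVED_FEED = [("Newtonsoft.Json", "13.0.3"), ("SomeLib", "1.0.0")]
```

Running `find_unrecorded_packages(SAMPLE_APPROVED_FEED, SAMPLE_RECORDS, "approved-nuget")` flags `SomeLib 1.0.0`, which sits in the approved feed without ever having been promoted into it.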

Advanced: Repackaging

Package promotion can also be used with prerelease packages and repackaging. This is best for packages developed in-house, and is done by creating a CI package, repackaging it to an RC package, and then repackaging and promoting it once more to a stable package in a different feed.