HOWTO: Approve and Promote Open-source Packages
  • 18 Jan 2022
  • 4 Minutes to read

How to Approve and Promote Open-source Packages in ProGet

In ProGet, package promotion is simply a process of copying a package from one feed into another, and keeping a record of that promotion. There are generally two situations when you would want to promote a package.

  1. You have an open source package that's passed its verification process (i.e. acceptable license, no severe vulnerabilities, and high quality).
  2. You have an in-house package that's passed testing and is ready for production.

Without package promotion over multiple feeds, it's difficult (if not impossible) to ensure only approved and verified packages are used in the right environments.

This article will walk you through a common scenario of promoting open source NuGet packages. We'll use NuGet packages from, along with unapproved-nuget and approved-nuget feeds, but these steps apply to any type of package.

Step 1: Create Feed: unapproved-nuget

First, we'll create an unapproved-nuget feed where unverified packages from will be stored.

Create New Feed "unapproved-nuget"

Note that feed usage is set to "Free/Open Source packages", since it will be connecting to

Step 2: Create Connector to

Now that the feed is created, we need to connect it to so it can pull public packages. After creating feeds, ProGet will prompt to create a connector, so we can simply click "Create Connector" and save.

Create a Connector to NuGet

Now that the unapproved-nuget feed is connected to, public packages can be downloaded and pulled.

Not everyone needs access to this feed, so in a later step we'll configure permissions for it.

Step 3: Create Feed: approved-nuget

For a package to be promoted from one feed to another, there must be multiple feeds. So, for this example, we'll create a second feed in the same way by first selecting NuGet.

We'll name the feed approved-nuget and select "Validated/promoted packages" for the feed usage. This is where verified and approved packages will be promoted to.

Create New Feed "approved-nuget"

Step 4: Configure a Package Promotion Pipeline

A package promotion pipeline is an optional practice to limit which feed packages can be promoted to. This ensures that packages promoted from a non-production feed (like Testing) can only be promoted to a production feed.

To set up a package promotion pipeline, we'll navigate to Feeds > unapproved-nuget > Manage Feed > Other Settings, then click Promote to Feed and select approved-nuget.

Create a Promotion Pipeline in ProGet

Now packages from unapproved-nuget can only be promoted to the approved-nuget feed.

Step 5: Set Permissions

There are many ways to configure security access controls for users and groups in ProGet. For this example, we'll say that only senior developers can promote packages to the approved-nuget feed, since they're trained to verify the quality, licenses, and vulnerabilities of open-source packages. To enforce this rule, we'll set up a new permission. By default, only administrators have assigned permissions.

To start, navigate to Settings > Users & Tasks > Tasks. Here you'll see many different levels of permissions.


For this example, we'll click on "Add Permissions" and fill out the following dialog to give the "Senior Developers" user group permission to "Promote Packages" from the unapproved-nuget feed.


Next, we'll give the "Developers" user group permission to "View and Download" packages from the approved-nuget feed in the same way.

How to Promote Packages

Promoting packages implies that someone approved a package, often after following an internal process that involves checking the license, vulnerabilities, and quality. ProGet's integrated license and vulnerability scanning can help by automating the scanning and verification, but there's usually human judgement involved.

Example: Newtonsoft.Json

Most organizations would find the Newtonsoft.Json NuGet package to be acceptable in terms of license, vulnerabilities, and quality. This package is easy to find in the unapproved-nuget feed created earlier:


The promotion process is quite simple: navigate to the package, click "promote", and then fill in the dialog:

Promote Package in ProGet

Since we configured a promotion pipeline earlier, this package can only be promoted to the approved-nuget feed. Without that configured, there would be a choice of feeds to promote to.

After clicking promote, the package will now be available in the approved-nuget feed for all "Developers" to view and download.

Approved Json Package

Package promotion can also be done using the Package Promotion API. The API usage is limited to paid users, however.
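The following is an added example, not code from the article or from Inedo, showing how a script-driven promotion can enforce the same verification rules (acceptable license, no severe vulnerabilities) before calling the Package Promotion API. The endpoint path `/api/promotions/promote`, the query parameters (`packageName`, `version`, `fromFeed`, `toFeed`, `comments`) and the `X-ApiKey` header are taken from my understanding of ProGet's API documentation and should be checked against your ProGet version; the policy values, the package report, and the server URL are constructed for the example.

```python
"""Gate a NuGet package on a verification policy, then promote it via the ProGet API.

Added example; endpoint and parameter names are assumptions to verify against
ProGet's Package Promotion API documentation for your version.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import urllib.parse
import urllib.request

# Constructed policy: what an organization's "senior developer" checklist might encode.
APPROVED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}
BLOCKING_SEVERITIES = {"Critical", "High"}


@dataclass
class PackageReport:
    """Verification data gathered for one package version (constructed shape)."""
    name: str
    version: str
    license: Optional[str]                 # SPDX identifier, or None if unknown
    vulnerabilities: List[Tuple[str, str]]  # (advisory id, severity)


def evaluate_package(report: PackageReport) -> Tuple[bool, List[str]]:
    """Return (approved, reasons). An empty reasons list means the package may be promoted."""
    reasons: List[str] = []
    if report.license is None:
        reasons.append("license could not be determined")
    elif report.license not in APPROVED_LICENSES:
        reasons.append(f"license {report.license} is not on the allow-list")
    for advisory_id, severity in report.vulnerabilities:
        if severity in BLOCKING_SEVERITIES:
            reasons.append(f"{severity} vulnerability {advisory_id} is unresolved")
    return (not reasons, reasons)


def build_promotion_request(base_url: str, api_key: str, report: PackageReport,
                            from_feed: str, to_feed: str, comments: str) -> Dict[str, object]:
    """Describe the HTTP call for the Package Promotion API (assumed endpoint and parameters)."""
    params = {
        "packageName": report.name,
        "version": report.version,
        "fromFeed": from_feed,
        "toFeed": to_feed,
        "comments": comments,
    }
    url = f"{base_url.rstrip('/')}/api/promotions/promote?{urllib.parse.urlencode(params)}"
    # The API key is sent as a header, never in the query string, so it stays out of access logs.
    return {"method": "POST", "url": url, "headers": {"X-ApiKey": api_key}}


def promote_if_approved(base_url: str, api_key: str, report: PackageReport,
                        from_feed: str, to_feed: str, comments: str) -> int:
    """Refuse to promote a package that fails policy; otherwise send the request and return the HTTP status."""
    approved, reasons = evaluate_package(report)
    if not approved:
        raise PermissionError(f"{report.name} {report.version} not promotable: " + "; ".join(reasons))
    spec = build_promotion_request(base_url, api_key, report, from_feed, to_feed, comments)
    req = urllib.request.Request(spec["url"], method=spec["method"], headers=spec["headers"])
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed reports: one clean package and one that fails both checks.
    clean = PackageReport("Newtonsoft.Json", "13.0.1", "MIT", [])
    blocked = PackageReport("Example.Pkg", "1.0.0", "GPL-3.0-only", [("ADV-0001", "High")])
    for r in (clean, blocked):
        print(r.name, evaluate_package(r))
    # Uncomment with a real server and key to promote (assumed API):
    # promote_if_approved("https://proget.example.internal", "<api-key>", clean,
    #                     "unapproved-nuget", "approved-nuget", "License and vulnerability review passed")
```

The policy check is deliberately separate from the HTTP call so the same `evaluate_package` decision can be logged alongside the promotion record ProGet keeps, and so a failed check never reaches the API at all.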

Viewing Promotion History

ProGet keeps a package history that outlines what actions were taken and by whom. To view this history, navigate to the package and click the "History" tab.

The history is tracked across both feeds, and shows where packages have been promoted from and to.

Free users will only be able to see the action taken and the date, and NOT the user and where the package was promoted to/from.

Advanced: Repackaging

You can also use package promotion with prerelease packages and repackaging. This is best for packages you develop in-house, and it's essentially done by creating a CI package, repackaging it to an RC package, and then repackaging and promoting it once more to a stable package in a different feed.
