How to Approve and Promote Open-source Packages in ProGet

In ProGet, package promotion is simply a process of copying a package from one feed into another, and keeping a record of that promotion. There are generally two situations when you would want to promote a package.

1. You have an open source package that's passed its verification process (i.e. acceptable license, no severe vulnerabilities, and high quality).
2. You have an in-house package that's passed testing and is ready for production.

Without package promotion over multiple feeds, it's difficult (if not impossible) to ensure only approved and verified packages are used in the right environments.

This article will walk you through a common scenario of promoting open source NuGet packages. We'll use NuGet packages from NuGet.org, along with an unapproved-nuget and approved-nuget feed, but these steps can apply to any type of packages.

Step 1: Create Feed: unapproved-nuget

First, we'll create an unapproved-nuget feed where unverified packages from NuGet.org will be stored.

Note that feed usage is set to "Free/Open Source packages", since it will be connecting to NuGet.org.

Step 2: Create Connector to NuGet.org

Now that the feed is created, we need to connect it to NuGet.org so it can pull public packages. After creating feeds, ProGet will prompt to create a connector, so we can simply click "Create Connector" and save.

Now that the unapproved-nuget feed is connected to NuGet.org, public packages can be downloaded and pulled.

Not everyone needs access to this feed, so in a later step we'll configure permissions and permissions.

Step 3: Create Feed: approved-nuget

For a package to be promoted from one feed to another, there must be multiple feeds. So, for this example, we'll create a second feed in the same way by first selecting NuGet.

We'll name the feed approved-nuget and select "Validated/promoted" packages" for the feed usage. This is where verified and approved packages will be promoted to.

Step 4: Configure a Package Promotion Pipeline

A package promotion pipeline is an optional practice to limit which feed packages can be promoted to. This ensures that packages promoted from a non-production feed (like Testing) can only be promoted to a production feed.

To set up a package promotion pipeline, we'll navigate to Feeds > unapproved-nuget > Manage Feed > Other Settings, then click Promote to Feed and select approved-nuget.

Now packages from unapproved-nuget can only be promoted to the approved-nuget feed.

Step 5: Set Permissions

There are many ways to configure security access controls for uses and groups in ProGet. For this example, we'll say that only senior developers can promote packages to approved-nuget feed since they're trained to verify the quality, licenses, and vulnerabilities of open-source packages. To ensure this rule, we'll set up a new permission. By default, only administrators have assigned permissions.

To start, navigate to Settings > Users & Tasks > Tasks. Here you'll see many different levels of permissions.

For this example, we'll click on "Add Permissions" and fill out the following dialog to give the "Senior Developers" user group permission to "Promote Packages" from the unapproved-nuget feed.

Next, we'll give the "Developers" user group permission to "View and Download" packages from the approved-nuget feed in the same way.

How to Promote Packages

Promoting packages implies that someone approved a package, often after following an internal process that involves checking the license, vulnerabilities, and quality. ProGet's integrated license and vulnerability scanning can help by automating the scanning and verification, but there's usually human judgement involved.

Example: Newtonsoft.Json

Most organizations would find the Newtonsoft.Json NuGet package to be acceptable in terms of license, vulnerabilities, and quality. This package is pretty easy to find in the unapproved-nuget feed earlier:

The promotion process is quite simple: just simply navigate to the package, click on "promote", and then fill in the dialog:

Since we configured a promotion pipeline earlier, this package can only be promoted to the approved-nuget feed. Without that configured, there would be a choice of feeds to promote to.

After clicking promote, the package will now be available in the approved-nuget feed for all "Developers" to view and download.

Package promotion can also be done using the Package Promotion API. The API usage is limited to paid users, however.

Viewing Promotion History

ProGet keeps a package history that outlines what actions were taken by whom. To view this history, navigate to package and click the "History" tab.

The history tracks over both feeds, and shows where packages have been promote from and to.

Advanced: Repackaging

You can also use package promotion with prerelease packages and repackaging. This is best for packages you develop in-house, and it's essentially done by creating a CI package, repackaging it to an RC package, and then repackaging and promoting it once more to a stable package in a different feed.