Jenkins CI and Azure DevOps with git and NuGet feed

I was building Jenkins pipeline last week and had to research how can I build dotnet code from Azure DevOps Git repository and use Azure DevOps NuGet feed. Despite the promise of harmony perfectness with Jenkins and Azure DevOps, there’s no connector between Jenkins and Azure DevOps Artifacts. Also, integration requires continuous maintenance because of Personal Access Token (PAT) temporality.

But if you really need, see how I implemented my Jenkins + Azure DevOps Artifacts and Git integration.

What credentials are needed?

You have to create 3 types of a token:

  1. Jenkins API Token for Azure DevOps Service Hook. It’s used to trigger Jenkins build after code is pushed. Jenkins user owning this API token should have permissions: Overall(Read), Job(Build), Job(Read).
  2. Azure DevOps Personal Access Token (PAT) for accessing Git repository from Jenkins. When you create this PAT add the Code(read) scope to it. Expiration up to 1 year.
  3. Azure DevOps Personal Access Token (PAT) for accessing NuGet feed. This PAT is created automatically by Azure Artifacts Credential Provider and has scope Packaging(Read & write). Expires after 3 months.

So, the first thing you probably have to do is create Jenkins build user and temporarily keep its password because you have to log in under its account to create API token on Jenkins side. I discourage you from using your personal user account because whether you leave company builds shouldn’t stop working.

(Upd. 2019/08/21: Look the fresh article to know how to avoid PAT from 3rd point).

Make NuGet looking for packages in Azure DevOps

Create NuGet.Config

In the root of a project, I make NuGet.Config file with settings like:

<?xml version="1.0" encoding="utf-8"?&gt;
<configuration&gt;
    <packageSources&gt;
        <clear /&gt; <!-- ensure only the sources defined below are used --&gt;
        <add key="YourFeedName" value="https://YourOrgName.pkgs.visualstudio.com/_packaging/YourFeedName/nuget/v3/index.json" /&gt;
    </packageSources&gt;
</configuration&gt;

You shouldn’t care about NuGet configuration in profiles of developers or build agents and the easiest way to avoid the care is to manage it as code.

Authorize with Azure Artifacts Credential Provider

Just configuration is not enough, you need authorization. You have to deploy Azure Artifacts Credential Provider and authorize under profile of Jenkins build agent.

  1. Download Azure Artifacts Credential Provider (windows, linux / mac).
  2. Unpack it under %userprofile%\.nuget\ (Windows) or $HOME/.nuget/ (Linux / Mac).
  3. Execute: dotnet restore --interactive
  4. Go to https://microsoft.com/devicelogin, enter the code displayed by previous CLI command then authenticate.

When authorization is made PAT with scope Packaging(Read & write) is created for 3 months and stored under %appdata%\Local\MicrosoftCredentialProvider\ (Windows) or $HOME/.local/share/MicrosoftCredentialProvider/ (Linux / Mac).

(Upd. 2019/08/21: Download and unpack, don’t execute .. --interactive. Look the fresh article to know a way to have only one PAT for Azure DevOps instead of two).

Make Jenkins able to pull from Azure DevOps Git repository

  1. Manually create PAT with scope Code(read). You can set expiration up to 1 year for it.
  2. On Jenkins master create credentials. As login use your Azure DevOps (Azure AD / Microsoft account) user login (whose PAT was created).
  3. When configuring build project, use this credentials.

Create Jenkins build project

You have to do it before creating an Azure DevOps service hook.

Make Azure DevOps triggering Jenkins when code pushed

  1. Login to Jenkins under the build user account. I appealed to make it at the beginning of this article (you can reset it’s password any time).
  2. Create an API token (give it a meaningful name) and copy to the buffer.
  3. Go to Azure DevOps at /<project>/_settings/serviceHooks and create the hook you need.

(Upd. 2019/08/21: Now, with Jenkins pipelines I use Trigger Git build service hook instead of Trigger generic build. It doesn’t require you to create a trigger instance for every project, build job should be Multibranch Pipeline).

Recap

  1. Create a Jenkins build user.
  2. Create NuGet.Config in the code repository.
  3. Configure NuGet authorization in the profile of a Jenkins build agent.
  4. Create PAT for Jenkins to pull from Azure DevOps Git repository.
  5. (Upd. 2019/08/21: not recommended) create PAT under Jenkins build user account.
  6. Create a service hook in Azure DevOps.

(Upd. 2019/08/21: Look the fresh article to know how to avoid PAT from 5th point).

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: