CI/CD Pipelines

Push packages to Feedz and restore from private repositories in GitHub Actions, Azure Pipelines, and other CI/CD systems.

Authentication

Always use a service account token in CI/CD pipelines rather than a personal access token. Service account tokens are scoped to specific teams and can be revoked independently of any individual's access.

Store the token as a secret in your CI/CD system and pass it via an environment variable — never hardcode it in pipeline configuration files.

NuGet

Pushing a package

GitHub Actions:

- name: Push to Feedz
  run: |
    dotnet nuget push "**/*.nupkg" \
      --source https://f.feedz.io/my-org/my-repo/nuget/index.json \
      --api-key ${{ secrets.FEEDZ_TOKEN }} \
      --skip-duplicate

Azure Pipelines:

# Add a NuGet service connection in Azure DevOps pointing at
# https://f.feedz.io/my-org/my-repo/nuget/index.json
- task: NuGetAuthenticate@1
  inputs:
    nuGetServiceConnections: feedz

- task: DotNetCoreCLI@2
  inputs:
    command: push
    packagesToPush: $(Build.ArtifactStagingDirectory)/**/*.nupkg
    nuGetFeedType: external
    publishFeedCredentials: feedz

Restoring from a private repository

GitHub Actions:

- name: Add Feedz source
  run: |
    dotnet nuget add source https://f.feedz.io/my-org/my-repo/nuget/index.json \
      --name feedz \
      --username x \
      --password ${{ secrets.FEEDZ_TOKEN }} \
      --store-password-in-clear-text

- name: Restore
  run: dotnet restore

Azure Pipelines:

- task: NuGetAuthenticate@1
  inputs:
    nuGetServiceConnections: feedz

- task: DotNetCoreCLI@2
  inputs:
    command: restore
    feedsToUse: config
    nugetConfigPath: NuGet.config

For GitHub Actions, the username is ignored — any non-empty string works. The --store-password-in-clear-text flag is required because Linux runners do not have a credential store. For Azure Pipelines, credentials are injected automatically by the NuGetAuthenticate task — declare the Feedz source in NuGet.config without credentials.

TeamCity

Add a NuGet feed under Administration → NuGet Settings → Feed using the Feedz NuGet v3 URL (https://f.feedz.io/my-org/my-repo/nuget/index.json). Store the service account token as a TeamCity secret and reference it as the feed credential. The standard NuGet Publish and NuGet Installer build steps will work without further changes.

npm

Publishing a package

GitHub Actions:

- name: Publish to Feedz
  run: npm publish
  env:
    NPM_CONFIG_//f.feedz.io/my-org/my-repo/npm/:_authToken: ${{ secrets.FEEDZ_TOKEN }}

Azure Pipelines:

- script: npm publish
  displayName: Publish to Feedz
  env:
    NPM_CONFIG_//f.feedz.io/my-org/my-repo/npm/:_authToken: $(FEEDZ_TOKEN)

Installing from a private repository

GitHub Actions:

- name: Install packages
  run: npm install
  env:
    NPM_CONFIG_//f.feedz.io/my-org/my-repo/npm/:_authToken: ${{ secrets.FEEDZ_TOKEN }}

Azure Pipelines:

- script: npm install
  displayName: Install packages
  env:
    NPM_CONFIG_//f.feedz.io/my-org/my-repo/npm/:_authToken: $(FEEDZ_TOKEN)

Setting the token via the NPM_CONFIG_ environment variable prefix avoids writing credentials to .npmrc on disk. The variable name encodes the registry URL with colons replaced by underscores.

Other systems

For any CI/CD system that supports environment variables and shell commands, the general pattern is:

  1. Store the service account token as a CI secret (e.g. FEEDZ_TOKEN)
  2. For NuGet: use dotnet nuget push --api-key $FEEDZ_TOKEN
  3. For npm: set NPM_CONFIG_//f.feedz.io/my-org/my-repo/npm/:_authToken as an environment variable
  4. For generic packages: use feedz.exe push --pat $FEEDZ_TOKEN via the Feedz CLI
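
One way to enforce the rule from the Authentication section that the token is never hardcoded, as an added example that is not part of the Feedz documentation or tooling: a shell check that scans pipeline files for the credential parameters shown on this page and flags any whose value is a literal instead of a secret or variable reference. The function names and the literal token strings in the sample are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Feedz tooling. Flags the credential parameters used on
# this page (--api-key, --password, --pat, _authToken) when their value is a
# literal instead of a CI secret or variable reference.

# find_hardcoded_tokens FILE...
# Prints "file:line: text" per finding; returns 1 if anything was flagged.
find_hardcoded_tokens() {
  awk '
    match($0, /(--api-key|--password|--pat|_authToken)[ \t:="]+/) {
      val = substr($0, RSTART + RLENGTH)
      # Accepted references all start with "$":
      #   ${{ secrets.X }}   $(X)   $X   ${X}
      # An empty value or a lone "\" means the value is on the next line.
      if (val !~ /^\$/ && val !~ /^\\?$/) {
        printf "%s:%d: %s\n", FILENAME, FNR, $0
        bad = 1
      }
    }
    END { exit bad }
  ' "$@"
}

# write_sample PATH: constructed pipeline fragment; token values are made up.
write_sample() {
  cat > "$1" <<'EOF'
- name: Push to Feedz
  run: |
    dotnet nuget push "**/*.nupkg" \
      --source https://f.feedz.io/my-org/my-repo/nuget/index.json \
      --api-key ${{ secrets.FEEDZ_TOKEN }} \
      --skip-duplicate
- script: npm publish
  env:
    NPM_CONFIG_//f.feedz.io/my-org/my-repo/npm/:_authToken: $(FEEDZ_TOKEN)
- script: feedz.exe push --pat T-CONSTRUCTED-EXAMPLE-VALUE
- script: dotnet nuget push pkg.nupkg --api-key "CONSTRUCTED-LITERAL" --skip-duplicate
EOF
}

# Scan the files given on the command line, e.g. as a pre-merge check.
[ "$#" -eq 0 ] || find_hardcoded_tokens "$@"
```

Run it against pipeline definitions, NuGet.config and .npmrc files in the repository; a non-zero exit status fails the check.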