For one of our customers I am setting up CI builds that automatically publish NuGet packages to their private feed in VSTS Package Management (https://www.visualstudio.com/en-us/docs/package/overview). They are in the process of splitting up their monolithic Web Application into pieces and this is one of the steps we are taking.
One of the things I like to do when setting up a CI Build is to change the “Build job authorization scope” (https://www.visualstudio.com/en-us/docs/build/define/options#build-job-authorization-scope). The default is “Project Collection” which comes down to the entire VSTS tenant. I prefer to set it to “Current project”, which is generally more than enough.
The Builds we set up are pretty simple. We use the feature “Task Groups” (https://www.visualstudio.com/en-us/docs/build/concepts/library/task-groups) because it greatly simplifies maintenance when having more than one build that follows the same process as other builds. The tasks are:
- Get sources – Get the source code from Version Control
- NuGet restore – Restore any NuGet package references used
- Build – Run MSBuild to compile
- VsTest – Run unit tests
- NuGet Pack – Create the NuGet package (nupkg)
- NuGet Publish – Publish the package to the VSTS Package Management feed
Somehow, the last task failed every time with the error message:
Response status code does not indicate success: 403 (Forbidden).
To solve it we thought about the following:
- Does the account, in which the PAT (Personal Access Token, https://www.visualstudio.com/en-us/docs/setup-admin/team-services/use-personal-access-tokens-to-authenticate) was created for the Build Agent, have permissions in Package Management?
- Did we configure all settings correctly?
- Were we able to upload the package manually through the CLI of NuGet?
All of those were true. So, then we started thinking that it should be something regarding the Build Definition itself… I changed the “Build job authorization scope” back to “Project Collection” and voila, it worked. The reason is that when you create a Package Management feed, it exists at Team Project Collection-level and not at Team Project-level. The Build Job needs permissions there to publish so that is the reason it fails.