[CI] Fix NuGet restore: use Liara mirror (Nexus TLS chain incomplete)
mirror.soroushasadi.com serves a leaf-only TLS chain (no intermediate). .NET on Linux does not auto-fetch the intermediate via AIA like Windows does, so CI/Docker restores fail with NU1301 PartialChain. Switch the Linux build configs (CI inline config + nuget.docker.config) to the Liara mirror, which serves a complete chain. Also disable NuGetAudit to avoid the api.nuget.org (filtered) 100s timeout + NU1900 noise. Local dev nuget.config keeps Nexus primary (Windows resolves the chain). Re-add Nexus to the Linux configs once nginx serves fullchain.pem. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@@ -39,27 +39,38 @@ jobs:
|
|||||||
git fetch --depth=1 origin "${REF}"
|
git fetch --depth=1 origin "${REF}"
|
||||||
git checkout FETCH_HEAD
|
git checkout FETCH_HEAD
|
||||||
|
|
||||||
- name: Write NuGet config (Nexus)
|
- name: Write NuGet config (Liara primary; Nexus optional)
|
||||||
|
# NOTE: mirror.soroushasadi.com currently serves an incomplete TLS chain
|
||||||
|
# (leaf only, no intermediate). .NET on Linux does NOT auto-fetch the
|
||||||
|
# intermediate via AIA the way Windows does, so it fails with PartialChain.
|
||||||
|
# Liara serves a complete chain, so it is the deterministic source here.
|
||||||
|
# Re-add Nexus once nginx points ssl_certificate at fullchain.pem.
|
||||||
run: |
|
run: |
|
||||||
cat > /tmp/nuget.ci.config << 'EOF'
|
cat > /tmp/nuget.ci.config << 'EOF'
|
||||||
<?xml version="1.0" encoding="utf-8"?>
|
<?xml version="1.0" encoding="utf-8"?>
|
||||||
<configuration>
|
<configuration>
|
||||||
<packageSources>
|
<packageSources>
|
||||||
<clear />
|
<clear />
|
||||||
<add key="nexus"
|
<add key="liara"
|
||||||
value="https://mirror.soroushasadi.com/repository/nuget-group/index.json"
|
value="https://package-mirror.liara.ir/repository/nuget/index.json"
|
||||||
protocolVersion="3" />
|
protocolVersion="3" />
|
||||||
</packageSources>
|
</packageSources>
|
||||||
|
<config>
|
||||||
|
<add key="http_retry_count" value="6" />
|
||||||
|
<add key="http_retry_delay_milliseconds" value="1000" />
|
||||||
|
</config>
|
||||||
</configuration>
|
</configuration>
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
- name: Restore
|
- name: Restore
|
||||||
run: dotnet restore src/JobsMedical.Web/JobsMedical.Web.csproj --configfile /tmp/nuget.ci.config
|
# NuGetAudit=false: the audit pings api.nuget.org for CVE data, which is
|
||||||
|
# filtered in Iran (100s timeout + NU1900 noise). The mirror has the packages.
|
||||||
|
run: dotnet restore src/JobsMedical.Web/JobsMedical.Web.csproj --configfile /tmp/nuget.ci.config -p:NuGetAudit=false
|
||||||
env:
|
env:
|
||||||
DOTNET_CLI_TELEMETRY_OPTOUT: 1
|
DOTNET_CLI_TELEMETRY_OPTOUT: 1
|
||||||
|
|
||||||
- name: Build
|
- name: Build
|
||||||
run: dotnet build src/JobsMedical.Web/JobsMedical.Web.csproj --no-restore -c Release
|
run: dotnet build src/JobsMedical.Web/JobsMedical.Web.csproj --no-restore -c Release -p:NuGetAudit=false
|
||||||
|
|
||||||
# ── CD: build image → deploy on the server (push to main only) ────────────────
|
# ── CD: build image → deploy on the server (push to main only) ────────────────
|
||||||
deploy:
|
deploy:
|
||||||
|
|||||||
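Review bot: The `Restore` step now takes every package from a single third-party mirror (`package-mirror.liara.ir`) and switches off `NuGetAudit` in the same change, and nothing visible in this hunk pins what that mirror may return. If the project does not already commit a `packages.lock.json`, enabling `RestorePackagesWithLockFile` and restoring with `--locked-mode` would make restore fail when a package's content hash differs from the reviewed one. With the audit off here and in the Dockerfile restore, known-vulnerable dependencies no longer surface anywhere in this pipeline; a scheduled job on a network that can reach a vulnerability source would cover that gap. The step name also says "Nexus optional" while the written config lists only `liara`, so `Write NuGet config (Liara only)` would match what the heredoc does.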
+2
-2
@@ -3,9 +3,9 @@ FROM mirror.soroushasadi.com/dotnet/sdk:10.0 AS build
|
|||||||
WORKDIR /src
|
WORKDIR /src
|
||||||
COPY nuget.docker.config /tmp/nuget.config
|
COPY nuget.docker.config /tmp/nuget.config
|
||||||
COPY src/ ./src/
|
COPY src/ ./src/
|
||||||
RUN dotnet restore src/JobsMedical.Web/JobsMedical.Web.csproj --configfile /tmp/nuget.config
|
RUN dotnet restore src/JobsMedical.Web/JobsMedical.Web.csproj --configfile /tmp/nuget.config -p:NuGetAudit=false
|
||||||
RUN dotnet publish src/JobsMedical.Web/JobsMedical.Web.csproj -c Release -o /out --no-restore \
|
RUN dotnet publish src/JobsMedical.Web/JobsMedical.Web.csproj -c Release -o /out --no-restore \
|
||||||
/p:UseAppHost=false
|
/p:UseAppHost=false /p:NuGetAudit=false
|
||||||
|
|
||||||
FROM mirror.soroushasadi.com/dotnet/aspnet:10.0
|
FROM mirror.soroushasadi.com/dotnet/aspnet:10.0
|
||||||
WORKDIR /app
|
WORKDIR /app
|
||||||
|
|||||||
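Review bot: `/p:NuGetAudit=false` on the `dotnet publish ... --no-restore` line looks like a no-op, since the audit runs during restore and this command skips it; the same appears to hold for the `Build` step in the CI workflow. Keeping the opt-out only on the two `dotnet restore` invocations leaves fewer places to revert when the audit is switched back on. The restore line spells the switch `-p:` and the publish line `/p:`, so one spelling would read more consistently. A comment above `RUN dotnet restore`, such as `# NuGetAudit off: api.nuget.org is unreachable from the build network`, would record why the image is built without the audit.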
+10
-2
@@ -1,9 +1,17 @@
|
|||||||
<?xml version="1.0" encoding="utf-8"?>
|
<?xml version="1.0" encoding="utf-8"?>
|
||||||
|
<!--
|
||||||
|
NuGet source for the Docker image build (Linux .NET — runs `dotnet restore`
|
||||||
|
inside the SDK container). Uses the Liara mirror because it serves a complete
|
||||||
|
TLS chain. mirror.soroushasadi.com currently serves a leaf-only chain, which
|
||||||
|
.NET on Linux rejects with PartialChain (Windows auto-fetches the missing
|
||||||
|
intermediate via AIA; Linux does not). Re-add Nexus once nginx serves
|
||||||
|
fullchain.pem for mirror.soroushasadi.com.
|
||||||
|
-->
|
||||||
<configuration>
|
<configuration>
|
||||||
<packageSources>
|
<packageSources>
|
||||||
<clear />
|
<clear />
|
||||||
<add key="nexus"
|
<add key="liara"
|
||||||
value="https://mirror.soroushasadi.com/repository/nuget-group/index.json"
|
value="https://package-mirror.liara.ir/repository/nuget/index.json"
|
||||||
protocolVersion="3" />
|
protocolVersion="3" />
|
||||||
</packageSources>
|
</packageSources>
|
||||||
<config>
|
<config>
|
||||||
|
|||||||
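Review bot: The new header comment explains the TLS reason for the source change but not that the Dockerfile now restores against this file with `NuGetAudit=false`, so a reader of the config alone cannot tell the vulnerability audit is off. Adding a line such as `Restore runs with NuGetAudit=false because api.nuget.org is unreachable from the build network.` would keep both temporary workarounds visible in one place. The same source list is duplicated in the CI heredoc (`/tmp/nuget.ci.config`); if the two are meant to stay identical, pointing the CI restore at this file via `--configfile` would prevent drift. The `<config>` element's body lies outside the hunk, so whether its settings match the CI copy cannot be seen here.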