fix: use dotnet nuget update source to fix 401 on private NuGet feed in Docker (#1063)

Cleanup

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: BenjaminMichaelis

.github/workflows/Build-Test-And-Deploy.yml

@@ -63,23 +63,6 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v4
 
-      - name: Generate NuGet auth config for Docker build
-        if: github.event_name != 'pull_request' && github.event_name != 'merge_group'
-        env:
-          NUGET_AUTH_TOKEN: ${{ secrets.AZURE_DEVOPS_PAT }}
-        run: |
-          cat > /tmp/nuget-auth.config << EOF
-          <?xml version="1.0" encoding="utf-8"?>
-          <configuration>
-            <packageSourceCredentials>
-              <EssentialCSharp>
-                <add key="Username" value="docker" />
-                <add key="ClearTextPassword" value="${NUGET_AUTH_TOKEN}" />
-              </EssentialCSharp>
-            </packageSourceCredentials>
-          </configuration>
-          EOF
-
 # Build but no push with a PR
       - name: Docker build (no push)
         if: github.event_name == 'pull_request' || github.event_name == 'merge_group'
@@ -99,7 +82,7 @@ jobs:
           file: ./EssentialCSharp.Web/Dockerfile
           context: .
           secrets: |
-            "id=nugetconfig,src=/tmp/nuget-auth.config"
+            "nuget_pat=${{ secrets.AZURE_DEVOPS_PAT }}"
           outputs: type=docker,dest=${{ github.workspace }}/essentialcsharpwebimage.tar
           cache-from: type=gha
           cache-to: type=gha,mode=max
@@ -109,10 +92,6 @@ jobs:
           name: essentialcsharpwebimage
           path: ${{ github.workspace }}/essentialcsharpwebimage.tar
 
-      - name: Clean up NuGet auth config
-        if: always()
-        run: rm -f /tmp/nuget-auth.config
-
   deploy-development:
     if: github.event_name != 'pull_request_target' && github.event_name != 'pull_request'
     runs-on: ubuntu-latest

EssentialCSharp.Web/Dockerfile

@@ -1,4 +1,4 @@
-#syntax=docker/dockerfile:1.2
+# syntax=docker/dockerfile:1.4
 
 FROM mcr.microsoft.com/dotnet/aspnet:10.0-noble-chiseled AS base
 WORKDIR /app
@@ -18,15 +18,19 @@ ENV ACCESS_TO_NUGET_FEED=$ACCESS_TO_NUGET_FEED
 WORKDIR /src
 COPY . .
 COPY --from=frontend-build /frontend/EssentialCSharp.Web/wwwroot/dist ./EssentialCSharp.Web/wwwroot/dist
-RUN --mount=type=secret,id=nugetconfig,required=false \
-    if [ "$ACCESS_TO_NUGET_FEED" = "true" ] && [ -f /run/secrets/nugetconfig ]; then \
-      mkdir -p ~/.nuget/config && \
-      cp /run/secrets/nugetconfig ~/.nuget/config/credentials.config; \
+RUN --mount=type=secret,id=nuget_pat,required=false \
+    if [ "$ACCESS_TO_NUGET_FEED" = "true" ] && [ ! -s /run/secrets/nuget_pat ]; then \
+      echo "ERROR: ACCESS_TO_NUGET_FEED=true but nuget_pat secret is missing or empty" >&2; exit 1; \
+    fi && \
+    if [ "$ACCESS_TO_NUGET_FEED" = "true" ]; then \
+      mkdir -p /root/.nuget/NuGet && \
+      printf '<?xml version="1.0" encoding="utf-8"?>\n<configuration>\n  <packageSourceCredentials>\n    <EssentialCSharp>\n      <add key="Username" value="az" />\n      <add key="ClearTextPassword" value="%s" />\n    </EssentialCSharp>\n  </packageSourceCredentials>\n</configuration>\n' \
+        "$(cat /run/secrets/nuget_pat)" > /root/.nuget/NuGet/NuGet.Config; \
     fi && \
     dotnet restore "EssentialCSharp.Web.slnx" -p:AccessToNugetFeed=$ACCESS_TO_NUGET_FEED && \
     dotnet build "EssentialCSharp.Web.slnx" -c Release --no-restore -p:AccessToNugetFeed=$ACCESS_TO_NUGET_FEED -p:ReleaseDateAttribute=True -p:SkipFrontendBuild=true && \
     dotnet publish "EssentialCSharp.Web.slnx" -c Release -p:PublishDir=/app/publish -p:UseAppHost=false -p:SkipFrontendBuild=true --no-build && \
-    rm -f ~/.nuget/config/credentials.config
+    rm -f /root/.nuget/NuGet/NuGet.Config
 
 FROM base AS final
 WORKDIR /app