I have been having CodeQL failures on some of my .NET applications and it seems like it is linked to an upgrade from Ubuntu 22.04 to 24.04 per the latest update for the runner image. I looked at the runner image and it no longer has NuGet as a package manager. Unfortunately, the dotnet nuget doesn't work for me since I have a specific nuget.config file that uses 3rd party repositories that require authentication. Is this something that can be added to the image or will I need to follow the guidance from Microsoft at https://learn.microsoft.com/en-us/nuget/install-nuget-client-tools?tabs=macos#cli-tools to update each of my workflows to ensure that NuGet exists on the image?
Not sure if this qualifies as a regression, but the update to 24.04 is missing the NuGet package manager
Expected behavior
NuGet should be installed or a warning when transitioning from versions of Ubuntu should be available so a correction can be made as I have stated above.
Actual behavior
| nuget restore myproject.csproj -ConfigFile nuget.con …
| ~~~~~
| The term 'nuget' is not recognized as a name of a cmdlet, function,
| script file, or executable program. Check the spelling of the name, or
| if a path was included, verify that the path is correct and try again.
Repro steps
Create a .NET project, console is easiest, that has a nuget.config file in the repository
Add a CodeQL configuration file as follows:
```yaml
# For most projects, this workflow file will not need changing; you simply need
# to commit it to your repository.
#
# You may wish to alter this file to override the set of languages analyzed,
# or to provide custom queries or build logic.
#
# ******** NOTE ********
# We have attempted to detect the languages in your repository. Please check
# the `language` matrix defined below to confirm you have the correct set of
# supported CodeQL languages.
#
name: "CodeQL"

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
  schedule:
    - cron: '18 13 * * 5'

jobs:
  analyze:
    name: Analyze
    # Runner size impacts CodeQL analysis time. To learn more, please see:
    #   - https://gh.io/recommended-hardware-resources-for-running-codeql
    #   - https://gh.io/supported-runners-and-hardware-resources
    #   - https://gh.io/using-larger-runners
    # Consider using larger runners for possible analysis time improvements.
    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
    timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
    permissions:
      actions: read
      contents: read
      security-events: write

    strategy:
      fail-fast: false
      matrix:
        language: [ 'csharp', 'javascript-typescript' ]
        # CodeQL supports [ 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift' ]
        # Use only 'java-kotlin' to analyze code written in Java, Kotlin or both
        # Use only 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support

    steps:
    - name: Checkout repository
      uses: actions/checkout@v4.2.2

    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
      uses: github/codeql-action/init@v3.28.0
      with:
        languages: ${{ matrix.language }}
        # If you wish to specify custom queries, you can do so here or in a config file.
        # By default, queries listed here will override any specified in a config file.
        # Prefix the list here with "+" to use these queries and those in the config file.
        # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
        # queries: security-extended,security-and-quality

    - name: Setup .NET Core SDK
      uses: actions/setup-dotnet@v4.2.0
      with:
        # Optional SDK version(s) to use. If not provided, will install global.json version when available. Examples: 2.2.104, 3.1, 3.1.x, 3.x, 6.0.2xx
        dotnet-version: 8.x
        # Optional NuGet.config location, if your NuGet.config isn't located in the root of the repo.
        config-file: myapplication/nuget.config
      # Run only for the C# entry of the language matrix.
      if: matrix.language == 'csharp'

    # Registers credentials for the authenticated third-party feed (placeholder
    # values), restores with the standalone NuGet CLI, then builds.
    - name: Build and publish Application
      run: |
        cd myapplication
        dotnet nuget update source "mysource" --source "https://mysource.com/v3/index.json" --configfile "nuget.config" --username "myuser" --password "mysecretpassword" --store-password-in-clear-text
        nuget restore myapplication.csproj -ConfigFile nuget.config
        dotnet build --no-restore -property:Configuration=Release
        cd ..
      shell: pwsh
      # Run only for the C# entry of the language matrix.
      if: matrix.language == 'csharp'

    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@v3.28.0
      with:
        category: "/language:${{matrix.language}}"
```
Let the runner fail at the NuGet restore step.
Hi @abrousseau-hcgov, thank you for bringing this issue to our attention. We will look into this issue closely and will update you after investigating.
Hi @abrousseau-hcgov, thank you for contacting us regarding the NuGet package in Ubuntu 24. The NuGet package is available in Ubuntu 20 and 22 images.
We understand the advantages of the NuGet package; however, we decided to remove some tools in order to maintain a lightweight OS image. We recommend that you install it at build runtime and use it.
@vidyasagarnimmagaddi I am good with that explanation, but it is also important to let the community know when changes like this are going to occur. The only reason I found this is the default image runner for CodeQL recently updated to Ubuntu 24.04 and this broke multiple CodeQL scans. Searching the readme markdown for the Ubuntu 24.04 image runner is what led me to this. Again, I appreciate you looking into this.
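The failure discussed in this thread, a scan job breaking because `ubuntu-latest` moved to an image without a tool the build calls, can be caught at the start of the job instead of mid-restore. The following preflight is an added example, not code from the issue or from the runner-images project; it assumes the step runs under the runner's default POSIX shell, that the hosted runner exports `ImageOS` and `ImageVersion`, and the expected image label and tool list are illustrative.

```shell
#!/bin/sh
# Preflight for a hosted-runner job: fail early, with an explicit message,
# when the image has changed or a CLI the build needs is no longer on PATH.
# Assumptions: ImageOS / ImageVersion are the variables GitHub-hosted runners
# export (e.g. ubuntu24); the tool list and expected image are this example's.

# Print every named command that cannot be resolved on PATH, one per line.
missing_tools() {
  for tool in "$@"; do
    command -v "$tool" >/dev/null 2>&1 || printf '%s\n' "$tool"
  done
}

# Succeed only if the runner reports the image the workflow was validated on.
image_matches() {
  [ "${ImageOS:-unknown}" = "$1" ]
}

# preflight EXPECTED_IMAGE TOOL...
# Returns 0 when every tool is present, 1 when at least one is missing.
# Image drift alone only warns, because the build may still succeed.
preflight() {
  expected="$1"; shift
  if ! image_matches "$expected"; then
    printf '::warning::runner image is %s (%s), workflow was validated on %s\n' \
      "${ImageOS:-unknown}" "${ImageVersion:-unknown}" "$expected"
  fi
  missing="$(missing_tools "$@" | tr '\n' ' ')"
  if [ -n "$missing" ]; then
    printf '::error::missing on %s: %s\n' "${ImageOS:-unknown}" "$missing"
    return 1
  fi
  return 0
}

# In a workflow step, before the restore:
#   preflight ubuntu22 dotnet nuget || exit 1
```

The `::warning::` and `::error::` prefixes are workflow commands, so the message appears as an annotation on the run rather than only in the step log.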
Description
Good morning,
Thanks,
Adam Brousseau
Platforms affected
Runner images affected
Image version and build link
Current runner:
Runner Image
Image: ubuntu-24.04
Version: 20250105.1.0
Included Software: https://github.com/actions/runner-images/blob/ubuntu24/20250105.1/images/ubuntu/Ubuntu2404-Readme.md
Image Release: https://github.com/actions/runner-images/releases/tag/ubuntu24%2F20250105.1
Previous runner (approximately 3 weeks ago):
Runner Image
Image: ubuntu-22.04
Version: 20241215.1.0
Included Software: https://github.com/actions/runner-images/blob/ubuntu22/20241215.1/images/ubuntu/Ubuntu2204-Readme.md
Image Release: https://github.com/actions/runner-images/releases/tag/ubuntu22%2F20241215.1