Can not get working example with Docker and private nuget feed

[mturczyn]

In documentation/scenarios/nuget-credentials.md it is mentioned we can use Nuget Authenticate task in Azure pipelines

- task: Docker@2
  displayName: 'build container'
  inputs:
    command: 'build'
    dockerfile: '**/Dockerfile'
    arguments: '--build-arg FEED_ACCESSTOKEN=$(VSS_NUGET_ACCESSTOKEN)'

But that do not work (even echoing showed it as empty). I guess that might be due to the fact that VSS_NUGET_ACCESSTOKEN is secret value.

I wonder if I am correct about my assumption, or is there something I could do better? Something I have missed?

My workaround currently is to have custom task with docker build and push commands that accepts correctly VSS_NUGET_ACCESSTOKEN secret through environment variables

parameters:
  - name: acrServer
    type: string
  - name: containerRepository
    type: string
  - name: dockerfile
    type: string
  - name: buildContext
    type: string
  - name: dockerRegistryServiceConnection
    type: string
  - name: tags
    type: object # array
    default: []
  - name: push
    type: boolean

steps:
  - task: NuGetAuthenticate@1
    name: NuGetAuthenticate
    displayName: "Authenticate with NuGet feed"

  - task: Docker@2
    displayName: Login to ACR
    inputs:
      containerRegistry: ${{ parameters.dockerRegistryServiceConnection }}
      command: login

  - script: |
      # Build array of full image URLs
      IMAGE_URLS=()
      for tag in ${{ join(' ', parameters.tags) }}; do
        IMAGE_URLS+=("${{ parameters.acrServer }}/${{ parameters.containerRepository }}:$tag")
      done

      # Build docker build arguments
      BUILD_ARGS=""
      for image_url in "${IMAGE_URLS[@]}"; do
        BUILD_ARGS="$BUILD_ARGS -t $image_url"
      done

      docker build \
        --build-arg FEED_ACCESSTOKEN="$FEED_ACCESSTOKEN" \
        $BUILD_ARGS \
        -f ${{ parameters.dockerfile }} \
        ${{ parameters.buildContext }}

      # Push all images (if push is enabled)
      if [ "${{ parameters.push }}" == "True" ]; then
        for image_url in "${IMAGE_URLS[@]}"; do
          echo "Pushing image: $image_url"
          docker push "$image_url"
        done
      else
        echo "Push disabled - only building images"
      fi
    displayName: Build and Push to ACR
    env:
      FEED_ACCESSTOKEN: $(VSS_NUGET_ACCESSTOKEN) # secret mapped here, not as parameter

[lbussell]

Thanks for bringing this up, @mturczyn -- our documentation is incorrect. Azure Pipelines does not automatically map secret environment variables into steps/tasks. You have to manually map them using the env: property on the task, as you discovered. I've filed #7088 to track fixing the documentation.