Azure 34: Azure Artifacts — Private Package Feeds
easy⏱ 5 mincourseazure
Feed anatomy
A feed lives at pkgs.dev.azure.com/{org}/{project}/_packaging/{feed}/{protocol}/v1. Upstream sources let the feed transparently proxy public registries (Maven Central, npmjs, nuget.org) — every package your build pulls is cached in your feed, insulating you from public-registry outages and supply-chain attacks. Views (@Local, @Prerelease, @Release) partition the same feed so consumers can pin to promoted versions only.
// Maven feed URL format
https://pkgs.dev.azure.com/{org}/{project}/_packaging/{feed}@Release/maven/v1
// npm registry URL
https://pkgs.dev.azure.com/{org}/{project}/_packaging/{feed}/npm/registry/
Auth — pipelines vs local dev
In Azure Pipelines, use the MavenAuthenticate@0 or npmAuthenticate@0 task — it injects System.AccessToken into settings.xml/.npmrc automatically, no secret stored anywhere. For local dev, create a Personal Access Token (PAT) scoped to Packaging (Read) and paste it into your settings. Base64-encode user:PAT for the Authorization: Basic ... header Maven expects.
# azure-pipelines.yml
steps:
- task: MavenAuthenticate@0
inputs:
artifactsFeeds: 'Driveway'
- script: mvn clean deploy
Promotion workflow with views
CI publishes to @Local on every build. When QA approves, the version is promoted to @Prerelease. When release-ready, it's promoted again to @Release. Consumers in production pin to @Release only, so an accidental 1.2.3-SNAPSHOT never leaks into prod. This turns your feed into a mini app-store with review gates.
Build a feed config generator
Create an ArtifactsConfig class with forMaven(feed, view) returning a settings.xml snippet and forNpm(feed, view) returning .npmrc lines. Include a withPat(pat) method that injects the base64-encoded auth header for Maven and the _authToken= line for npm. Use @Release as the default view.
Always route through upstream sources
Configure your feed to upstream to Maven Central / npmjs and then point your builds only at the feed — never directly at the public registry. This gives you two superpowers: (1) if Maven Central has an outage your builds still work from the cache, and (2) if a malicious package appears upstream you can retention-block it in your feed.
Quiz: Pipeline auth without secrets
Why does MavenAuthenticate@0 not need a PAT? It uses System.AccessToken — the auto-generated pipeline OAuth token scoped to the current project's feeds. Zero secrets in your repo, and the token dies when the job ends.