fix: update NuGet registry URL to org-scoped format #43571
loekensgard wants to merge 1 commit into github:main from
The base URL https://nuget.pkg.github.com/ returns HTTP 405 errors when Dependabot tries to resolve packages. The correct format is the org-scoped URL with the index.json endpoint. Fixes github#43529
Pull request overview
Updates the NuGet feed URL example in the private registries configuration docs to use the org-/owner-scoped NuGet v3 index endpoint, aligning the documentation with the URL format Dependabot can successfully resolve.
Changes:
- Replaces the NuGet registry example URL from the base host to an owner-scoped `/OWNER/index.json` URL.
| 1. Select **New private registry** to add access details for a private registry. | ||
| 1. Use the **URL** and **Type** fields to define the location and type of the registry: | ||
| * **URL** is the location where you access the private registry. For example, to use the {% data variables.product.prodname_registry %} registry for NuGet: `https://nuget.pkg.github.com/`. | ||
| * **URL** is the location where you access the private registry. For example, to use the {% data variables.product.prodname_registry %} registry for NuGet: `https://nuget.pkg.github.com/OWNER/index.json`. |
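Review bot: The new example on the added line shows the full path but never states that the `/index.json` suffix is required, so a reader who shortens the URL back to the bare host would hit the same HTTP 405 the PR description reports. Consider appending a short clause after the example saying the URL must include the owner segment and end in `/index.json`.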
The example URL uses the OWNER placeholder but doesn’t explain what value readers should substitute (for example, the organization name that owns the packages). Consider adding a short clarification (or using a less ambiguous placeholder like ORGANIZATION) so readers don’t confuse this with the “organization owner” role mentioned above.
| * **URL** is the location where you access the private registry. For example, to use the {% data variables.product.prodname_registry %} registry for NuGet: `https://nuget.pkg.github.com/OWNER/index.json`. | |
| * **URL** is the location where you access the private registry. For example, to use the {% data variables.product.prodname_registry %} registry for NuGet: `https://nuget.pkg.github.com/ORGANIZATION/index.json`, where `ORGANIZATION` is the name of your organization on {% data variables.product.github %}. |
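Review bot: The suggested replacement line renames the placeholder to `ORGANIZATION`, which departs from the `OWNER` convention the PR description says is used elsewhere in the NuGet registry docs. Keeping `OWNER` and adding only the explanatory clause (for example "where `OWNER` is the name of the organization that owns the packages") would remove the ambiguity with the "organization owner" role without introducing a second placeholder.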
curl -fsSL https://gh.io/copilot-install | VERSION="v0.0.369" PREFIX="$HOME/custom" bash
On Sat, Mar 28, 2026, 12:39 AM Baidar Hotak ***@***.***>
wrote:
…
On Sat, Mar 28, 2026, 12:39 AM Copilot ***@***.***> wrote:
> ***@***.**** commented on this pull request.
> Pull request overview
>
> Updates the NuGet feed URL example in the private registries
> configuration docs to use the org-/owner-scoped NuGet v3 index endpoint,
> aligning the documentation with the URL format Dependabot can successfully
> resolve.
>
> *Changes:*
>
> - Replaces the NuGet registry example URL from the base host to an
> owner-scoped /OWNER/index.json URL.
>
> ------------------------------
>
> In
> content/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries.md
> :
>
> > @@ -41,7 +41,7 @@ You need to be an **organization owner** to set up access to private registries
> 1. In the expanded list of secrets and variables, select **Private registries** to display the "Private Registries" page.
> 1. Select **New private registry** to add access details for a private registry.
> 1. Use the **URL** and **Type** fields to define the location and type of the registry:
> - * **URL** is the location where you access the private registry. For example, to use the {% data variables.product.prodname_registry %} registry for NuGet: `https://nuget.pkg.github.com/` <https://nuget.pkg.github.com/>.
> + * **URL** is the location where you access the private registry. For example, to use the {% data variables.product.prodname_registry %} registry for NuGet: `https://nuget.pkg.github.com/OWNER/index.json` <https://nuget.pkg.github.com/OWNER/index.json>.
>
> The example URL uses the OWNER placeholder but doesn’t explain what
> value readers should substitute (for example, the organization name that
> owns the packages). Consider adding a short clarification (or using a less
> ambiguous placeholder like ORGANIZATION) so readers don’t confuse this
> with the “organization owner” role mentioned above.
> ⬇️ Suggested change
>
> - * **URL** is the location where you access the private registry. For example, to use the {% data variables.product.prodname_registry %} registry for NuGet: `https://nuget.pkg.github.com/OWNER/index.json` <https://nuget.pkg.github.com/OWNER/index.json>.
> + * **URL** is the location where you access the private registry. For example, to use the {% data variables.product.prodname_registry %} registry for NuGet: `https://nuget.pkg.github.com/ORGANIZATION/index.json` <https://nuget.pkg.github.com/ORGANIZATION/index.json>, where `ORGANIZATION` is the name of your organization on {% data variables.product.github %}.
>
Why:
Closes: #43529
The documentation example uses `https://nuget.pkg.github.com/` as the NuGet feed URL, but this base URL causes HTTP 405 errors when Dependabot tries to resolve packages, resulting in silently skipped updates. The org-scoped format `https://nuget.pkg.github.com/OWNER/index.json` is the correct URL.
What's being changed:
Updated the example NuGet feed URL in the "Defining registry access for Code Scanning default setup" section from https://nuget.pkg.github.com/ to https://nuget.pkg.github.com/OWNER/index.json.
Used OWNER to match the placeholder convention elsewhere in the NuGet registry docs, but happy to change to ORGANIZATION if that reads more clearly here.
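
Because the failure described above is silent (updates are skipped rather than reported), a pre-flight check on configured feed URLs is useful. The following is an added example, not code from this PR or from GitHub: the function names, problem codes and the `example-org` sample registries are constructed for illustration.

```python
from urllib.parse import urlsplit

GH_NUGET_HOST = "nuget.pkg.github.com"
PLACEHOLDERS = {"OWNER", "ORGANIZATION"}  # placeholders that appear in this PR


def check_nuget_feed_url(url):
    """Return problem codes for a GitHub Packages NuGet feed URL ([] means OK)."""
    parts = urlsplit(url.strip())
    if parts.hostname != GH_NUGET_HOST:
        return []  # some other feed: outside the scope of this check
    problems = []
    if parts.scheme != "https":
        problems.append("not-https")
    segments = [s for s in parts.path.split("/") if s]
    if not segments:
        # Bare host: the form the PR reports as returning HTTP 405.
        problems.append("base-url-no-owner")
        return problems
    if segments[0] in PLACEHOLDERS:
        # Documentation example pasted without substituting a real owner.
        problems.append("placeholder-not-replaced")
    if len(segments) != 2 or segments[1] != "index.json":
        problems.append("not-owner-index-json")
    return problems


def audit(registries):
    """Map registry name -> problem codes, listing only registries with problems."""
    findings = {}
    for name, url in registries.items():
        problems = check_nuget_feed_url(url)
        if problems:
            findings[name] = problems
    return findings


# Constructed sample configuration (names and owner are hypothetical).
SAMPLE_REGISTRIES = {
    "old-docs-example": "https://nuget.pkg.github.com/",
    "pasted-placeholder": "https://nuget.pkg.github.com/OWNER/index.json",
    "missing-index": "https://nuget.pkg.github.com/example-org",
    "correct": "https://nuget.pkg.github.com/example-org/index.json",
}

if __name__ == "__main__":
    for name, problems in audit(SAMPLE_REGISTRIES).items():
        print(f"{name}: {', '.join(problems)}")
```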