diff --git a/nuget/lib/dependabot/nuget/nuget_config_credential_helpers.rb b/nuget/lib/dependabot/nuget/nuget_config_credential_helpers.rb
index 1c29b67828..e66a77e43c 100644
--- a/nuget/lib/dependabot/nuget/nuget_config_credential_helpers.rb
+++ b/nuget/lib/dependabot/nuget/nuget_config_credential_helpers.rb
@@ -28,7 +28,7 @@ def self.add_credentials_to_nuget_config(credentials)
 File.rename(user_nuget_config_path, temporary_nuget_config_path)
- package_sources = []
+ package_sources = [" "]
 package_source_credentials = []
 nuget_credentials.each_with_index do |c, i|
 source_name = "nuget_source_#{i + 1}"
diff --git a/nuget/spec/dependabot/nuget/nuget_config_credential_helpers_spec.rb b/nuget/spec/dependabot/nuget/nuget_config_credential_helpers_spec.rb
index 6857f0834d..a2ca7a8d13 100644
--- a/nuget/spec/dependabot/nuget/nuget_config_credential_helpers_spec.rb
+++ b/nuget/spec/dependabot/nuget/nuget_config_credential_helpers_spec.rb
@@ -47,6 +47,7 @@
+
diff --git a/updater/lib/dependabot/file_fetcher_command.rb b/updater/lib/dependabot/file_fetcher_command.rb
index 927db8f3e5..7cd889a0ec 100644
--- a/updater/lib/dependabot/file_fetcher_command.rb
+++ b/updater/lib/dependabot/file_fetcher_command.rb
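Review bot: In nuget_config_credential_helpers.rb the new seed `package_sources = [" "]` has no comment saying why the list no longer starts empty, and as shown on this page the literal is a whitespace-only string, which may be markup lost in rendering. Because this list appears to become the package-source section of the generated NuGet config, the first entry decides what precedes the credentialed sources, so its purpose should be stated next to it, for example `# seed entry is written ahead of every generated source; keep it first`. If the intent is to reset inherited sources so that only the job's feeds are consulted, name that in the comment, since that is a supply-chain control a later refactor could drop unnoticed. The body of add_credentials_to_nuget_config starts and ends outside the hunk.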
@@ -77,9 +77,15 @@ def create_file_fetcher(directory: nil)
 # Use the provided directory or fallback to job.source.directory if directory is nil.
 directory_to_use = directory || job.source.directory
+ job_definition = Environment.job_definition
+ job_credentials_metadata = job_definition.fetch("job", {}).fetch("credentials-metadata", [])
+
+ # prefer credentials directly from the root of the file (will contain secrets) but if not specified, fall back to
+ # the job's credentials-metadata that has no secrets
+ credentials = job_definition.fetch("credentials", job_credentials_metadata)
 args = {
 source: job.source.clone.tap { |s| s.directory = directory_to_use },
- credentials: Environment.job_definition.fetch("credentials", []),
+ credentials: credentials,
 options: job.experiments
 }
 args[:repo_contents_path] = Environment.repo_contents_path if job.clone? || already_cloned?
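Review bot: The fallback in `credentials = job_definition.fetch("credentials", job_credentials_metadata)` passes secret-less metadata entries to the file fetcher under the same `credentials:` argument as real credentials, so nothing downstream can tell which kind it received. Code that reads a token or password from these hashes would presumably get nil and fail as an authentication error far from this line. Consider logging which source was chosen (key names only, never values), or documenting on `args` that entries may lack secrets. The metadata lookup also runs eagerly and raises if `"job"` is present but nil; `job_definition.fetch("credentials") { job_definition.dig("job", "credentials-metadata") || [] }` defers it and tolerates that case. create_file_fetcher's body continues past the end of the hunk.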