From b9ea83bcad97700d007e5e5b57609df0aee756c1 Mon Sep 17 00:00:00 2001
From: "Brett V. Forsgren"
Date: Fri, 28 Feb 2025 14:54:05 -0700
Subject: [PATCH] use `$.job.credentials-metadata` if `$.credentials` isn't given
---
 .../dependabot/nuget/nuget_config_credential_helpers.rb | 2 +-
 .../nuget/nuget_config_credential_helpers_spec.rb | 1 +
 updater/lib/dependabot/file_fetcher_command.rb | 8 +++++++-
 3 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/nuget/lib/dependabot/nuget/nuget_config_credential_helpers.rb b/nuget/lib/dependabot/nuget/nuget_config_credential_helpers.rb
index 1c29b678284..e66a77e43c1 100644
--- a/nuget/lib/dependabot/nuget/nuget_config_credential_helpers.rb
+++ b/nuget/lib/dependabot/nuget/nuget_config_credential_helpers.rb
@@ -28,7 +28,7 @@ def self.add_credentials_to_nuget_config(credentials)
 File.rename(user_nuget_config_path, temporary_nuget_config_path)
- package_sources = []
+ package_sources = [" "]
 package_source_credentials = []
 nuget_credentials.each_with_index do |c, i|
 source_name = "nuget_source_#{i + 1}"
diff --git a/nuget/spec/dependabot/nuget/nuget_config_credential_helpers_spec.rb b/nuget/spec/dependabot/nuget/nuget_config_credential_helpers_spec.rb
index 6857f0834d7..a2ca7a8d13e 100644
--- a/nuget/spec/dependabot/nuget/nuget_config_credential_helpers_spec.rb
+++ b/nuget/spec/dependabot/nuget/nuget_config_credential_helpers_spec.rb
@@ -47,6 +47,7 @@
+
diff --git a/updater/lib/dependabot/file_fetcher_command.rb b/updater/lib/dependabot/file_fetcher_command.rb
index 927db8f3e55..7cd889a0ecf 100644
--- a/updater/lib/dependabot/file_fetcher_command.rb
+++ b/updater/lib/dependabot/file_fetcher_command.rb
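Review bot: The new initial value of `package_sources` in add_credentials_to_nuget_config has no comment, and it is unrelated to the credentials fallback named in the subject. As rendered on this page the literal is `[" "]`, which would place a whitespace-only entry ahead of the generated sources; if the original holds an XML element that the page lost (NuGet's `clear` element is one possibility), a line such as `# start from an empty source list so feeds inherited from other NuGet config files are not consulted` would record the intent. That is worth stating because the set of feeds in this file decides where packages may be resolved from. The method body starts and ends outside the hunk.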
@@ -77,9 +77,15 @@ def create_file_fetcher(directory: nil)
 # Use the provided directory or fallback to job.source.directory if directory is nil.
 directory_to_use = directory || job.source.directory
+ job_definition = Environment.job_definition
+ job_credentials_metadata = job_definition.fetch("job", {}).fetch("credentials-metadata", [])
+
+ # prefer credentials directly from the root of the file (will contain secrets) but if not specified, fall back to
+ # the job's credentials-metadata that has no secrets
+ credentials = job_definition.fetch("credentials", job_credentials_metadata)
 args = {
 source: job.source.clone.tap { |s| s.directory = directory_to_use },
- credentials: Environment.job_definition.fetch("credentials", []),
+ credentials: credentials,
 options: job.experiments
 }
 args[:repo_contents_path] = Environment.repo_contents_path if job.clone? || already_cloned?
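Review bot: `job_definition.fetch("credentials", job_credentials_metadata)` uses the fallback only when the `credentials` key is missing, so a job file that carries `"credentials": null` passes `nil` to the fetcher and never reaches the metadata, which is narrower than "isn't given" in the subject. `credentials = job_definition["credentials"] || job_credentials_metadata` would cover the null case; whether an empty array should also fall back is a decision the comment should state. Since the metadata entries carry no secrets, the comment could also name the keys a consumer can still rely on, so that code reading a token or password from an entry is known to tolerate its absence. create_file_fetcher's body starts and ends outside the hunk.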