From 0620ee7c859a7a3f082136b0b395e2f6e7cf3b0b Mon Sep 17 00:00:00 2001
From: Joseph Doherty <dohejw01@gmail.com>
Date: Fri, 29 May 2026 08:12:32 -0400
Subject: [PATCH] build(docker): supply Gitea feed + optional NuGet credentials
 for image restore

Dockerfile copies nuget.config (so the Gitea feed + source mapping are known in
the restore stage) and accepts optional NUGET_GITEA_USER/PASS build-args for a
private feed; build.sh forwards them from host env vars (MXGW_NUGET_USER/PASS)
so secrets are never committed. Verified the in-container restore resolves the
ZB.MOM.WW.MxGateway.* packages (anonymous feed).
---
 docker/Dockerfile | 11 +++++++++++
 docker/build.sh   | 10 ++++++++++
 2 files changed, 21 insertions(+)

diff --git a/docker/Dockerfile b/docker/Dockerfile
index 0315bc0d..54abc8ec 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -27,6 +27,17 @@ COPY src/ZB.MOM.WW.ScadaBridge.ManagementService/ZB.MOM.WW.ScadaBridge.Managemen
 # projects) for `dotnet restore` to resolve versions — without it restore fails NU1015.
 COPY Directory.Packages.props ./
 
+# nuget.config declares the Gitea feed (and package-source mapping) that serves the
+# ZB.MOM.WW.MxGateway.* packages used by the Data Connection Layer.
+COPY nuget.config ./
+
+# Optional credentials for the private Gitea feed, supplied at build time via
+# --build-arg (see docker/build.sh). Left blank for an anonymous feed. NuGet reads
+# per-source credentials from the NuGetPackageSourceCredentials_<sourceName> env var.
+ARG NUGET_GITEA_USER=
+ARG NUGET_GITEA_PASS=
+ENV NuGetPackageSourceCredentials_dohertj2-gitea="Username=${NUGET_GITEA_USER};Password=${NUGET_GITEA_PASS}"
+
 # Restore NuGet packages via Host project (follows ProjectReferences to all dependencies)
 # This layer is cached until any .csproj changes — source-only changes skip restore entirely
 RUN dotnet restore src/ZB.MOM.WW.ScadaBridge.Host/ZB.MOM.WW.ScadaBridge.Host.csproj
diff --git a/docker/build.sh b/docker/build.sh
index ebbe69f9..52957617 100755
--- a/docker/build.sh
+++ b/docker/build.sh
@@ -12,11 +12,21 @@ if ! docker network inspect scadabridge-net >/dev/null 2>&1; then
     docker network create scadabridge-net
 fi
 
+# Optional credentials for the private Gitea NuGet feed (ZB.MOM.WW.MxGateway.*).
+# Read from the host environment so secrets are never committed. Leave unset for an
+# anonymous feed. Export MXGW_NUGET_USER / MXGW_NUGET_PASS before running deploy.
+NUGET_ARGS=()
+if [ -n "${MXGW_NUGET_USER:-}" ]; then
+    NUGET_ARGS+=(--build-arg "NUGET_GITEA_USER=${MXGW_NUGET_USER}")
+    NUGET_ARGS+=(--build-arg "NUGET_GITEA_PASS=${MXGW_NUGET_PASS:-}")
+fi
+
 # Build from repo root (so COPY paths in Dockerfile resolve correctly)
 echo "Building scadabridge:latest image..."
 docker build \
     -t scadabridge:latest \
     -f "$SCRIPT_DIR/Dockerfile" \
+    "${NUGET_ARGS[@]}" \
     "$REPO_ROOT"
 
 echo "Build complete: scadabridge:latest"