Retrieving Nuget Packages from an Internal project during CI/CD runs fails with 403 Forbidden
Problem Statement
According to the documentation here:
Job tokens should be able to pull from package registries with visibility set to Internal. I've checked that the visibility level for the package registries in question has not been set to Project Members only.
However without adding the dependent projects to the CI allow list they are unable to perform a nuget restore against the projects. They are able to access the group level endpoint to get the correct package versions (though not the project endpoint itself), but are unable to download the packages themselves running into 403 Forbidden.
Adding the dependent project to the allow list makes it work, however this is not feasible for a common dependency as the project maintainer would have to add every project possibly or disable the allow list.
Some context as well. We are dealing with projects in subgroups if that is relevant.