Skip to content

build: enable NuGet trusted publishing for release workflows#494

Merged
adrianhall merged 2 commits into
CommunityToolkit:mainfrom
adrianhall:issues/486
Jul 6, 2026
Merged

build: enable NuGet trusted publishing for release workflows#494
adrianhall merged 2 commits into
CommunityToolkit:mainfrom
adrianhall:issues/486

Conversation

@adrianhall

Copy link
Copy Markdown
Collaborator

Closes #486

Summary

Switches the NuGet.org publish step in the release job of build-library.yml and build-template.yml from the long-lived NUGET_PACKAGE_PUSH_TOKEN API key secret to NuGet Trusted Publishing via OIDC, matching the pattern already adopted in CommunityToolkit/Aspire#1452.

  • Added permissions: { id-token: write, contents: read } to the release job in both workflows (job-level permissions replace workflow-level ones, so these must be explicit).
  • Added a NuGet/login@v1 step (NuGet login (OIDC)) that exchanges the environment's NUGET_USER secret + OIDC token for a short-lived NuGet API key.
  • Updated the dotnet nuget push step to use ${{ steps.login.outputs.NUGET_API_KEY }} instead of ${{ secrets.NUGET_PACKAGE_PUSH_TOKEN }}.

The sign job's push to the internal Azure DevOps feed (DEVOPS_PACKAGE_PUSH_TOKEN) is unrelated to nuget.org trusted publishing and is left unchanged.

Per the issue, the nuget-release-gate environment and NUGET_USER secret are already configured on GitHub, and both build-library.yml / build-template.yml are already registered as trusted publisher actions on nuget.org's policy.

Tests and checks run

  • No src//tests/ code changed, so dotnet build/dotnet test were not run — this is a CI-workflow-only change.
  • Validated both modified YAML files parse correctly with Ruby's YAML library.
  • Manually diffed against the reference implementation in Use trusted publishing for dotnet-main NuGet publish Aspire#1452 to confirm the pattern (permissions, login step, api-key output) matches.

Skipped verification

  • End-to-end trusted-publishing verification (an actual OIDC-authenticated push to nuget.org) can only happen on a real tagged release run in the nuget-release-gate environment; this isn't reproducible locally or in a PR run since the release job is gated on startsWith(github.ref, 'refs/tags/').
  • actionlint/yamllint are not installed in this environment, so only a generic YAML syntax check (not GitHub Actions schema validation) was performed locally.

ahall and others added 2 commits July 6, 2026 10:36
…tyToolkit#486)

Switch the NuGet.org release step in build-library.yml and
build-template.yml from the long-lived NUGET_PACKAGE_PUSH_TOKEN
API key to NuGet Trusted Publishing via OIDC.

- Add id-token: write / contents: read permissions to the release job
- Add a NuGet/login@v1 step to exchange OIDC for a short-lived API key
- Use the login step's NUGET_API_KEY output when pushing packages
@adrianhall adrianhall merged commit 1c6945c into CommunityToolkit:main Jul 6, 2026
8 checks passed
@adrianhall adrianhall deleted the issues/486 branch July 6, 2026 09:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Enable Trusted Publishing

1 participant