build: enable NuGet trusted publishing for release workflows#494
Merged
Conversation
…tyToolkit#486) Switch the NuGet.org release step in build-library.yml and build-template.yml from the long-lived NUGET_PACKAGE_PUSH_TOKEN API key to NuGet Trusted Publishing via OIDC. - Add id-token: write / contents: read permissions to the release job - Add a NuGet/login@v1 step to exchange OIDC for a short-lived API key - Use the login step's NUGET_API_KEY output when pushing packages
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #486
Summary
Switches the NuGet.org publish step in the
releasejob ofbuild-library.ymlandbuild-template.ymlfrom the long-livedNUGET_PACKAGE_PUSH_TOKENAPI key secret to NuGet Trusted Publishing via OIDC, matching the pattern already adopted in CommunityToolkit/Aspire#1452.permissions: { id-token: write, contents: read }to thereleasejob in both workflows (job-levelpermissionsreplace workflow-level ones, so these must be explicit).NuGet/login@v1step (NuGet login (OIDC)) that exchanges the environment'sNUGET_USERsecret + OIDC token for a short-lived NuGet API key.dotnet nuget pushstep to use${{ steps.login.outputs.NUGET_API_KEY }}instead of${{ secrets.NUGET_PACKAGE_PUSH_TOKEN }}.The
signjob's push to the internal Azure DevOps feed (DEVOPS_PACKAGE_PUSH_TOKEN) is unrelated to nuget.org trusted publishing and is left unchanged.Per the issue, the
nuget-release-gateenvironment andNUGET_USERsecret are already configured on GitHub, and bothbuild-library.yml/build-template.ymlare already registered as trusted publisher actions on nuget.org's policy.Tests and checks run
src//tests/code changed, sodotnet build/dotnet testwere not run — this is a CI-workflow-only change.Skipped verification
nuget-release-gateenvironment; this isn't reproducible locally or in a PR run since thereleasejob is gated onstartsWith(github.ref, 'refs/tags/').actionlint/yamllintare not installed in this environment, so only a generic YAML syntax check (not GitHub Actions schema validation) was performed locally.