ci: use NuGet Trusted Publishing (OIDC) instead of API key#79
Conversation
Replace the static NUGET_API_KEY secret with short-lived credentials obtained via OIDC. Adds id-token: write permission and the NuGet/login action, which exchanges the GitHub OIDC token for a temporary nuget.org API key used by dotnet nuget push. See https://learn.microsoft.com/nuget/nuget-org/trusted-publishing
|
Warning Review limit reached
More reviews will be available in 3 hours, 3 minutes, and 2 seconds. Learn how PR review limits work. Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file). ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits. 🚦 How do rate limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, the refill rate gradually slows as usage increases. The highest same-day bursts are limited more strictly. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
What
Switches the NuGet release workflow from a long-lived
NUGET_API_KEYsecret to Trusted Publishing using GitHub OIDC.When the workflow runs, GitHub issues a short-lived OIDC token; the
NuGet/loginaction exchanges it with nuget.org for a temporary API key (valid 1 hour) thatdotnet nuget pushthen uses. No static secret to store, rotate, or leak.Changes
permissions: id-token: writeto thepublishjob so GitHub will issue an OIDC token.NuGet/login@v1step that mints a short-lived API key, authenticating as${{ secrets.NUGET_USER }}.dotnet nuget pushnow uses${{ steps.login.outputs.NUGET_API_KEY }}instead of${{ secrets.NUGET_API_KEY }}.Required manual setup before this can publish
im5tugoanuget-release.yml(filename only, no path)NUGET_USERrepo secret set to your nuget.org profile/username (not your email).NUGET_API_KEYsecret can be deleted.Reference: https://learn.microsoft.com/nuget/nuget-org/trusted-publishing
🤖 Generated with Claude Code