Skip to content

ci: use NuGet Trusted Publishing (OIDC) instead of API key#79

Merged
Im5tu merged 1 commit into
mainfrom
worktree-trusted-publishing
Jun 18, 2026
Merged

ci: use NuGet Trusted Publishing (OIDC) instead of API key#79
Im5tu merged 1 commit into
mainfrom
worktree-trusted-publishing

Conversation

@Im5tu

@Im5tu Im5tu commented Jun 18, 2026

Copy link
Copy Markdown
Owner

What

Switches the NuGet release workflow from a long-lived NUGET_API_KEY secret to Trusted Publishing using GitHub OIDC.

When the workflow runs, GitHub issues a short-lived OIDC token; the NuGet/login action exchanges it with nuget.org for a temporary API key (valid 1 hour) that dotnet nuget push then uses. No static secret to store, rotate, or leak.

Changes

  • Add permissions: id-token: write to the publish job so GitHub will issue an OIDC token.
  • Add a NuGet/login@v1 step that mints a short-lived API key, authenticating as ${{ secrets.NUGET_USER }}.
  • dotnet nuget push now uses ${{ steps.login.outputs.NUGET_API_KEY }} instead of ${{ secrets.NUGET_API_KEY }}.

Required manual setup before this can publish

  1. Create a Trusted Publishing policy on nuget.org — log in → username menu → Trusted Publishing → add policy:
    • Repository Owner: im5tu
    • Repository: goa
    • Workflow File: nuget-release.yml (filename only, no path)
    • Environment: leave empty (the workflow uses no GitHub environment)
  2. Add a NUGET_USER repo secret set to your nuget.org profile/username (not your email).
  3. After it works, the old NUGET_API_KEY secret can be deleted.

Note: for a private repo the policy is temporarily active for 7 days until the first successful publish locks it to the repo/owner IDs. goa is public, so it activates immediately.

Reference: https://learn.microsoft.com/nuget/nuget-org/trusted-publishing

🤖 Generated with Claude Code

Replace the static NUGET_API_KEY secret with short-lived credentials
obtained via OIDC. Adds id-token: write permission and the NuGet/login
action, which exchanges the GitHub OIDC token for a temporary nuget.org
API key used by dotnet nuget push.

See https://learn.microsoft.com/nuget/nuget-org/trusted-publishing
@coderabbitai

coderabbitai Bot commented Jun 18, 2026

Copy link
Copy Markdown
Contributor

Warning

Review limit reached

@Im5tu, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 3 hours, 3 minutes, and 2 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, the refill rate gradually slows as usage increases. The highest same-day bursts are limited more strictly.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c431f034-49b7-4d24-9d03-7b48ff47b62c

📥 Commits

Reviewing files that changed from the base of the PR and between 3e89cc6 and 8fe346d.

📒 Files selected for processing (1)
  • .github/workflows/nuget-release.yml
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch worktree-trusted-publishing

Comment @coderabbitai help to get the list of available commands and usage tips.

@Im5tu Im5tu merged commit 49859b1 into main Jun 18, 2026
1 of 3 checks passed
@Im5tu Im5tu deleted the worktree-trusted-publishing branch June 18, 2026 14:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant