From 8fe346de2a3488eb4521aa77186734a379dda92c Mon Sep 17 00:00:00 2001 From: "Stuart Blackler (@im5tu)" Date: Thu, 18 Jun 2026 14:33:49 +0100 Subject: [PATCH] ci: use NuGet Trusted Publishing (OIDC) instead of long-lived API key Replace the static NUGET_API_KEY secret with short-lived credentials obtained via OIDC. Adds id-token: write permission and the NuGet/login action, which exchanges the GitHub OIDC token for a temporary nuget.org API key used by dotnet nuget push. See https://learn.microsoft.com/nuget/nuget-org/trusted-publishing --- .github/workflows/nuget-release.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/.github/workflows/nuget-release.yml b/.github/workflows/nuget-release.yml index d3a0a820..97761056 100644 --- a/.github/workflows/nuget-release.yml +++ b/.github/workflows/nuget-release.yml @@ -12,6 +12,8 @@ on: jobs: publish: runs-on: ubuntu-latest + permissions: + id-token: write # enable GitHub OIDC token issuance for Trusted Publishing steps: - name: Checkout code uses: actions/checkout@v6 @@ -58,9 +60,15 @@ jobs: - name: List generated packages run: find artifacts/package/release -name "*.nupkg" -type f + - name: NuGet login (OIDC -> short-lived API key) + uses: NuGet/login@v1 + id: login + with: + user: ${{ secrets.NUGET_USER }} + - name: Publish to NuGet run: | for package in artifacts/package/release/*.nupkg; do echo "Publishing $package" - dotnet nuget push "$package" --api-key ${{ secrets.NUGET_API_KEY }} --source https://api.nuget.org/v3/index.json --skip-duplicate + dotnet nuget push "$package" --api-key ${{ steps.login.outputs.NUGET_API_KEY }} --source https://api.nuget.org/v3/index.json --skip-duplicate done