ci: migrate NuGet publish to trusted publishing (OIDC)

BenjaminMichaelis · BenjaminMichaelis · commit 509d313a73fe · 2026-05-13T00:03:34.000-07:00
Replace long-lived NUGET_API_KEY secret with short-lived OIDC token via
NuGet/login@v1. Adds id-token: write permission and NUGET_USER secret
reference to the deploy job.
diff --git a/.github/workflows/Deploy.yml b/.github/workflows/Deploy.yml
@@ -50,16 +50,25 @@ jobs:
       name: "Production"
       url: "https://www.nuget.org/packages/IntelliTect.Analyzers"
     name: Push NuGets
+    permissions:
+      id-token: write  # Required for NuGet trusted publishing (OIDC)
+      contents: read
 
     steps:
       - name: Download artifact from build job
         uses: actions/download-artifact@v8
         with:
           name: NuGet
 
+      - name: NuGet login (OIDC)
+        id: login
+        uses: NuGet/login@v1
+        with:
+          user: ${{ secrets.NUGET_USER }}  # nuget.org profile name (NOT email)
+
       - name: Push NuGet
         run: |
           $tagVersion = "${{ github.ref }}".substring(11)
           echo "TAG_VERSION=$tagVersion" >> $env:GITHUB_OUTPUT
-          dotnet nuget push IntelliTect.Analyzers.$tagVersion.nupkg --source https://api.nuget.org/v3/index.json --api-key ${{ secrets.NUGET_API_KEY }} --skip-duplicate
+          dotnet nuget push IntelliTect.Analyzers.$tagVersion.nupkg --source https://api.nuget.org/v3/index.json --api-key ${{ steps.login.outputs.NUGET_API_KEY }} --skip-duplicate
         id: tag-version
