
ci: migrate NuGet publish to trusted publishing (OIDC)#440

Merged
BenjaminMichaelis merged 2 commits into main from agents/nuget-trusted-publishing-setup on May 13, 2026

Conversation

@BenjaminMichaelis (Member)

Summary

Migrates the NuGet publish step in Deploy.yml from a long-lived NUGET_API_KEY secret to OIDC-based trusted publishing via NuGet/login@v1.

Changes

  • Added permissions: id-token: write to the deploy job (required for OIDC token issuance)
  • Added NuGet/login@v1 step to exchange the OIDC token for a short-lived NuGet API key
  • Replaced secrets.NUGET_API_KEY with steps.login.outputs.NUGET_API_KEY in the push step

nuget.org Setup (already done)

A trusted publishing policy has been created on nuget.org for IntelliTect.Analyzers:

  • Owner: IntelliTect
  • Repository: CodingGuidelines
  • Workflow: Deploy.yml
  • Environment: Production

Required Action Before Merging

Add a NUGET_USER secret to the Production GitHub environment:

  • Name: NUGET_USER
  • Value: the nuget.org profile name (not email) of the IntelliTect-Nuget account

After First Successful Publish

Once a release triggers a successful publish via OIDC, the old NUGET_API_KEY secret can be removed from the repository secrets.

Replace long-lived NUGET_API_KEY secret with short-lived OIDC token via
NuGet/login@v1. Adds id-token: write permission and NUGET_USER secret
reference to the deploy job.
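The migrated deploy job that this PR describes, written out as an added example (it is not the repository's own Deploy.yml). The step id `login` follows the `steps.login.outputs.NUGET_API_KEY` reference in the diff and the `Production` environment and `NUGET_USER` secret come from the description; the `user` input name, the artifact name, the action versions and the runner are assumptions.

```yaml
# Added example, not the repository's Deploy.yml. Shows the deploy job after the
# migration: no long-lived NUGET_API_KEY secret is stored or referenced; the
# GitHub OIDC token is exchanged for a short-lived nuget.org key at publish time.
name: Deploy
on:
  push:
    tags: ["v*"]

jobs:
  deploy:
    runs-on: ubuntu-latest              # assumed runner
    environment: Production             # must match the nuget.org trusted publishing policy
    permissions:                        # explicit block: anything not listed defaults to none
      contents: read
      actions: read                     # needed by actions/download-artifact
      id-token: write                   # lets the job request an OIDC token
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: nupkg                   # assumed artifact name

      # Exchange the OIDC token for a short-lived NuGet API key. The policy on
      # nuget.org ties the token's owner/repo/workflow/environment claims to the
      # IntelliTect.Analyzers package, so a token from any other workflow is refused.
      - name: NuGet login (trusted publishing)
        id: login                       # referenced below as steps.login.outputs.NUGET_API_KEY
        uses: NuGet/login@v1
        with:
          user: ${{ secrets.NUGET_USER }}   # nuget.org profile name, not email ("user" input assumed)

      - name: Push package
        shell: pwsh
        env:
          # Hand the minted key to the script via the environment instead of
          # interpolating it into the script body.
          NUGET_API_KEY: ${{ steps.login.outputs.NUGET_API_KEY }}
        run: |
          $tagVersion = "${{ github.ref }}".Substring(11)   # strips "refs/tags/v"
          dotnet nuget push "IntelliTect.Analyzers.$tagVersion.nupkg" `
            --source https://api.nuget.org/v3/index.json `
            --api-key $env:NUGET_API_KEY `
            --skip-duplicate
```

Once a tagged release has published successfully through this path, the old NUGET_API_KEY repository secret has no remaining reference and can be deleted.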
Copilot AI review requested due to automatic review settings May 13, 2026 07:03
Copilot AI (Contributor) left a comment

Pull request overview

Migrates the NuGet publish in the Deploy.yml workflow from a long-lived API key secret to NuGet trusted publishing via GitHub OIDC, using NuGet/login@v1 to mint a short-lived NuGet API key at publish time.

Changes:

  • Adds id-token: write job permissions required for OIDC token issuance.
  • Adds a NuGet/login@v1 step and switches dotnet nuget push to use the minted API key output.
  • Updates the deploy job’s token permissions to an explicit minimal set.


Comment thread .github/workflows/Deploy.yml
Comment on lines 71 to 74
$tagVersion = "${{ github.ref }}".substring(11)
echo "TAG_VERSION=$tagVersion" >> $env:GITHUB_OUTPUT
dotnet nuget push IntelliTect.Analyzers.$tagVersion.nupkg --source https://api.nuget.org/v3/index.json --api-key ${{ secrets.NUGET_API_KEY }} --skip-duplicate
dotnet nuget push IntelliTect.Analyzers.$tagVersion.nupkg --source https://api.nuget.org/v3/index.json --api-key ${{ steps.login.outputs.NUGET_API_KEY }} --skip-duplicate
id: tag-version
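Review bot: the new `--api-key ${{ steps.login.outputs.NUGET_API_KEY }}` on the push line only resolves if the NuGet/login step carries `id: login`; with a missing or differently spelled id the expression evaluates to an empty string and `dotnet nuget push` runs with no key, so that id is worth confirming before the next tag triggers a publish. A smaller point: passing the minted key through an `env:` entry and reading `$env:NUGET_API_KEY` in the script keeps it out of the interpolated script body, in the same style as the `$env:GITHUB_OUTPUT` write two lines above.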
When an explicit permissions block is set, unlisted permissions default
to none. actions: read is required for actions/download-artifact.
BenjaminMichaelis merged commit 46c1fa7 into main on May 13, 2026 (5 checks passed) and deleted the agents/nuget-trusted-publishing-setup branch on May 13, 2026 at 07:18.