From d44dac27baa81a93fc81e3776ac6d550b0d501ce Mon Sep 17 00:00:00 2001 From: Kim Gustyr Date: Fri, 17 Apr 2026 19:44:46 +0100 Subject: [PATCH] ci: Use NuGet trusted publishing via OIDC Replace the long-lived NUGET_APIKEY secret with short-lived, single-use API keys obtained by exchanging a GitHub Actions OIDC token at nuget.org. Requires a Trusted Publishing policy configured on nuget.org for this repo + `release.yml`, and a `NUGET_USER` repo variable set to the nuget.org profile name of a member of the policy-owning org. See https://learn.microsoft.com/en-us/nuget/nuget-org/trusted-publishing beep boop --- .github/workflows/release.yml | 62 +++++++++++++++++++++-------------- 1 file changed, 37 insertions(+), 25 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 36643a6..7ac4ff2 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -19,33 +19,33 @@ jobs: create_nuget: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - # Install the .NET SDK indicated in the global.json file - - name: Setup .NET - uses: actions/setup-dotnet@v4 - with: - dotnet-version: ${{ env.DOTNET_VERSION }} - - # Create the NuGet package in the folder from the environment variable NuGetDirectory - - run: dotnet pack --configuration Release --output ${{ env.NuGetDirectory }} - - # Publish the NuGet package as an artifact, so they can be used in the following jobs - - uses: actions/upload-artifact@v4 - with: - name: nuget - if-no-files-found: error - retention-days: 7 - path: | + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + + # Install the .NET SDK indicated in the global.json file + - name: Setup .NET + uses: actions/setup-dotnet@v4 + with: + dotnet-version: ${{ env.DOTNET_VERSION }} + + # Create the NuGet package in the folder from the environment variable NuGetDirectory + - run: dotnet pack --configuration Release --output ${{ env.NuGetDirectory }} + + # Publish the NuGet package as an artifact, so they can be used in the following jobs + - uses: actions/upload-artifact@v4 + with: + name: nuget + if-no-files-found: error + retention-days: 7 + path: | ${{ env.NuGetDirectory }}/Flagsmith.*.nupkg !${{ env.NuGetDirectory }}/Flagsmith.Engine* validate_nuget: runs-on: ubuntu-latest needs: - - create_nuget + - create_nuget steps: # Install the .NET SDK indicated in the global.json file - name: Setup .NET 
@@ -66,13 +66,17 @@ jobs: # https://www.nuget.org/packages/Meziantou.Framework.NuGetPackageValidation.Tool#readme-body-tab # TODO https://github.com/Flagsmith/flagsmith-dotnet-client/issues/96 - name: Validate package - run: meziantou.validate-nuget-package (Get-ChildItem "${{ env.NuGetDirectory }}/*.nupkg") --excluded-rule-ids 101,111,74,72,61,12 + run: meziantou.validate-nuget-package (Get-ChildItem "${{ env.NuGetDirectory + }}/*.nupkg") --excluded-rule-ids 101,111,74,72,61,12 publish: runs-on: ubuntu-latest needs: - - create_nuget - - validate_nuget + - create_nuget + - validate_nuget + permissions: + id-token: write # required for NuGet trusted publishing (OIDC) + contents: read steps: # Download the NuGet package created in the previous job - uses: actions/download-artifact@v4 @@ -86,11 +90,19 @@ jobs: with: dotnet-version: ${{ env.DOTNET_VERSION }} + # Exchange the GitHub OIDC token for a short-lived NuGet.org API key. + # Requires a Trusted Publishing policy configured on nuget.org for this repo + workflow file. + - name: NuGet login (OIDC -> temp API key) + uses: NuGet/login@v1 + id: nuget-login + with: + user: ${{ vars.NUGET_USER }} + # Publish all NuGet packages to NuGet.org - name: Publish NuGet package run: | foreach($file in (Get-ChildItem "${{ env.NuGetDirectory }}" -Recurse -Include *.nupkg)) { - dotnet nuget push $file --api-key "${{ secrets.NUGET_APIKEY }}" --source https://api.nuget.org/v3/index.json + dotnet nuget push $file --api-key "${{ steps.nuget-login.outputs.NUGET_API_KEY }}" --source https://api.nuget.org/v3/index.json } - name: Upload Release Asset
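Review bot: The `Validate package` run command is now a plain scalar wrapped across two lines with the break placed inside the `${{ env.NuGetDirectory }}` expression; YAML folds that newline into a single space so the rendered path is unchanged, but the result depends on the continuation line being indented past `run:` and the expression no longer greps as one unit. Keep the command on one line, or use `run: >-` and break after `--excluded-rule-ids` rather than inside the expression. Separately, the new `permissions` block grants the publish job only `contents: read`, while the same job ends with an `Upload Release Asset` step (last line of the following hunk, body outside the diff); if that step publishes to a GitHub release with `GITHUB_TOKEN`, it will now need `contents: write`, so confirm that before merging.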
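Review bot: The short-lived key is expanded straight into the `run:` script via `${{ steps.nuget-login.outputs.NUGET_API_KEY }}`, so it becomes part of the script text rather than being read from the environment at runtime; pass it through `env:` instead, adding `env:` / `  NUGET_API_KEY: ${{ steps.nuget-login.outputs.NUGET_API_KEY }}` to the publish step and pushing with `--api-key "$env:NUGET_API_KEY"` (the loop already uses PowerShell syntax, so `$env:` is the matching form — confirm the step's shell, which is set outside the hunk). `uses: NuGet/login@v1` is a mutable tag on a newly introduced action that performs the credential exchange; pin it to a full commit SHA with the tag kept as a trailing comment, `uses: NuGet/login@<commit-sha>  # v1`, so a moved tag cannot change what runs in this job. `user: ${{ vars.NUGET_USER }}` expands to an empty string when the repository variable is unset, which the login step may report only indirectly; a preceding step that fails fast with a message naming `NUGET_USER` would make the setup requirement stated in the commit message enforceable.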