From a5857ad01f3c1a4fb2594b0ca9adb29674958978 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 1 Apr 2026 11:51:34 +0000
Subject: [PATCH 1/3] Initial plan
From 0c0c87afb2ff7887dc779fda0c6b5e7296532b20 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 1 Apr 2026 11:54:27 +0000
Subject: [PATCH 2/3] Switch PDQ publishing to Trusted Publishing (OIDC) model
Agent-Logs-Url: https://github.com/crispthinking/PdqHash/sessions/4d5046f6-12ed-4351-9bff-643d341ef568
Co-authored-by: corpo-iwillspeak <265613520+corpo-iwillspeak@users.noreply.github.com>
---
 .github/workflows/publish.yml | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 20d5cb2..191ccfd 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -8,6 +8,14 @@ on:
 - published # Run the workflow when a new GitHub release is published
 workflow_dispatch: # Allow running the workflow manually from the GitHub UI
 
+# Set permissions for the workflow.
+permissions:
+ contents: write
+ packages: write
+ checks: write
+ pull-requests: write
+ id-token: write # Required for NuGet trusted publishing (OIDC)
+
 env:
 DOTNET_SKIP_FIRST_TIME_EXPERIENCE: 1
 DOTNET_NOLOGO: true
@@ -81,7 +89,14 @@ jobs:
 run: |
 dotnet nuget push ${NuGetDirectory}/*.nupkg --api-key "${{ secrets.GITHUB_TOKEN }}" --source "https://nuget.pkg.github.com/crispthinking/index.json" --skip-duplicate
 
+ - name: NuGet login (OIDC → temp API key)
+ if: github.event_name == 'release'
+ uses: NuGet/login@v1
+ id: login
+ with:
+ user: ${{ secrets.NUGET_USER }}
+
 - name: Publish NuGet package
 if: github.event_name == 'release'
 run: |
- dotnet nuget push ${NuGetDirectory}/*.nupkg --api-key "${{ secrets.NUGET_APIKEY }}" --source "https://api.nuget.org/v3/index.json" --skip-duplicate
+ dotnet nuget push ${NuGetDirectory}/*.nupkg --api-key "${{ steps.login.outputs.NUGET_API_KEY }}" --source "https://api.nuget.org/v3/index.json" --skip-duplicate
From b5e6533580a3451801d41ed5f11543558c4eee99 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 7 Apr 2026 09:22:20 +0000
Subject: [PATCH 3/3] Scope permissions per-job with least privilege
Agent-Logs-Url: https://github.com/crispthinking/PdqHash/sessions/616ec821-bb44-4f25-9f9f-6b4cbfad9db9
Co-authored-by: corpo-iwillspeak <265613520+corpo-iwillspeak@users.noreply.github.com>
---
 .github/workflows/publish.yml | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 191ccfd..1b8221c 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -8,14 +8,6 @@ on:
 - published # Run the workflow when a new GitHub release is published
 workflow_dispatch: # Allow running the workflow manually from the GitHub UI
 
-# Set permissions for the workflow.
-permissions:
- contents: write
- packages: write
- checks: write
- pull-requests: write
- id-token: write # Required for NuGet trusted publishing (OIDC)
-
 env:
 DOTNET_SKIP_FIRST_TIME_EXPERIENCE: 1
 DOTNET_NOLOGO: true
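Review bot: `uses: NuGet/login@v1` pins the step that exchanges the job's OIDC token for a nuget.org publishing credential to a mutable tag, so anyone who can move the `v1` tag gets code execution in a job holding `id-token: write` plus the minted key; pin it to the full commit SHA of the v1 release instead, `uses: NuGet/login@<40-hex-sha> # v1`, and let Dependabot bump it. The temporary key then travels as a `--api-key` argument on the `dotnet nuget push` command line; the action is presumably registering its output as a masked secret, but nothing on this page shows that, so confirm the value does not surface in step logs (for example with `ACTIONS_STEP_DEBUG` enabled). A one-line comment on the login step would spare the next reader a lookup: `# Exchange the job's OIDC token for a short-lived nuget.org API key; the long-lived NUGET_APIKEY secret is no longer used`. The only visible use of `NUGET_APIKEY` is removed in this hunk, so if nothing outside the hunk still reads it, revoke that key on nuget.org and delete the repository secret — it stays a valid standing credential until revoked.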
@@ -24,6 +16,9 @@ env:
 jobs:
 build:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ checks: write # Required for dorny/test-reporter to create check runs
 steps:
 - uses: actions/checkout@v6
 with:
@@ -71,6 +66,9 @@ jobs:
 deploy:
 runs-on: ubuntu-latest
 needs: [ build ]
+ permissions:
+ packages: write # Required to publish to GitHub Packages
+ id-token: write # Required for NuGet trusted publishing (OIDC)
 steps:
 # Download the NuGet package created in the previous job
 - uses: actions/download-artifact@v8
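Review bot: A job-level `permissions` block sets every scope it does not list to `none`, so `deploy` now runs with `contents: none`; that looks fine for a same-run `actions/download-artifact@v8`, but any later step in this job (the rest of `deploy` is outside the hunk) that checks out the repository or reads the release through the API will fail until `contents: read` is added. A comment on each block would stop a future fix from widening it back to `write`: `permissions: # unlisted scopes are none; grant only what a step needs, read before write`. Because `id-token: write` lets this job mint a nuget.org publishing credential, consider also binding the job to a GitHub environment (`environment: nuget-release`) and naming that environment in the nuget.org trusted-publishing policy, so a required-reviewer gate sits in front of publishing and an OIDC token from any other job or branch cannot satisfy the policy; whether the policy is already scoped that way is not visible here.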