15 changes: 14 additions & 1 deletion .github/workflows/publish.yml
Expand Up @@ -16,6 +16,9 @@ env:
jobs:
build:
runs-on: ubuntu-latest
permissions:
contents: read
checks: write # Required for dorny/test-reporter to create check runs
steps:
- uses: actions/checkout@v6
with:
Expand Down Expand Up @@ -63,6 +66,9 @@ jobs:
deploy:
runs-on: ubuntu-latest
needs: [ build ]
permissions:
packages: write # Required to publish to GitHub Packages
id-token: write # Required for NuGet trusted publishing (OIDC)
Comment on lines +69 to +71

Copilot AI Apr 7, 2026
id-token: write is granted for the entire deploy job, even though OIDC is only needed for the NuGet.org publish path (if: github.event_name == 'release'). Since this workflow also runs on push and workflow_dispatch, this unnecessarily broadens exposure to OIDC tokens for non-release runs. Consider splitting deploy into two jobs (e.g., one for GitHub Packages with only packages: write, and a release-only job for NuGet.org with id-token: write), or otherwise ensuring id-token: write is only available on release executions.

steps:
# Download the NuGet package created in the previous job
- uses: actions/download-artifact@v8
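Review bot: the deploy job declares no `environment:` even though, with `id-token: write` on line +71, it now mints a NuGet.org publishing credential via OIDC. Consider binding the job to a protected GitHub environment (e.g. `environment: nuget-release`, name assumed) so the OIDC token's subject claim carries that environment, the trusted-publishing policy on NuGet.org can be scoped to it rather than to any run of this workflow file, and required reviewers gate the release path; this complements the earlier suggestion to split the job so `id-token: write` is not held by push and workflow_dispatch runs.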
Expand All @@ -81,7 +87,14 @@ jobs:
run: |
dotnet nuget push ${NuGetDirectory}/*.nupkg --api-key "${{ secrets.GITHUB_TOKEN }}" --source "https://nuget.pkg.github.com/crispthinking/index.json" --skip-duplicate

- name: NuGet login (OIDC → temp API key)
if: github.event_name == 'release'
uses: NuGet/login@v1
id: login
with:
user: ${{ secrets.NUGET_USER }}

- name: Publish NuGet package
if: github.event_name == 'release'
run: |
dotnet nuget push ${NuGetDirectory}/*.nupkg --api-key "${{ secrets.NUGET_APIKEY }}" --source "https://api.nuget.org/v3/index.json" --skip-duplicate
dotnet nuget push ${NuGetDirectory}/*.nupkg --api-key "${{ steps.login.outputs.NUGET_API_KEY }}" --source "https://api.nuget.org/v3/index.json" --skip-duplicate
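Review bot: `uses: NuGet/login@v1` on line +92 is pinned by mutable tag; since this step is the one that exchanges the OIDC token for a publishing credential, pin it to a full-length commit SHA (with the tag in a trailing comment) so a compromised or retargeted tag cannot swap in code that sees the temporary API key. Also, the deleted line shows `secrets.NUGET_APIKEY` is no longer referenced anywhere in this workflow, so revoke that long-lived key on NuGet.org and delete the repository secret rather than leaving it live, and document the new `NUGET_USER` secret (and the trusted-publishing policy it pairs with) next to the other publishing setup notes so the next maintainer knows what must exist for the release path to work.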