fix: use NuGet login for trusted publishing

ANcpLua · ANcpLua · commit 4fe888511584 · 2025-11-22T04:12:06.000+01:00
diff --git a/.github/workflows/nuget-publish.yml b/.github/workflows/nuget-publish.yml
@@ -42,14 +42,16 @@ jobs:
       - name: Pack NuGet package
         run: dotnet pack SWEN3.Paperless.RabbitMq/SWEN3.Paperless.RabbitMq.csproj --configuration Release --no-build --output ./nupkg -p:GeneratePackageOnBuild=false
 
+      - name: NuGet login (OIDC → temp API key)
+        uses: NuGet/login@v1
+        id: login
+
       - name: Publish packages to NuGet.org (Trusted Publishing)
         if: github.event_name == 'release' || github.event_name == 'workflow_dispatch'
+        env:
+          NUGET_AUTH_TOKEN: ${{ steps.login.outputs.NUGET_AUTH_TOKEN }}
         run: |
-          # Request OIDC token for NuGet Trusted Publishing
-          OIDC_TOKEN=$(curl -sS -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
-            "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=api://AzureADTokenExchange" | jq -r '.value')
-
           dotnet nuget push ./nupkg/*.nupkg \
             --source https://api.nuget.org/v3/index.json \
-            --api-key "$OIDC_TOKEN" \
+            --api-key "$NUGET_AUTH_TOKEN" \
             --skip-duplicate
