fix: add OIDC token authentication for NuGet Trusted Publishing

ANcpLua · claude · ANcpLua · commit c9ce75cffaeb · 2025-11-21T23:51:52.000+01:00
- Request OIDC token from GitHub Actions - Pass token as API key to dotnet nuget push - This enables Trusted Publishing without storing secrets 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/.github/workflows/nuget-publish.yml b/.github/workflows/nuget-publish.yml
@@ -44,7 +44,14 @@ jobs:
 
       - name: Publish packages to NuGet.org
         if: github.event_name == 'release' || github.event_name == 'workflow_dispatch'
+        env:
+          NUGET_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
+          # Request OIDC token for NuGet Trusted Publishing
+          OIDC_TOKEN=$(curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=api://AzureADTokenExchange" | jq -r '.value')
+
+          # Push package with OIDC token
           dotnet nuget push ./nupkg/*.nupkg \
             --source https://api.nuget.org/v3/index.json \
+            --api-key "$OIDC_TOKEN" \
             --skip-duplicate
diff --git a/SWEN3.Paperless.RabbitMq/Publishing/GenAIPublishingExtensions.cs b/SWEN3.Paperless.RabbitMq/Publishing/GenAIPublishingExtensions.cs
@@ -19,6 +19,10 @@ public static class GenAIPublishingExtensions
     /// <param name="publisher">The RabbitMQ publisher instance.</param>
     /// <param name="command">The GenAI command to publish.</param>
     /// <returns>A task representing the asynchronous operation.</returns>
+    /// <example>
+    ///     <code>var command = new GenAICommand(jobId, text);</code>
+    ///     <code>await publisher.PublishGenAICommandAsync(command);</code>
+    /// </example>
     public static async Task PublishGenAICommandAsync<T>(this IRabbitMqPublisher publisher, T command)
         where T : class =>
         await publisher.PublishAsync(RabbitMqSchema.GenAICommandRouting, command).ConfigureAwait(false);
diff --git a/SWEN3.Paperless.RabbitMq/RabbitMqExtensions.cs b/SWEN3.Paperless.RabbitMq/RabbitMqExtensions.cs
@@ -12,6 +12,7 @@ namespace SWEN3.Paperless.RabbitMq;
 /// <summary>
 ///     <para>Use <see cref="PublishingExtensions.PublishOcrCommandAsync{T}" /> to publish OCR commands.</para>
 ///     <para>Use <see cref="PublishingExtensions.PublishOcrEventAsync{T}" /> to publish OCR events.</para>
+///     <para>Use <see cref="GenAIPublishingExtensions.PublishGenAICommandAsync{T}" /> to publish GenAI commands (e.g., summaries).</para>
 ///     <para>Use <see cref="GenAIPublishingExtensions.PublishGenAIEventAsync{T}" /> to publish GenAI events.</para>
 ///     <para>Use <see cref="IRabbitMqConsumerFactory.CreateConsumerAsync{T}" /> to create message consumers.</para>
 ///     <para>Use <see cref="PaperlessEndpointExtensions.MapOcrEventStream" /> to map OCR SSE endpoint.</para>
