ci: use NUGET_USER_NAME env secret for trusted publishing (#266)

amis92 · Copilot · web-flow · commit 4b7889a1ce95 · 2026-02-28T17:39:03.000+01:00
- publish.yml: use secrets.NUGET_USER_NAME instead of hardcoded user
- deploy-command.yml: add secrets: inherit to pass env secrets
- README: document NUGET_USER_NAME secret requirement

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/.github/workflows/deploy-command.yml b/.github/workflows/deploy-command.yml
@@ -21,3 +21,4 @@ jobs:
       push-to: ${{ github.event.client_payload.slash_command.args.named.env || 'github' }}
       tag: ${{ github.event.client_payload.slash_command.args.unnamed.arg1 == 'tag' }}
       comment-id: ${{ github.event.client_payload.github.payload.comment.id }}
+    secrets: inherit
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -112,7 +112,7 @@ jobs:
         uses: NuGet/login@v1
         id: nuget-login
         with:
-          user: warhub
+          user: ${{ secrets.NUGET_USER_NAME }}
 
       - name: Push to nuget.org
         if: env.PUSH_TO == 'all' || env.PUSH_TO == 'nuget'
diff --git a/README.md b/README.md
@@ -119,6 +119,9 @@ NuGet.org publishing uses [Trusted Publishing](https://learn.microsoft.com/en-us
 The `push` job in `publish.yml` uses `environment: package-release` which provides
 environment protection rules (e.g. required reviewers) as a gate before publishing.
 
+The NuGet profile name is configured via the `NUGET_USER_NAME` environment secret
+on the `package-release` environment.
+
 ### Tagging
 
 Tags can also be created via the **Tag** workflow:
