Update to use trusted publishing (#242)

andrewlock · web-flow · commit 14abf3a6ea99 · 2026-03-05T21:55:54.000Z
diff --git a/.github/workflows/BuildAndPack.yml b/.github/workflows/BuildAndPack.yml
@@ -1,19 +1,3 @@
-# ------------------------------------------------------------------------------
-# <auto-generated>
-#
-#     This code was generated.
-#
-#     - To turn off auto-generation set:
-#
-#         [GitHubActions (AutoGenerate = false)]
-#
-#     - To trigger manual generation invoke:
-#
-#         nuke --generate-configuration GitHubActions_BuildAndPack --host GitHubActions
-#
-# </auto-generated>
-# ------------------------------------------------------------------------------
-
 name: BuildAndPack
 
 on:
@@ -43,6 +27,9 @@ jobs:
       DOTNET_SYSTEM_GLOBALIZATION_INVARIANT: "true"
     name: ${{ matrix.os}}
     runs-on: ${{ matrix.vm}}
+    permissions:
+      id-token: write
+      contents: read
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-dotnet@v4
@@ -67,10 +54,17 @@ jobs:
             !~/.nuget/packages/netescapades.enumgenerators.interceptors
           key: ${{ runner.os }}-${{ hashFiles('**/global.json', '**/*.csproj') }}
 
+      # Use the ambient GitHub token to login to NuGet and retrieve an API key
+      - name: NuGet login (OIDC → temp API key)
+        uses: NuGet/login@v1
+        id: login
+        with:
+          user: ${{ secrets.NUGET_USER || 'NOT_SET' }}
+
       - name: Run './build.cmd Clean Test TestPackage PushToNuGet
         run: ./build.cmd Clean Test TestPackage PushToNuGet
         env:
-          NuGetToken: ${{ secrets.NUGET_TOKEN || 'NOT_SET'}}
+          NuGetToken: ${{ steps.login.outputs.NUGET_API_KEY || 'NOT_SET'}}
 
       - uses: actions/upload-artifact@v4
         with:
