feat(nuget): add trusted publisher support with OIDC authentication (#1727)

mrgrain · web-flow · commit b99b8a26afb2 · 2025-09-30T08:29:03.000Z
* feat(nuget): add trusted publisher support with OIDC authentication

Implements NuGet Trusted Publishing to enable secure, keyless publishing
using GitHub Actions OIDC tokens instead of long-lived API keys.

- Add NUGET_TRUSTED_PUBLISHER and NUGET_USERNAME environment variables
- Implement OIDC token exchange with NuGet token service endpoint
- Maintain backward compatibility with existing NUGET_API_KEY workflow
- Update documentation with setup instructions and requirements

* GitLab not supported

* fix
diff --git a/README.md b/README.md
@@ -188,10 +188,30 @@ npx publib-nuget [DIR]
 
 **Options (environment variables):**
 
-| Option          | Required | Description                                                                    |
-| --------------- | -------- | ------------------------------------------------------------------------------ |
-| `NUGET_API_KEY` | Required | [NuGet API Key](https://www.nuget.org/account/apikeys) with "Push" permissions |
-| `NUGET_SERVER`  | Optional | NuGet Server URL (defaults to nuget.org)                                       |
+| Option                    | Required                   | Description                                                                                                                                                                                                       |
+| ------------------------- | -------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `NUGET_TRUSTED_PUBLISHER` | Optional                   | Set to any value to use NuGet [Trusted Publisher](https://learn.microsoft.com/en-us/nuget/nuget-org/trusted-publishing) authentication (OIDC). Requires a supported ambient identity (i.e. CI/CD environment).    |
+| `NUGET_USERNAME`          | for Trusted Publisher auth | NuGet.org username (profile name, not email address) for Trusted Publisher authentication.                                                                                                                        |
+| `NUGET_AUDIENCE`          | Optional                   | OIDC audience for token generation (defaults to `https://www.nuget.org`)                                                                                                                                          |
+| `NUGET_TOKEN_SERVICE_URL` | Optional                   | NuGet token service endpoint (defaults to `https://www.nuget.org/api/v2/token`)                                                                                                                                   |
+| `NUGET_API_KEY`           | Optional                   | [NuGet API Key](https://www.nuget.org/account/apikeys) with "Push" permissions. Not required when using Trusted Publishers. Also set to use a short-lived NuGet API key via e.g. <https://github.com/NuGet/login> |
+| `NUGET_SERVER`            | Optional                   | NuGet Server URL (defaults to nuget.org)                                                                                                                                                                          |
+
+### Trusted Publishers
+
+NuGet [Trusted Publishers](https://learn.microsoft.com/en-us/nuget/nuget-org/trusted-publishing) allows publishing without API keys by using OpenID Connect (OIDC) authentication between a trusted third-party service and NuGet.org.
+
+**Trusted Publisher Setup:**
+
+1. Configure your NuGet.org project to use a [Trusted Publisher](https://learn.microsoft.com/en-us/nuget/nuget-org/trusted-publishing)
+2. Set `NUGET_TRUSTED_PUBLISHER=1` in your workflow environment
+3. Set `NUGET_USERNAME` to your NuGet.org username (profile name)
+4. No `NUGET_API_KEY` needed
+
+**Requirements:**
+
+* **GitHub Actions**: Your workflow must have `id-token: write` permission.
+* **Python 3**: Required when using Trusted Publishers without providing `NUGET_API_KEY`. The `id` package is automatically installed.
 
 **Publish to GitHub Packages**\
 You can publish to GitHub Packages instead, with the following options:
diff --git a/bin/publib-nuget b/bin/publib-nuget
@@ -10,14 +10,57 @@ set -eu # we don't want "pipefail" to implement idempotency
 #
 # DIR is a directory with *.nupkg files (default is 'dist/dotnet')
 #
-# NUGET_API_KEY (required): API key for nuget
+# Two publishing modes are supported: Trusted Publisher (recommended) and API key (legacy).
+# Set environment variables accordingly.
 #
+# Trusted Publisher (recommended):
+# - NUGET_TRUSTED_PUBLISHER (required): set to any value
+# - NUGET_USERNAME (required): the NuGet.org username of the package owner
+# - NUGET_AUDIENCE (optional): OIDC audience for token generation (defaults to https://www.nuget.org)
+# - NUGET_TOKEN_SERVICE_URL (optional): NuGet token service endpoint (defaults to https://www.nuget.org/api/v2/token)#
+#
+# API Key:
+# - NUGET_API_KEY (required): API key for your account, created on nuget.org or use https://github.com/NuGet/login
+#
+# Generic options:
+# - NUGET_SERVER (optional): different NuGet server URL to use
 ###
 
 cd "${1:-"dist/dotnet"}"
 
-if [ -z "${NUGET_API_KEY:-}" ]; then
-    echo "NUGET_API_KEY is required"
+# Check for Trusted Publisher authentication
+if [ -n "${NUGET_TRUSTED_PUBLISHER:-}" ]; then
+    echo "Using NuGet Trusted Publisher authentication"
+    
+    if [ -z "${NUGET_USERNAME:-}" ]; then
+        echo "NUGET_USERNAME is required when using Trusted Publishers"
+        exit 1
+    fi
+    
+    # Install required packages
+    python3 -m pip install --user --upgrade id
+    
+    # Generate OIDC token using the id package
+    nuget_audience="${NUGET_AUDIENCE:-https://www.nuget.org}"
+    oidc_token=$(python3 -m id "$nuget_audience")
+    
+    # Exchange OIDC token for NuGet API key
+    nuget_token_service_url="${NUGET_TOKEN_SERVICE_URL:-https://www.nuget.org/api/v2/token}"
+    token_request_body=$(jq -n --arg username "$NUGET_USERNAME" '{username: $username, tokenType: "ApiKey"}')
+    
+    NUGET_API_KEY=$(curl -s -X POST \
+        -H "Content-Type: application/json" \
+        -H "Authorization: Bearer ${oidc_token}" \
+        -H "User-Agent: publib/nuget-publisher" \
+        -d "$token_request_body" \
+        "$nuget_token_service_url" | jq -r '.apiKey')
+    
+    if [ "$NUGET_API_KEY" = "null" ] || [ -z "$NUGET_API_KEY" ]; then
+        echo "Failed to exchange OIDC token for NuGet API key"
+        exit 1
+    fi
+elif [ -z "${NUGET_API_KEY:-}" ]; then
+    echo "NUGET_API_KEY is required or set NUGET_TRUSTED_PUBLISHER=1 with NUGET_USERNAME"
     exit 1
 fi
 
