Use NuGet trusted publishing instead of API keys

christianhelle · christianhelle · commit cf424b9d1845 · 2025-10-08T09:22:27.000+02:00
diff --git a/.github/workflows/release-template.yml b/.github/workflows/release-template.yml
@@ -10,6 +10,9 @@ on:
 env:
   NUGET_REPO_URL: "https://api.nuget.org/v3/index.json"
 
+permissions:
+  id-token: write
+
 jobs:
   CLI:
     name: 🚚 Prepare new release
@@ -37,8 +40,13 @@ jobs:
           path: |
             **/*.nupkg
             README.md
+      - name: NuGet login (OIDC → temp API key)
+        uses: NuGet/login@v1
+        id: login
+        with:
+          user: christian.helle
       - name: Push packages to NuGet
-        run: dotnet nuget push **/*.nupkg --api-key ${{ secrets.NUGET_KEY }} --source ${{ env.NUGET_REPO_URL }} --no-symbols
+        run: dotnet nuget push **/*.nupkg --api-key ${{steps.login.outputs.NUGET_API_KEY}} --source ${{ env.NUGET_REPO_URL }} --no-symbols
       - name: Create tag
         uses: actions/github-script@v8
         with:
