Conversation

@micheloliveira-com (Contributor) commented Sep 26, 2025

fixed #6791

Summary By Copilot

Motivation

As described in the official announcement, the new Trusted Publishing feature greatly enhances package publishing security on NuGet.org.

We successfully tested this approach with our own NuGet library:

Required changes in this repository

Recommendation followed from announcement:
For security, always use a GitHub secret like ${{ secrets.NUGET_USER }} for your NuGet.org username (profile name), not your email address.

  • Add secrets.NUGET_USER to this repository, using the NuGet.org username (profile name) of the package owner (BootstrapBlazor in this case).
  • The old secrets.NUGET_API_KEY secret can be removed from this repository and also from the NuGet.org account if it was only used here.

One-time configuration on NuGet.org

According to the documentation:

  1. Sign in to NuGet.org.
  2. Open your user menu (top-right) → Trusted Publishing (next to “API Keys”).
  3. Create a policy:
    • Package owner: you or your organization (e.g. BootstrapBlazor).
    • Repository owner: your GitHub org/user (e.g. dotnetcore).
    • Repository name: repository name (e.g. BootstrapBlazor).
    • Workflow file: the YAML file under .github/workflows/ (e.g. pack.yml).
    • Environment (optional): specify if your workflow uses GitHub Actions environments.

This setup eliminates the need for long-lived API keys and improves the overall security of the publishing process.

Regression?

  • Yes
  • No

Risk

  • High
  • Medium
  • Low

Verification

  • Manual (required)
  • Automated

Packaging changes reviewed?

  • Yes
  • No
  • N/A

☑️ Self Check before Merge

⚠️ Please check all items below before review. ⚠️

  • Doc is updated/provided or not needed
  • Demo is updated/provided or not needed
  • Merge the latest code from the main branch

Summary by Sourcery

Enable secure package publishing to NuGet.org by integrating the new Trusted Publishing workflow with id-token permissions and ephemeral credentials.

New Features:

  • Add GitHub Actions support for NuGet Trusted Publishing

Enhancements:

  • Grant id-token write permission for the workflow
  • Introduce NuGet/login action with secrets.NUGET_USER to fetch an ephemeral API key
  • Replace direct NUGET_API_KEY secret with the output from the login step
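The workflow the PR description and the reviewer's guide outline, as an added example of a complete pack.yml; it is not the repository's own file. It assumes the NuGet/login@v1 input is named `user` (the page only names the secret and the `NUGET_API_KEY` output), and the trigger, SDK version, project path and step names are constructed.

```yaml
# Added example of a trusted-publishing pack.yml; not the repository's own file.
# Job/step names, trigger, SDK version and project path are constructed.
name: pack

on:
  push:
    tags: ['v*']

permissions:
  contents: read
  id-token: write   # lets the job request a GitHub OIDC token for NuGet.org

jobs:
  publish:
    runs-on: ubuntu-latest
    # environment: release   # optional; if set, the NuGet.org policy must name it
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-dotnet@v4
        with:
          dotnet-version: '9.0.x'

      - name: Pack
        run: dotnet pack ./path/to/Package.csproj -c Release -o ./artifacts   # placeholder path

      # Exchanges the job's OIDC token for a short-lived API key. NuGet.org issues
      # it only when a Trusted Publishing policy matches the package owner,
      # repository owner, repository name, workflow file (and environment, if set).
      - name: NuGet login (OIDC -> temporary API key)
        id: nuget-login
        uses: NuGet/login@v1
        # Pinned form suggested in review: uses: NuGet/login@<full-40-hex-commit-sha>
        with:
          user: ${{ secrets.NUGET_USER }}   # NuGet.org profile name, never the e-mail

      # Before this PR the env var came from the long-lived secrets.NUGET_API_KEY.
      - name: Push
        env:
          NUGET_API_KEY: ${{ steps.nuget-login.outputs.NUGET_API_KEY }}
        run: >
          dotnet nuget push ./artifacts/*.nupkg
          --source https://api.nuget.org/v3/index.json
          --api-key "$NUGET_API_KEY"
          --skip-duplicate
```

The ephemeral key exists only for the job that requested it, so there is nothing to rotate or revoke if the workflow logs are exposed, and a policy mismatch (wrong repository, workflow file or environment) fails at the login step rather than at push time.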

@bb-auto bot commented Sep 26, 2025

Thanks for your PR, @micheloliveira-com. Someone from the team will get assigned to your PR shortly and we'll get it reviewed.

@sourcery-ai bot (Contributor) commented Sep 26, 2025

Reviewer's Guide

This PR enhances the NuGet package publishing workflow by enabling GitHub’s OIDC token, integrating the NuGet/login@v1 action with a secrets-based username, and swapping the static API key for a dynamically obtained key to support NuGet’s Trusted Publishing feature.

Sequence diagram for NuGet Trusted Publishing workflow

```mermaid
sequenceDiagram
  participant Workflow as "GitHub Actions Workflow"
  participant NuGetLogin as "NuGet/login@v1 Action"
  participant NuGetOrg as "NuGet.org"
  participant Secrets as "GitHub Secrets"

  Workflow->>NuGetLogin: Request login with secrets.NUGET_USER
  NuGetLogin->>Secrets: Retrieve NUGET_USER
  NuGetLogin->>NuGetOrg: Authenticate using OIDC token
  NuGetOrg-->>NuGetLogin: Return temporary NUGET_API_KEY
  NuGetLogin-->>Workflow: Output NUGET_API_KEY
  Workflow->>NuGetOrg: Publish package using NUGET_API_KEY
```

File-Level Changes

  • Enable OIDC-based publishing permissions (.github/workflows/pack.yml)
    • Added permissions.id-token: write to grant OIDC token issuance
  • Insert NuGet login step for trusted publishing (.github/workflows/pack.yml)
    • Added a NuGet/login@v1 step with id nuget-login
    • Configured it to use secrets.NUGET_USER as the profile name
  • Switch publishing to use dynamic API key (.github/workflows/pack.yml)
    • Replaced direct secrets.NUGET_API_KEY environment variable
    • Pointed NUGET_API_KEY env to steps.nuget-login.outputs.NUGET_API_KEY


@bb-auto bb-auto bot requested a review from ArgoZhang September 26, 2025 18:52
@sourcery-ai sourcery-ai bot left a comment


Hey there - I've reviewed your changes and they look great!

Blocking issues:

  • An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.
    Location: `.github/workflows/pack.yml:25` (`uses: NuGet/login@v1`). Rule: yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha (source: opengrep).


@micheloliveira-com (Contributor, Author) commented Sep 26, 2025

@ArgoZhang Hello.

I think leaving NuGet/login without a SHA hash is fine because it's an official action from Microsoft (like actions/setup-dotnet@v4).

Pinning to a SHA may also break with future core NuGet changes.

@ArgoZhang (Member) commented

@micheloliveira-com thanks for your PR. We are completing the GitHub Star Achievement task, could you give this project a star?

@codecov bot commented Sep 27, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (d325482) to head (4cd4610).
⚠️ Report is 1 commits behind head on main.

@@            Coverage Diff            @@
##              main     #6788   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files          739       739           
  Lines        31721     31721           
  Branches      4464      4464           
=========================================
  Hits         31721     31721           
Flag Coverage Δ
BB 100.00% <ø> (?)


@ArgoZhang ArgoZhang self-assigned this Sep 27, 2025
@ArgoZhang ArgoZhang added the chore This are tasks or bot action label Sep 27, 2025
@ArgoZhang ArgoZhang added this to the 9.10.0 milestone Sep 27, 2025
@ArgoZhang ArgoZhang requested a review from Copilot September 27, 2025 03:52
Copilot AI left a comment


Pull Request Overview

This PR implements NuGet Trusted Publishing for enhanced security in package deployment, replacing traditional long-lived API keys with ephemeral tokens generated through OpenID Connect authentication.

  • Add id-token: write permission to enable OIDC token generation
  • Integrate NuGet/login action to obtain temporary API keys using GitHub's trusted publishing
  • Update environment variable to use the ephemeral API key from the login step

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

  • BootstrapBlazor.slnx: Add GitHub Actions workflow files to solution structure
  • .github/workflows/pack.yml: Implement NuGet trusted publishing with OIDC authentication

@ArgoZhang (Member) commented

@source-ai review

@ArgoZhang ArgoZhang merged commit f5960e7 into dotnetcore:main Sep 27, 2025
5 of 6 checks passed
Labels: chore (This are tasks or bot action)

Development: merging this pull request may close the linked issue "chore(Nuget): update nuget login v1".