Skip to content

Use NuGet Trusted Publishing #266

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Sep 24, 2025
Merged

Use NuGet Trusted Publishing #266

merged 2 commits into from
Sep 24, 2025

Conversation

martincostello
Copy link
Member

@martincostello martincostello commented Sep 11, 2025
edited
Loading

Changes

Switch to using GitHub OIDC for pushing packages to NuGet.org with Trusted Publishing.

Resolves #264.

TODO

  • Wait for Trusted Publishing to be available for our NuGet packages
  • Create Trusted Publishing policy in NuGet.org
  • Add nuget:user secret to Vault

Merge requirement checklist

  • Unit tests added/updated
  • CHANGELOG.md updated
  • Changes in public API reviewed (if applicable)

@martincostello
Use NuGet Trusted Publishing
f31b488 
Switch to using GitHub OIDC for pushing packages to NuGet.org with Trusted Publishing.

Resolves #264.
martincostello
martincostello commented Sep 18, 2025
View reviewed changes
@martincostello
Update action
7ee6603 
Update NuGet/login action to v1.1.0.
@Copilot Copilot AI review requested due to automatic review settings September 18, 2025 09:27
Copilot
Copilot AI reviewed Sep 18, 2025
View reviewed changes
Copy link

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR switches the NuGet package publishing workflow from using API tokens to GitHub OIDC with Trusted Publishing, which provides better security by eliminating the need to store long-lived API keys.

  • Replaces vault secret retrieval from nuget:token to nuget:user
  • Introduces the NuGet/login action to authenticate using OIDC
  • Updates the environment variable source for the API key to use the output from the NuGet login action

@martincostello martincostello marked this pull request as ready for review September 23, 2025 08:24
@martincostello martincostello requested a review from a team as a code owner September 23, 2025 08:24
@martincostello martincostello enabled auto-merge (squash) September 23, 2025 08:25
@martincostello martincostello mentioned this pull request Sep 23, 2025
Open
@martincostello martincostello merged commit 32b8893 into main Sep 24, 2025
20 checks passed
@martincostello martincostello deleted the nuget-trusted-publishing branch September 24, 2025 13:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@matt-hensley matt-hensley matt-hensley approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Switch to NuGet trusted publishing

2 participants

@martincostello @matt-hensley