Use new GitHub OIDC token for publish (#29)

emilklasson · web-flow · commit fdc6c75c9617 · 2026-03-18T10:51:44.000+01:00
diff --git a/.github/workflows/publish_to_NuGet.yml b/.github/workflows/publish_to_NuGet.yml
@@ -7,11 +7,23 @@ on:
 jobs:
   publish:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write  # enable GitHub OIDC token issuance for this job
 
     steps:
       - uses: actions/checkout@v6
 
       - run: dotnet restore
       - run: dotnet build --configuration Release --no-restore --warnaserror
       - run: dotnet pack --configuration Release -o out/Release -p:PackageVersion=${GITHUB_REF/refs\/tags\/v/''}
-      - run: dotnet nuget push out/Release/*.nupkg --skip-duplicate --source https://api.nuget.org/v3/index.json
+
+      # Get a short-lived NuGet API key
+      - name: NuGet login (OIDC → temp API key)
+        uses: NuGet/login@v1
+        id: login
+        with:
+          user: ${{ secrets.NUGET_USER }} 
+      
+      # Push the package
+      - name: NuGet push
+        run: dotnet nuget push out/Release/*.nupkg --skip-duplicate --api-key ${{steps.login.outputs.NUGET_API_KEY}} --source https://api.nuget.org/v3/index.json
