Enable Trusted Publishing for NuGet with OIDC Authentication in CI workflow

mrbiggred · mrbiggred · commit 68c7fe27d417 · 2025-11-27T09:56:56.000-07:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -69,6 +69,8 @@ jobs:
     runs-on: ubuntu-latest
     needs: build
     if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
+    permissions:
+      id-token: write # Required for Trusted Publishing (OIDC token generation)
 
     steps:
       - name: Install .NET 8.0
@@ -82,6 +84,12 @@ jobs:
           name: nuget-package
           path: ./packages
 
+      # Authenticate to NuGet.org using Trusted Publishing (OIDC)
+      - name: Login to NuGet
+        uses: NuGet/login@v1
+        with:
+          user: ${{ secrets.NUGET_USERNAME }}
+
       # Only push tagged builds to NuGet. These will be production or release candidates.
       - name: Publish to NuGet
-        run: dotnet nuget push ./packages/SaturdayMP.XPlugins.iOS.BEMCheckBox.${{ needs.build.outputs.version }}.nupkg -k ${{ secrets.NUGET_API_KEY }} --skip-duplicate --no-symbols -s https://api.nuget.org/v3/index.json
+        run: dotnet nuget push ./packages/SaturdayMP.XPlugins.iOS.BEMCheckBox.${{ needs.build.outputs.version }}.nupkg --skip-duplicate --no-symbols -s https://api.nuget.org/v3/index.json
