Skip to content

Use trusted publishing for NuGet#9090

Merged
tobias-tengler merged 1 commit intomainfrom
tte/nuget-trusted-publishing
Feb 5, 2026
Merged

Use trusted publishing for NuGet#9090
tobias-tengler merged 1 commit intomainfrom
tte/nuget-trusted-publishing

Conversation

@tobias-tengler
Copy link
Copy Markdown
Member

@tobias-tengler tobias-tengler commented Feb 5, 2026

No description provided.

Copilot AI review requested due to automatic review settings February 5, 2026 13:42
Copilot AI reviewed Feb 5, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR attempts to implement trusted publishing for NuGet packages by moving the id-token: write permission from the workflow level to the job level and introducing a NuGet login step to replace the direct use of API keys.

Changes:

  • Moved id-token: write permission from workflow level to job level
  • Added a new "NuGet login" step using NuGet/login@v1 action
  • Changed the NuGet API key source from a direct secret to an output from the login step

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/release.yml
Comment on lines +52 to +56
- name: NuGet login
uses: NuGet/login@v1
id: login
with:
user: ${{ secrets.NUGET_USERNAME }}
Copy link

Copilot AI Feb 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The GitHub Action NuGet/login@v1 does not exist in the GitHub Actions marketplace. As of January 2025, there is no official NuGet login action provided by NuGet or GitHub.

For trusted publishing with NuGet, you typically need to:

  1. Configure trusted publishing on NuGet.org for your package(s) to trust GitHub Actions from your repository
  2. Use the OIDC token (via id-token: write permission) directly with the NuGet API
  3. Use dotnet nuget push with the --api-key parameter set to the OIDC token

The correct approach would be to either:

  • Remove this login step entirely and configure the publish command to use OIDC tokens directly
  • Use a valid community action if one exists (verify it exists first)
  • Create a custom script to authenticate using OIDC

Copilot uses AI. Check for mistakes.
Comment thread .github/workflows/release.yml
./build.cmd publish --skip
env:
NuGetApiKey: ${{ secrets.NUGETAPIKEY }}
NuGetApiKey: ${{ steps.login.outputs.NUGET_API_KEY }}
Copy link

Copilot AI Feb 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The output steps.login.outputs.NUGET_API_KEY references a non-existent step output. Since the NuGet/login@v1 action does not exist (see previous comment), this output will not be available, causing the publish step to fail with an empty or undefined API key.

Additionally, trusted publishing with NuGet typically does not use API keys in the traditional sense - it uses OIDC tokens for authentication. The workflow should be updated to pass the appropriate authentication mechanism that NuGet's trusted publishing expects.

Copilot uses AI. Check for mistakes.
Comment thread .github/workflows/release.yml
@tobias-tengler tobias-tengler merged commit a1d1d5a into main Feb 5, 2026
121 checks passed
@tobias-tengler tobias-tengler deleted the tte/nuget-trusted-publishing branch February 5, 2026 13:46
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Feb 5, 2026

🚀 Fusion Gateway Performance Results

Simple Composite Query

Constant Load (50 VUs)

Requests/sec Error Rate
5888.51 req/s 0.00%
📊 Response Time Metrics
Min Med Max Avg P90 P95
0.76ms 7.08ms 162.25ms 8.34ms 12.76ms 18.12ms

Ramping Load (0→50→500→50 VUs)

Requests/sec Error Rate
4562.59 req/s 0.00%
📊 Response Time Metrics
Min Med Max Avg P90 P95
0.72ms 38.50ms 241.94ms 48.60ms 109.93ms 128.87ms

Executed Query

fragment User on User {
  id
  username
  name
}

fragment Review on Review {
  id
  body
}

fragment Product on Product {
  inStock
  name
  price
  shippingEstimate
  upc
  weight
}

query TestQuery {
  topProducts(first: 5) {
    ...Product
    reviews {
      ...Review
      author {
        ...User
      }
    }
  }
}

Deep Recursion Query

Constant Load (50 VUs)

Requests/sec Error Rate
272.26 req/s 0.00%
📊 Response Time Metrics
Min Med Max Avg P90 P95
12.78ms 173.08ms 564.66ms 178.13ms 223.09ms 245.93ms

Ramping Load (0→50→500→50 VUs)

Requests/sec Error Rate
305.77 req/s 0.00%
📊 Response Time Metrics
Min Med Max Avg P90 P95
3.06ms 654.35ms 1708.90ms 689.61ms 1375.61ms 1462.42ms

Executed Query

fragment User on User {
  id
  username
  name
}

fragment Review on Review {
  id
  body
}

fragment Product on Product {
  inStock
  name
  price
  shippingEstimate
  upc
  weight
}

query TestQuery {
  users {
    ...User
    reviews {
      ...Review
      product {
        ...Product
        reviews {
          ...Review
          author {
            ...User
            reviews {
              ...Review
              product {
                ...Product
              }
            }
          }
        }
      }
    }
  }
  topProducts(first: 5) {
    ...Product
    reviews {
      ...Review
      author {
        ...User
        reviews {
          ...Review
          product {
            ...Product
          }
        }
      }
    }
  }
}

Variable Batching Throughput

Constant Load (50 VUs)

Requests/sec Error Rate
23636.87 req/s 0.00%
📊 Response Time Metrics
Min Med Max Avg P90 P95
0.09ms 1.70ms 44.03ms 2.06ms 3.93ms 4.81ms

Ramping Load (0→50→500→50 VUs)

Requests/sec Error Rate
18734.97 req/s 0.00%
📊 Response Time Metrics
Min Med Max Avg P90 P95
0.09ms 9.30ms 103.11ms 11.33ms 23.34ms 28.11ms

Executed Query

query TestQuery_8f7a46ce_2(
  $__fusion_1_upc: ID!
  $__fusion_2_price: Long!
  $__fusion_2_weight: Long!
) {
  productByUpc(upc: $__fusion_1_upc) {
    inStock
    shippingEstimate(weight: $__fusion_2_weight, price: $__fusion_2_price)
  }
}

Variables (5 sets batched in single request)

[
  { "__fusion_1_upc": "1", "__fusion_2_price": 899, "__fusion_2_weight": 100 },
  { "__fusion_1_upc": "2", "__fusion_2_price": 1299, "__fusion_2_weight": 1000 },
  { "__fusion_1_upc": "3", "__fusion_2_price": 15, "__fusion_2_weight": 20 },
  { "__fusion_1_upc": "4", "__fusion_2_price": 499, "__fusion_2_weight": 100 },
  { "__fusion_1_upc": "5", "__fusion_2_price": 1299, "__fusion_2_weight": 1000 }
]

No baseline data available for comparison.

Run 21713775950 • Commit d29e732 • Thu, 05 Feb 2026 14:00:42 GMT

@dependabot dependabot Bot mentioned this pull request Feb 16, 2026
Closed
@dependabot dependabot Bot mentioned this pull request Mar 2, 2026
Closed
@dependabot dependabot Bot mentioned this pull request Mar 16, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

🧰 maintenance

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@tobias-tengler