Skip to content

Use trusted publishing for NuGet #9090

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
tobias-tengler merged 1 commit into from
Feb 5, 2026
Merged

Use trusted publishing for NuGet #9090

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 8 additions & 2 deletions .github/workflows/release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,6 @@ on:
- "16.*"

permissions:
id-token: write
contents: read

jobs:
Expand All @@ -15,6 +14,7 @@ jobs:
runs-on: ubuntu-22.04
permissions:
contents: write
id-token: write

steps:
- name: 📦 Checkout
Expand Down Expand Up @@ -49,11 +49,17 @@ jobs:
NitroApiClientId: ${{ secrets.NITRO_API_CLIENT_ID }}
NitroApiKey: ${{ secrets.NITRO_API_KEY }}

- name: NuGet login
uses: NuGet/login@v1
id: login
with:
user: ${{ secrets.NUGET_USERNAME }}
Comment on lines +52 to +56
Copy link

Copilot AI Feb 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The GitHub Action NuGet/login@v1 does not exist in the GitHub Actions marketplace. As of January 2025, there is no official NuGet login action provided by NuGet or GitHub.

For trusted publishing with NuGet, you typically need to:

  1. Configure trusted publishing on NuGet.org for your package(s) to trust GitHub Actions from your repository
  2. Use the OIDC token (via id-token: write permission) directly with the NuGet API
  3. Use dotnet nuget push with the --api-key parameter set to the OIDC token

The correct approach would be to either:

  • Remove this login step entirely and configure the publish command to use OIDC tokens directly
  • Use a valid community action if one exists (verify it exists first)
  • Create a custom script to authenticate using OIDC

Copilot uses AI. Check for mistakes.
Comment thread
tobias-tengler marked this conversation as resolved.

- name: 🚀 Push Packages to NuGet
run: |
./build.cmd publish --skip
env:
NuGetApiKey: ${{ secrets.NUGETAPIKEY }}
NuGetApiKey: ${{ steps.login.outputs.NUGET_API_KEY }}
Copy link

Copilot AI Feb 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The output steps.login.outputs.NUGET_API_KEY references a non-existent step output. Since the NuGet/login@v1 action does not exist (see previous comment), this output will not be available, causing the publish step to fail with an empty or undefined API key.

Additionally, trusted publishing with NuGet typically does not use API keys in the traditional sense - it uses OIDC tokens for authentication. The workflow should be updated to pass the appropriate authentication mechanism that NuGet's trusted publishing expects.

Copilot uses AI. Check for mistakes.

- name: 📤 Attach .nupkg assets to GitHub release
run: |
Expand Down
Loading