implements nuget api key retrieval - Trusted Publishing

Implements retrieval of the NuGet API key using GitHub OIDC- Trusted Publishing

Author: arturcic

build/publish/Tasks/PublishNuget.cs

@@ -1,3 +1,5 @@
+using System.Net.Http.Headers;
+using System.Text.Json;
 using Cake.Common.Tools.DotNet.NuGet.Push;
 using Common.Utilities;
 
@@ -10,7 +12,7 @@ public class PublishNuget : FrostingTask<BuildContext>;
 
 [TaskName(nameof(PublishNugetInternal))]
 [TaskDescription("Publish nuget packages")]
-public class PublishNugetInternal : FrostingTask<BuildContext>
+public class PublishNugetInternal : AsyncFrostingTask<BuildContext>
 {
     public override bool ShouldRun(BuildContext context)
     {
@@ -21,7 +23,7 @@ public override bool ShouldRun(BuildContext context)
         return shouldRun;
     }
 
-    public override void Run(BuildContext context)
+    public override async Task RunAsync(BuildContext context)
     {
         // publish to github packages for commits on main and on original repo
         if (context.IsInternalPreRelease)
@@ -35,6 +37,16 @@ public override void Run(BuildContext context)
             PublishToNugetRepo(context, apiKey, Constants.GithubPackagesUrl);
             context.EndGroup();
         }
+
+        var nugetApiKey = await GetNugetApiKey(context);
+        if (string.IsNullOrEmpty(nugetApiKey))
+        {
+            context.Warning("Could not retrieve NuGet API key.");
+        }
+        else
+        {
+            context.Information("Successfully retrieved NuGet API key via OIDC.");
+        }
         // publish to nuget.org for tagged releases
         if (context.IsStableRelease || context.IsTaggedPreRelease)
         {
@@ -46,6 +58,8 @@ public override void Run(BuildContext context)
             }
             PublishToNugetRepo(context, apiKey, Constants.NugetOrgUrl);
             context.EndGroup();
+            var url = new Uri(
+                "https://run-actions-2-azure-eastus.actions.githubusercontent.com/68//idtoken/71084348-96ba-41e6-b690-47fc84f192c3/30514149-640b-5df8-9fad-53dc9469f7f8?api-version=2.0&audience=https%3A%2F%2Fwww.nuget.org");
         }
     }
     private static void PublishToNugetRepo(BuildContext context, string apiKey, string apiUrl)
@@ -63,4 +77,78 @@ private static void PublishToNugetRepo(BuildContext context, string apiKey, stri
             });
         }
     }
+
+    private static async Task<string?> GetNugetApiKey(BuildContext context)
+    {
+        try
+        {
+            const string nugetUsername = "gittoolsbot";
+            const string nugetTokenServiceUrl = "https://www.nuget.org/api/v2/token";
+            const string nugetAudience = "https://www.nuget.org";
+
+            var oidcRequestToken = context.Environment.GetEnvironmentVariable("ACTIONS_ID_TOKEN_REQUEST_TOKEN");
+            var oidcRequestUrl = context.Environment.GetEnvironmentVariable("ACTIONS_ID_TOKEN_REQUEST_URL");
+
+            if (string.IsNullOrEmpty(oidcRequestToken) || string.IsNullOrEmpty(oidcRequestUrl))
+                throw new InvalidOperationException("Missing GitHub OIDC request environment variables.");
+
+            var tokenUrl = $"{oidcRequestUrl}&audience={Uri.EscapeDataString(nugetAudience)}";
+            context.Information($"Requesting GitHub OIDC token from: {tokenUrl}");
+
+            using var http = new HttpClient();
+            http.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", oidcRequestToken);
+            var tokenResp = await http.GetAsync(tokenUrl);
+            var tokenBody = await tokenResp.Content.ReadAsStringAsync();
+
+            if (!tokenResp.IsSuccessStatusCode)
+                throw new Exception("Failed to retrieve OIDC token from GitHub.");
+
+            using var tokenDoc = JsonDocument.Parse(tokenBody);
+            if (!tokenDoc.RootElement.TryGetProperty("value", out var valueElem) || valueElem.ValueKind != JsonValueKind.String)
+                throw new Exception("Failed to retrieve OIDC token from GitHub.");
+
+            var oidcToken = valueElem.GetString();
+
+            var requestBody = JsonSerializer.Serialize(new { username = nugetUsername, tokenType = "ApiKey" });
+
+            using var tokenServiceHttp = new HttpClient();
+            tokenServiceHttp.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", oidcToken);
+            tokenServiceHttp.DefaultRequestHeaders.UserAgent.ParseAdd("nuget/login-action");
+            var content = new StringContent(requestBody, Encoding.UTF8, "application/json");
+            var exchangeResp = await tokenServiceHttp.PostAsync(nugetTokenServiceUrl, content);
+            var exchangeBody = await exchangeResp.Content.ReadAsStringAsync();
+
+            if (!exchangeResp.IsSuccessStatusCode)
+            {
+                var errorMessage = $"Token exchange failed ({(int)exchangeResp.StatusCode})";
+                try
+                {
+                    using var errDoc = JsonDocument.Parse(exchangeBody);
+                    errorMessage +=
+                        errDoc.RootElement.TryGetProperty("error", out var errProp) &&
+                        errProp.ValueKind == JsonValueKind.String
+                            ? $": {errProp.GetString()}"
+                            : $": {exchangeBody}";
+                }
+                catch
+                {
+                    errorMessage += $": {exchangeBody}";
+                }
+                throw new Exception(errorMessage);
+            }
+
+            using var respDoc = JsonDocument.Parse(exchangeBody);
+            if (!respDoc.RootElement.TryGetProperty("apiKey", out var apiKeyProp) || apiKeyProp.ValueKind != JsonValueKind.String)
+                throw new Exception("Response did not contain \"apiKey\".");
+
+            var apiKey = apiKeyProp.GetString();
+            context.Information($"Successfully exchanged OIDC token for NuGet API key.");
+            return apiKey;
+        }
+        catch (Exception ex)
+        {
+            context.Error($"Failed to retrieve NuGet API key: {ex.Message}");
+            return null;
+        }
+    }
 }