
Conversation

@martincostello
Member

Switch to using GitHub OIDC for pushing packages to NuGet.org with Trusted Publishing.

@kevinchalet Could you update the repository configuration so this will work please?

Steps:

  1. Create an environment called NuGet.org
  2. Add a secret to the NuGet.org environment named NUGET_USER whose value is my NuGet.org username (it's not a secret, but I think it's better not to be hard-coded in the workflow 😃)
  3. (Optionally) delete the NUGET_API_KEY secret

@martincostello martincostello added enhancement dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Sep 23, 2025
@kevinchalet
Member

@kevinchalet Could you update the repository configuration so this will work please?

Done on both repos. Let me know if you need anything else 😃

(Optionally) delete the NUGET_API_KEY secret

Once we're 100% sure NTP works as intended, I'll take care of that 👍🏻

@martincostello
Member Author

Once we're 100% sure NTP works as intended

I hope it does, as I used it to publish this 😅

@martincostello martincostello marked this pull request as ready for review September 23, 2025 10:08
Copilot AI review requested due to automatic review settings September 23, 2025 10:08
@martincostello martincostello merged commit 35e8b40 into dev Sep 23, 2025
11 checks passed
@martincostello martincostello deleted the nuget-trusted-publishing branch September 23, 2025 10:08

Copilot AI left a comment


Pull Request Overview

Migrates the NuGet package publishing workflow from using a static API key to GitHub OIDC-based Trusted Publishing for enhanced security. This change eliminates the need for storing a long-lived NuGet API key as a repository secret.

  • Adds GitHub environment configuration for NuGet.org with required OIDC permissions
  • Integrates NuGet login action to obtain temporary API key through trusted publishing
  • Updates package push step to use dynamically generated API key
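The workflow shape the review summary describes, as an added example that is not the PR's own diff. It assumes the NuGet.org environment and NUGET_USER secret from the description above, the `id-token: write` permission needed for the OIDC token, and the NuGet/login action's `user` input and `NUGET_API_KEY` output:

```yaml
# Added example, not the repository's own workflow. Assumes the NuGet.org
# environment and NUGET_USER secret described in the PR, and the NuGet/login
# action's `user` input and NUGET_API_KEY output.
name: publish

on:
  push:
    tags: ['v*']

jobs:
  publish:
    runs-on: ubuntu-latest
    environment: NuGet.org          # environment created in step 1 of the description
    permissions:
      contents: read
      id-token: write               # allows the job to request a GitHub OIDC token
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-dotnet@v4
      - run: dotnet pack --configuration Release --output ./artifacts

      # Exchange the job's OIDC token for a short-lived NuGet.org API key.
      # No long-lived NUGET_API_KEY secret is involved.
      - name: Get temporary NuGet API key
        id: nuget-login
        uses: NuGet/login@v1
        with:
          user: ${{ secrets.NUGET_USER }}   # NuGet.org username from step 2 of the description

      # The key from the previous step only lives for this job.
      - name: Push packages
        run: >
          dotnet nuget push ./artifacts/*.nupkg
          --api-key "${{ steps.nuget-login.outputs.NUGET_API_KEY }}"
          --source https://api.nuget.org/v3/index.json
```

The `environment:` line is what scopes the job to the environment's secrets and protection rules, and `id-token: write` is the only extra permission the token exchange needs.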


@martincostello
Member Author

Once we're 100% sure NTP works as intended, I'll take care of that 👍🏻

Looks like it's working.

@kevinchalet
Member

Looks like it's working.

Great! I deleted the API key on NuGet.org and removed the corresponding secret here 😃
