Skip to content

Trusted Publishing releases to NuGet#194

Merged
jamie-taylor-rjj merged 4 commits into
GaProgMan:mainfrom
jamie-taylor-rjj:feature/trusted-publishing-releases
Oct 18, 2025
Merged

Trusted Publishing releases to NuGet#194
jamie-taylor-rjj merged 4 commits into
GaProgMan:mainfrom
jamie-taylor-rjj:feature/trusted-publishing-releases

Conversation

@jamie-taylor-rjj

Copy link
Copy Markdown
Collaborator

Rationale for this PR

This PR replaces API key-based NuGet publishing with Trusted Publishing based releases. This is based on the documentation and release announcement for the same.

PR Checklist

Feel free to either check the following items (by place an x inside of the square brackets) or by replacing the square brackets with a relevant emoji from the following list:

  • ✅ to indicate that you have checked something off
  • ❎ to indicate that you haven't checked something off
  • ❓ to indicate that something might not be relevant (writing tests for documentation changes, for instance)

Essential

These items are essential and must be completed for each commit. If they are not completed, the PR may not be accepted.

  • [ ❓ ] I have added tests to the OwaspHeaders.Core.Tests project
  • [ ❓ ] I have run the dotnet-format command and fixed any .editorconfig issues
  • [ ❓ ] I have ensured that the code coverage has not dropped below 65%
  • [ ❓ ] I have increased the version number in OwaspHeaders.Core.csproj (only relevant for code changes)
  • [ ❓ ] I have updated the changelog in the root of the repository
  • [ ✅ ] I have avoided using primary constructors in the example project (see README for details)

Note

The changelog in the docs/ directory will be updated automatically when PRs are merged into main.

Optional

  • [ ❓ ] I have documented the new feature in the docs directory
  • [ ❓ ] I have provided a code sample, showing how someone could use the new code

Any Other Information

I'm fully expecting the release action (which fires after all PRs) to fail completely because it will attempt to publish a version of the NuGet package with the same version number as the currently published version... if that makes sense.

Anyway, this will fail because NuGet doesn't allow you to publish the same version twice. And since this isn't a code change, I don't want to update the version number. I guess we'll see whether this works when the next PR which makes a code change is merged.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

Switch the release workflow to NuGet Trusted Publishing using OIDC to obtain a temporary API key at publish time, removing reliance on a long-lived NuGet API key.

  • Add NuGet/login step to exchange OIDC for a temporary API key and update push to use it
  • Add job environment set to production
  • Remove static NUGET_API_KEY usage in favor of ephemeral key

Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

Comment thread .github/workflows/release.yml Outdated
Comment thread .github/workflows/release.yml Outdated
Comment thread .github/workflows/release.yml

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 3 comments.


Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

Comment thread .github/workflows/release.yml Outdated
Comment on lines +112 to +117
- name: NuGet login (OIDC → temp API key)
uses: NuGet/login@v1
id: nuget-login

- name: Push NuGet package
run: dotnet nuget push **\*.nupkg --source 'https://api.nuget.org/v3/index.json' --api-key ${{secrets.NUGET_API_KEY}}
env:
GITHUB_TOKEN: ${{ secrets.NUGET_API_KEY }} No newline at end of file
run: dotnet nuget push **/*.nupkg --source 'https://api.nuget.org/v3/index.json' --api-key ${{ steps.nuget-login.outputs.NUGET_API_KEY }} No newline at end of file

Copilot AI Oct 18, 2025

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"The action reference NuGet/login@v1 does not exist and the output steps.nuget-login.outputs.NUGET_API_KEY is not provided by the official Trusted Publishing auth action. Use the official NuGet/actions/auth@v1 action and consume the NUGET_AUTH_TOKEN it sets. Example:

Copilot uses AI. Check for mistakes.

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This comment will be ignored, as the NuGet/login@v1 defnitely exists and matches the Trusted Publishing documentation

Leaving this comment audit trails.

Comment thread .github/workflows/release.yml Outdated
run: dotnet nuget push **\*.nupkg --source 'https://api.nuget.org/v3/index.json' --api-key ${{secrets.NUGET_API_KEY}}
env:
GITHUB_TOKEN: ${{ secrets.NUGET_API_KEY }} No newline at end of file
run: dotnet nuget push **/*.nupkg --source 'https://api.nuget.org/v3/index.json' --api-key ${{ steps.nuget-login.outputs.NUGET_API_KEY }} No newline at end of file

Copilot AI Oct 18, 2025

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

On ubuntu-latest, bash does not enable globstar by default, so **/.nupkg will not recurse into subdirectories and may not match your packed artifacts (e.g., bin/Release/.nupkg). Enable glob expansion or use find. For example:
run: |
shopt -s globstar nullglob
dotnet nuget push **/*.nupkg --source https://api.nuget.org/v3/index.json --api-key "$NUGET_AUTH_TOKEN"

Suggested change
run: dotnet nuget push **/*.nupkg --source 'https://api.nuget.org/v3/index.json' --api-key ${{ steps.nuget-login.outputs.NUGET_API_KEY }}
run: |
shopt -s globstar nullglob
dotnet nuget push **/*.nupkg --source 'https://api.nuget.org/v3/index.json' --api-key ${{ steps.nuget-login.outputs.NUGET_API_KEY }}

Copilot uses AI. Check for mistakes.
Comment thread .github/workflows/release.yml Outdated
@jamie-taylor-rjj jamie-taylor-rjj merged commit 28e9980 into GaProgMan:main Oct 18, 2025
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants