Trusted Publishing releases to NuGet#194
Conversation
There was a problem hiding this comment.
Pull Request Overview
Switch the release workflow to NuGet Trusted Publishing using OIDC to obtain a temporary API key at publish time, removing reliance on a long-lived NuGet API key.
- Add NuGet/login step to exchange OIDC for a temporary API key and update push to use it
- Add job environment set to production
- Remove static NUGET_API_KEY usage in favor of ephemeral key
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
Also moved the relevant permissions for the package task
There was a problem hiding this comment.
Pull Request Overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated 3 comments.
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
| - name: NuGet login (OIDC → temp API key) | ||
| uses: NuGet/login@v1 | ||
| id: nuget-login | ||
|
|
||
| - name: Push NuGet package | ||
| run: dotnet nuget push **\*.nupkg --source 'https://api.nuget.org/v3/index.json' --api-key ${{secrets.NUGET_API_KEY}} | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.NUGET_API_KEY }} No newline at end of file | ||
| run: dotnet nuget push **/*.nupkg --source 'https://api.nuget.org/v3/index.json' --api-key ${{ steps.nuget-login.outputs.NUGET_API_KEY }} No newline at end of file |
There was a problem hiding this comment.
"The action reference NuGet/login@v1 does not exist and the output steps.nuget-login.outputs.NUGET_API_KEY is not provided by the official Trusted Publishing auth action. Use the official NuGet/actions/auth@v1 action and consume the NUGET_AUTH_TOKEN it sets. Example:
There was a problem hiding this comment.
This comment will be ignored, as the NuGet/login@v1 defnitely exists and matches the Trusted Publishing documentation
Leaving this comment audit trails.
| run: dotnet nuget push **\*.nupkg --source 'https://api.nuget.org/v3/index.json' --api-key ${{secrets.NUGET_API_KEY}} | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.NUGET_API_KEY }} No newline at end of file | ||
| run: dotnet nuget push **/*.nupkg --source 'https://api.nuget.org/v3/index.json' --api-key ${{ steps.nuget-login.outputs.NUGET_API_KEY }} No newline at end of file |
There was a problem hiding this comment.
On ubuntu-latest, bash does not enable globstar by default, so **/.nupkg will not recurse into subdirectories and may not match your packed artifacts (e.g., bin/Release/.nupkg). Enable glob expansion or use find. For example:
run: |
shopt -s globstar nullglob
dotnet nuget push **/*.nupkg --source https://api.nuget.org/v3/index.json --api-key "$NUGET_AUTH_TOKEN"
| run: dotnet nuget push **/*.nupkg --source 'https://api.nuget.org/v3/index.json' --api-key ${{ steps.nuget-login.outputs.NUGET_API_KEY }} | |
| run: | | |
| shopt -s globstar nullglob | |
| dotnet nuget push **/*.nupkg --source 'https://api.nuget.org/v3/index.json' --api-key ${{ steps.nuget-login.outputs.NUGET_API_KEY }} |
Rationale for this PR
This PR replaces API key-based NuGet publishing with Trusted Publishing based releases. This is based on the documentation and release announcement for the same.
PR Checklist
Feel free to either check the following items (by place an
xinside of the square brackets) or by replacing the square brackets with a relevant emoji from the following list:Essential
These items are essential and must be completed for each commit. If they are not completed, the PR may not be accepted.
dotnet-formatcommand and fixed any .editorconfig issuesNote
The changelog in the
docs/directory will be updated automatically when PRs are merged into main.Optional
Any Other Information
I'm fully expecting the release action (which fires after all PRs) to fail completely because it will attempt to publish a version of the NuGet package with the same version number as the currently published version... if that makes sense.
Anyway, this will fail because NuGet doesn't allow you to publish the same version twice. And since this isn't a code change, I don't want to update the version number. I guess we'll see whether this works when the next PR which makes a code change is merged.