Merge pull request #5 from TimeWarpEngineering/Cramer/2025-12-22/dev

fix: pass NuGet API key from OIDC action to push command

Author: StevenTCramer

.github/workflows/ci-cd.yml

@@ -43,12 +43,18 @@ jobs:
 
       - name: NuGet login (OIDC Trusted Publishing)
         if: github.event_name == 'release'
+        id: nuget-login
         uses: nuget/login@v1
         with:
           user: TimeWarp.Enterprises
 
       - name: Run CI Pipeline
-        run: dotnet run --project tools/dev-cli/timewarp-terminal-dev-cli.csproj -- ci
+        run: |
+          if [ "${{ github.event_name }}" == "release" ]; then
+            dotnet run --project tools/dev-cli/timewarp-terminal-dev-cli.csproj -- ci --api-key "${{ steps.nuget-login.outputs.NUGET_API_KEY }}"
+          else
+            dotnet run --project tools/dev-cli/timewarp-terminal-dev-cli.csproj -- ci
+          fi
 
       - name: Upload Artifacts
         if: always()

kanban/done/003-configure-nuget-trusted-publishing-for-timewarpterminal.md

@@ -0,0 +1,45 @@
+# Fix NuGet Trusted Publishing API Key Passing
+
+## Description
+
+The CI/CD release workflow fails at the "Push to NuGet" step with a 401 Unauthorized error. Initial diagnosis incorrectly assumed NuGet Trusted Publishing wasn't configured - it was. The real issue was that the `nuget/login@v1` action outputs the API key but doesn't automatically make it available to `dotnet nuget push`. The key must be explicitly passed.
+
+## Checklist
+
+- [x] Investigate CI failure - found 401 error on push
+- [x] Verify NuGet Trusted Publishing is configured (it was already correct)
+- [x] Discover that `nuget/login@v1` only sets output, not environment variable
+- [x] Confirm blog post claiming "no API key needed" is misleading (author's own repo passes it explicitly)
+- [x] Add `--api-key` option to `ci-command.cs`
+- [x] Update `PushPackagesAsync` to use the API key
+- [x] Update `ci-cd.yml` to pass the API key from `nuget-login` step output
+- [x] Verify build succeeds
+- [ ] Create PR and verify release workflow works
+
+## Notes
+
+### Root Cause
+The `nuget/login@v1` action only does `core.setOutput('NUGET_API_KEY', apiKey)` - it does NOT:
+- Set an environment variable
+- Write to a NuGet config file
+- Make the key automatically available to subsequent `dotnet` commands
+
+### The Misleading Blog Post
+Gerald Versluis (Microsoft employee) wrote https://blog.verslu.is/nuget/trusted-publishing-easy-setup/ which claims:
+> "You don't need to explicitly pass the API key anymore. It's automatically used by the subsequent dotnet commands."
+
+But his actual workflow at https://github.com/jfversluis/maui-version/blob/main/.github/workflows/release.yml **does** pass the key explicitly:
+```yaml
+--api-key "${{ steps.nuget-login.outputs.NUGET_API_KEY }}"
+```
+
+### Fix Applied
+1. Added `--api-key` option to `ci` command
+2. Updated workflow to pass the key on release events:
+```yaml
+dotnet run --project tools/dev-cli/timewarp-terminal-dev-cli.csproj -- ci --api-key "${{ steps.nuget-login.outputs.NUGET_API_KEY }}"
+```
+
+## Results
+
+Fixed the dev-cli and workflow to properly pass the NuGet API key from the OIDC login step to the push command.

source/timewarp-terminal/timewarp-terminal.csproj

@@ -2,7 +2,7 @@
 
   <PropertyGroup>
     <!-- Independent versioning - not tied to Nuru version -->
-    <Version>1.0.0-beta.3</Version>
+    <Version>1.0.0-beta.2</Version>
     <AssemblyName>TimeWarp.Terminal</AssemblyName>
     <RootNamespace>TimeWarp.Terminal</RootNamespace>
     <Description>Terminal abstractions and widgets for console applications - IConsole, ITerminal, panels, tables, rules, and ANSI color support</Description>

tools/dev-cli/commands/ci-command.cs

@@ -19,6 +19,9 @@ internal sealed class CiCommand : ICommand<Unit>
   [Option("mode", "m", Description = "CI mode: pr, merge, or release (auto-detected from GITHUB_EVENT_NAME if not specified)")]
   public string? Mode { get; set; }
 
+  [Option("api-key", "k", Description = "NuGet API key for publishing (required for release mode)")]
+  public string? ApiKey { get; set; }
+
   internal sealed class Handler : ICommandHandler<CiCommand, Unit>
   {
     private readonly ITerminal Terminal;
@@ -42,7 +45,12 @@ public async ValueTask<Unit> Handle(CiCommand command, CancellationToken ct)
 
       if (mode == CiMode.Release)
       {
-        await RunReleaseWorkflowAsync(ct);
+        if (string.IsNullOrEmpty(command.ApiKey))
+        {
+          throw new InvalidOperationException("Release mode requires --api-key option for NuGet publishing");
+        }
+
+        await RunReleaseWorkflowAsync(command.ApiKey, ct);
       }
       else
       {
@@ -121,7 +129,7 @@ private async Task RunPrWorkflowAsync(CancellationToken ct)
       Terminal.WriteLine("===============================================================================");
     }
 
-    private async Task RunReleaseWorkflowAsync(CancellationToken ct)
+    private async Task RunReleaseWorkflowAsync(string apiKey, CancellationToken ct)
     {
       Terminal.WriteLine("Pipeline: clean -> build -> check-version -> pack -> push");
       Terminal.WriteLine("");
@@ -165,7 +173,7 @@ private async Task RunReleaseWorkflowAsync(CancellationToken ct)
       Terminal.WriteLine("===============================================================================");
       Terminal.WriteLine("  Step 5/5: Push to NuGet");
       Terminal.WriteLine("===============================================================================");
-      await PushPackagesAsync(repoRoot);
+      await PushPackagesAsync(repoRoot, apiKey);
 
       Terminal.WriteLine("");
       Terminal.WriteLine("===============================================================================");
@@ -204,7 +212,7 @@ private async Task PackProjectsAsync(string repoRoot)
       Terminal.WriteLine($"\nPackages created in: {artifactsDir}");
     }
 
-    private async Task PushPackagesAsync(string repoRoot)
+    private async Task PushPackagesAsync(string repoRoot, string apiKey)
     {
       string artifactsDir = Path.Combine(repoRoot, "artifacts", "packages");
 
@@ -235,11 +243,10 @@ private async Task PushPackagesAsync(string repoRoot)
 
         Terminal.WriteLine($"Pushing {package}.{version}.nupkg...");
 
-        // Using Trusted Publishing - no API key needed
-        // The NuGet/login@v1 action in GitHub Actions handles OIDC authentication
         int exitCode = await Shell.Builder("dotnet")
           .WithArguments(
             "nuget", "push", nupkgPath,
+            "--api-key", apiKey,
             "--source", "https://api.nuget.org/v3/index.json",
             "--skip-duplicate")
           .WithWorkingDirectory(repoRoot)

tools/dev-cli/generated/TimeWarp.Nuru.Analyzers/TimeWarp.Nuru.NuruAttributedRouteGenerator/GeneratedAttributedRoutes.g.cs

@@ -29,9 +29,10 @@ internal static class GeneratedAttributedRoutes
   internal static readonly global::TimeWarp.Nuru.CompiledRoute __Route_CiCommand = new global::TimeWarp.Nuru.CompiledRouteBuilder()
     .WithLiteral("ci")
     .WithOption("mode", shortForm: "m", parameterName: "mode", expectsValue: true, parameterType: "string", parameterIsOptional: true, description: "CI mode: pr, merge, or release (auto-detected from GITHUB_EVENT_NAME if not specified)", isOptionalFlag: true)
+    .WithOption("api-key", shortForm: "k", parameterName: "apiKey", expectsValue: true, parameterType: "string", parameterIsOptional: true, description: "NuGet API key for publishing (required for release mode)", isOptionalFlag: true)
     .WithMessageType(global::TimeWarp.Nuru.MessageType.Command)
     .Build();
-  internal const string __Pattern_CiCommand = "ci --mode,-m {mode?}";
+  internal const string __Pattern_CiCommand = "ci --mode,-m {mode?} --api-key,-k {apiKey?}";
 
   internal static readonly global::TimeWarp.Nuru.CompiledRoute __Route_CleanCommand = new global::TimeWarp.Nuru.CompiledRouteBuilder()
     .WithLiteral("clean")