CI: publish to nuget.org via Trusted Publishing (OIDC)

Replace the long-lived NUGET_DEPLOY_KEY with NuGet Trusted Publishing: the
project-build action now runs NuGet/login@v1 to exchange the GitHub OIDC token
for a short-lived nuget.org key right before the release push. Each publishing
workflow gets `id-token: write` and passes `nuget_user: ${{ secrets.NUGET_USER }}`.

Requires: a NUGET_USER secret (nuget.org profile name) and one Trusted Publishing
policy per package on nuget.org (Workflow File = the matching BitMono.<Pkg>.yaml).
The GitHub Packages nightly push still uses GITHUB_TOKEN.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Author: sunnamed434

.github/actions/project-build/action.yaml

@@ -19,8 +19,8 @@ inputs:
     description: 'Push to NuGet on release?'
     required: false
     default: false
-  nuget_key:
-    description: 'NuGet deploy key'
+  nuget_user:
+    description: 'nuget.org username (profile name) for Trusted Publishing via OIDC'
     required: false
   github_token:
     description: 'GitHub token'
@@ -103,9 +103,18 @@ runs:
         fi
       shell: bash
 
+    # Trusted Publishing (OIDC): exchange the GitHub token for a short-lived nuget.org API key,
+    # right before the push (the key expires in ~1h). Only on non-prerelease tags.
+    # Requires `id-token: write` on the calling workflow and a Trusted Publishing policy on nuget.org.
+    - name: NuGet login (OIDC -> temp key)
+      id: nuget-login
+      if: ${{ inputs.nuget_push == 'true' && github.event_name == 'create' && github.event.ref_type == 'tag' && steps.check-prerelease.outputs.is_prerelease == 'false' }}
+      uses: NuGet/login@v1
+      with:
+        user: ${{ inputs.nuget_user }}
+
     # Push to NuGet on each tag, but only if not a pre-release version (Release)
     - name: Push to NuGet (Release)
-      run: if ${{ inputs.nuget_push == 'true' && github.event_name == 'create' && github.event.ref_type == 'tag' && steps.check-prerelease.outputs.is_prerelease == 'false' }}; then
-        dotnet nuget push ${{ inputs.project_path }}/bin/Release/*.nupkg --api-key ${{ inputs.nuget_key }} --skip-duplicate --source https://api.nuget.org/v3/index.json;
-        fi
+      if: ${{ inputs.nuget_push == 'true' && github.event_name == 'create' && github.event.ref_type == 'tag' && steps.check-prerelease.outputs.is_prerelease == 'false' }}
+      run: dotnet nuget push ${{ inputs.project_path }}/bin/Release/*.nupkg --api-key ${{ steps.nuget-login.outputs.NUGET_API_KEY }} --skip-duplicate --source https://api.nuget.org/v3/index.json
       shell: bash

.github/workflows/BitMono.API.yaml

@@ -24,6 +24,7 @@ jobs:
     permissions:
       contents: read
       packages: write
+      id-token: write   # OIDC for NuGet Trusted Publishing
 
     steps:
     - uses: actions/checkout@v6
@@ -40,5 +41,5 @@ jobs:
       with:
         project_path: src/BitMono.API
         github_token: ${{ secrets.GITHUB_TOKEN }}
-        nuget_key: ${{ secrets.NUGET_DEPLOY_KEY }}
+        nuget_user: ${{ secrets.NUGET_USER }}
         nuget_push: true

.github/workflows/BitMono.Core.yaml

@@ -24,6 +24,7 @@ jobs:
     permissions:
       contents: read
       packages: write
+      id-token: write   # OIDC for NuGet Trusted Publishing
 
     steps:
     - uses: actions/checkout@v6
@@ -40,6 +41,6 @@ jobs:
       with:
         project_path: src/BitMono.Core
         github_token: ${{ secrets.GITHUB_TOKEN }}
-        nuget_key: ${{ secrets.NUGET_DEPLOY_KEY }}
+        nuget_user: ${{ secrets.NUGET_USER }}
         nuget_push: true
 

.github/workflows/BitMono.GlobalTool.yaml

@@ -24,6 +24,7 @@ jobs:
     permissions:
       contents: read
       packages: write
+      id-token: write   # OIDC for NuGet Trusted Publishing
 
     steps:
     - uses: actions/checkout@v6
@@ -40,7 +41,7 @@ jobs:
       with:
         project_path: src/BitMono.GlobalTool
         github_token: ${{ secrets.GITHUB_TOKEN }}
-        nuget_key: ${{ secrets.NUGET_DEPLOY_KEY }}
+        nuget_user: ${{ secrets.NUGET_USER }}
         nuget_push: true
         use_runtime: false  # Because this is a dotnet tool.
 

.github/workflows/BitMono.Host.yaml

@@ -24,6 +24,7 @@ jobs:
     permissions:
       contents: read
       packages: write
+      id-token: write   # OIDC for NuGet Trusted Publishing
 
     steps:
     - uses: actions/checkout@v6
@@ -40,5 +41,5 @@ jobs:
       with:
         project_path: src/BitMono.Host
         github_token: ${{ secrets.GITHUB_TOKEN }}
-        nuget_key: ${{ secrets.NUGET_DEPLOY_KEY }}
+        nuget_user: ${{ secrets.NUGET_USER }}
         nuget_push: true

.github/workflows/BitMono.Integration.yaml

@@ -26,6 +26,7 @@ jobs:
     permissions:
       contents: read     # checkout
       packages: write    # dotnet nuget push -> nuget.pkg.github.com/sunnamed434
+      id-token: write   # OIDC for NuGet Trusted Publishing
 
     steps:
     - uses: actions/checkout@v6
@@ -56,6 +57,6 @@ jobs:
         project_path: src/BitMono.Integration
         target_framework: net8.0
         github_token: ${{ secrets.GITHUB_TOKEN }}
-        nuget_key: ${{ secrets.NUGET_DEPLOY_KEY }}
+        nuget_user: ${{ secrets.NUGET_USER }}
         nuget_push: true
         use_runtime: false  # build-tools / dev package, no RID

.github/workflows/BitMono.Obfuscation.yaml

@@ -24,6 +24,7 @@ jobs:
     permissions:
       contents: read
       packages: write
+      id-token: write   # OIDC for NuGet Trusted Publishing
 
     steps:
     - uses: actions/checkout@v6
@@ -40,5 +41,5 @@ jobs:
       with:
         project_path: src/BitMono.Obfuscation
         github_token: ${{ secrets.GITHUB_TOKEN }}
-        nuget_key: ${{ secrets.NUGET_DEPLOY_KEY }}
+        nuget_user: ${{ secrets.NUGET_USER }}
         nuget_push: true

.github/workflows/BitMono.Protections.yaml

@@ -24,6 +24,7 @@ jobs:
     permissions:
       contents: read
       packages: write
+      id-token: write   # OIDC for NuGet Trusted Publishing
 
     steps:
     - uses: actions/checkout@v6
@@ -40,5 +41,5 @@ jobs:
       with:
         project_path: src/BitMono.Protections
         github_token: ${{ secrets.GITHUB_TOKEN }}
-        nuget_key: ${{ secrets.NUGET_DEPLOY_KEY }}
+        nuget_user: ${{ secrets.NUGET_USER }}
         nuget_push: true

.github/workflows/BitMono.Runtime.yaml

@@ -24,6 +24,7 @@ jobs:
     permissions:
       contents: read
       packages: write
+      id-token: write   # OIDC for NuGet Trusted Publishing
 
     steps:
     - uses: actions/checkout@v6
@@ -40,5 +41,5 @@ jobs:
       with:
         project_path: src/BitMono.Runtime
         github_token: ${{ secrets.GITHUB_TOKEN }}
-        nuget_key: ${{ secrets.NUGET_DEPLOY_KEY }}
+        nuget_user: ${{ secrets.NUGET_USER }}
         nuget_push: true

.github/workflows/BitMono.Shared.yaml

@@ -24,6 +24,7 @@ jobs:
     permissions:
       contents: read
       packages: write
+      id-token: write   # OIDC for NuGet Trusted Publishing
 
     steps:
     - uses: actions/checkout@v6
@@ -40,5 +41,5 @@ jobs:
       with:
         project_path: src/BitMono.Shared
         github_token: ${{ secrets.GITHUB_TOKEN }}
-        nuget_key: ${{ secrets.NUGET_DEPLOY_KEY }}
+        nuget_user: ${{ secrets.NUGET_USER }}
         nuget_push: true