
@Copilot Copilot AI commented Oct 7, 2025

Overview

This PR migrates the NuGet package publishing workflow from API key-based authentication to Trusted Publishing, following Microsoft's recommended security best practices for NuGet.org.

Problem

The current release workflow uses long-lived API keys stored as GitHub secrets (NUGET_KEY) to publish NuGet packages. This approach has several security and operational concerns:

  • Security Risk: Long-lived API keys can be leaked or compromised
  • Manual Management: Keys require periodic rotation and manual updates
  • Operational Overhead: Key expiration requires intervention to prevent publishing failures
  • Limited Auditability: Harder to track and audit publishing operations

Solution

Replaced the manual dotnet nuget push command with the azure/publish-nuget@v1 action that leverages OpenID Connect (OIDC) tokens for authentication. This implementation:

Changes Made

  1. Added OIDC Permissions to the CLI job:

    permissions:
      id-token: write    # Required for OIDC token generation
      contents: read     # Required for repository access
  2. Replaced Publishing Step:

    • Before: dotnet nuget push **/*.nupkg --api-key ${{ secrets.NUGET_KEY }} --source ${{ env.NUGET_REPO_URL }}
    • After: azure/publish-nuget@v1 action with package path configuration
  3. Removed Unused Variables: Cleaned up NUGET_REPO_URL environment variable (no longer needed)

  4. Added Documentation: Comprehensive comments in the workflow explaining Trusted Publishing setup requirements

How It Works

  1. GitHub Actions generates a signed OIDC token scoped to this specific workflow
  2. The azure/publish-nuget action sends the token to NuGet.org
  3. NuGet.org validates the token against the configured Trusted Publishing policy
  4. A temporary, short-lived API key is issued for the publishing operation
  5. The package is published and the temporary credential expires immediately

Security Benefits

No Long-Lived Secrets: Eliminates the need to store API keys as repository secrets
Short-Lived Credentials: OIDC tokens expire automatically after use
Scoped Access: Publishing credentials are tied to specific workflow and repository
Automatic Rotation: No manual credential management required
Better Compliance: Aligns with Microsoft and NuGet.org security recommendations
Improved Auditability: Enhanced tracking of publishing operations

Required Setup (One-Time)

After merging this PR, the repository owner needs to configure Trusted Publishing on nuget.org:

  1. Log into nuget.org
  2. Navigate to Account Settings → Trusted Publishing
  3. Add a new trusted publishing policy with:
    • Repository owner: christianhelle
    • Repository name: apiclientcodegen
    • Workflow: release.yml

Once configured, the workflow will automatically obtain secure, short-lived credentials without requiring the NUGET_KEY secret.

Validation

  • ✅ YAML syntax validated
  • ✅ Workflow structure verified programmatically
  • ✅ OIDC permissions correctly configured
  • ✅ No API key references remaining in publishing steps
  • ✅ Publishing still conditional on master and release branches
  • continue-on-error: true preserved for graceful failure handling

References

Fixes #<issue_number>

Original prompt

This section details the original issue you should resolve

<issue_title>Migrate NuGet publishing in release workflows to Trusted Publishing</issue_title>
<issue_description>Is your feature request related to a problem? Please describe.
Currently, NuGet package publishing in the release workflows relies on API keys, which is less secure and requires manual management of credentials.

Describe the solution you'd like
Update the release workflows to use Trusted Publishing for NuGet.org, eliminating the need to manage API keys and improving security and maintainability.

Describe alternatives you've considered

  • Continue using API keys (not recommended due to security and operational overhead)
  • Explore other credential management solutions

Additional context
See documentation: https://learn.microsoft.com/en-us/nuget/nuget-org/trusted-publishing

This migration will help align publishing workflows with best practices recommended by NuGet.org and Microsoft.</issue_description>

Comments on the Issue (you are @copilot in this section)

Fixes #1357
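As an added example (not code from the PR or the apiclientcodegen repository), a small dependency-free Python audit that flags the long-lived `--api-key ${{ secrets.* }}` pattern the PR removes and confirms the `id-token: write` permission and `azure/publish-nuget@v1` step it adds. The two workflow snippets are constructed to mirror the PR's Before/After bullets, and the action's inputs are omitted because the page does not list them.

```python
import re

# Long-lived credential: dotnet nuget push fed an API key from a repo secret.
API_KEY_SECRET = re.compile(r"--api-key\s+\$\{\{\s*secrets\.(\w+)\s*\}\}")
# OIDC prerequisite: the job (or workflow) must grant id-token: write.
ID_TOKEN_WRITE = re.compile(r"^\s*id-token:\s*write\b", re.MULTILINE)
# Publishing step that exchanges the OIDC token for a short-lived key.
TRUSTED_ACTION = re.compile(r"^\s*-?\s*uses:\s*azure/publish-nuget@", re.MULTILINE)


def audit_workflow(text):
    """Return findings for one workflow file; 'ok' means no long-lived key,
    the OIDC permission is granted and the trusted-publishing action is used."""
    secrets = sorted(set(API_KEY_SECRET.findall(text)))
    findings = {
        "long_lived_api_key_secrets": secrets,
        "id_token_write": bool(ID_TOKEN_WRITE.search(text)),
        "trusted_publishing_action": bool(TRUSTED_ACTION.search(text)),
    }
    findings["ok"] = (not secrets and findings["id_token_write"]
                      and findings["trusted_publishing_action"])
    return findings


# Constructed snippet mirroring the PR's "Before" step (not the real release.yml).
BEFORE = """\
jobs:
  cli:
    runs-on: ubuntu-latest
    env:
      NUGET_REPO_URL: https://api.nuget.org/v3/index.json
    steps:
      - run: dotnet nuget push **/*.nupkg --api-key ${{ secrets.NUGET_KEY }} --source ${{ env.NUGET_REPO_URL }}
"""

# Constructed snippet mirroring the PR's "After" step; action inputs omitted.
AFTER = """\
jobs:
  cli:
    runs-on: ubuntu-latest
    permissions:
      id-token: write    # required for the OIDC token
      contents: read
    steps:
      - uses: azure/publish-nuget@v1
"""

if __name__ == "__main__":
    for name, workflow in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_workflow(workflow))
```

Run it as a pre-merge check over `.github/workflows/*.yml` to catch any publishing step that still references a secret API key.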


coderabbitai bot commented Oct 7, 2025

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Note

Free review on us!

CodeRabbit is offering free reviews until Wed Oct 08 2025 to showcase some of the refinements we've made.

Comment @coderabbitai help to get the list of available commands and usage tips.

@Copilot Copilot AI changed the title from "[WIP] Migrate NuGet publishing to Trusted Publishing for security" to "Migrate NuGet publishing to Trusted Publishing for enhanced security" on Oct 7, 2025
@Copilot Copilot AI requested a review from christianhelle October 7, 2025 20:28
Copilot finished work on behalf of christianhelle October 7, 2025 20:28

sonarqubecloud bot commented Oct 7, 2025
