Skip to content

Update to use NuGet trusted publishing #40

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
baronfel merged 4 commits into from
Oct 13, 2025
Merged

Update to use NuGet trusted publishing #40

baronfel merged 4 commits into from
Oct 13, 2025

Conversation

Copy link
Contributor

Copilot AI commented Oct 13, 2025
edited
Loading

  • Update .github/workflows/publish.yml to use NuGet trusted publishing
    • Add permissions block with id-token: write and contents: write
    • Add NuGet login step using NuGet/login@v1
    • Update push step to use API key from login output
    • Remove dependency on secrets.NUGET_KEY
  • Verify the workflow changes are minimal and correct
  • Revert unintended changes to src/packages.lock.json

Summary

Updated the publish.yml workflow to use NuGet trusted publishing following the same approach used in FsAutoComplete. The changes include:

  1. Added permissions block at the top level to enable OIDC token generation:

    • id-token: write - Required for NuGet trusted publishing
    • contents: write - Required to create releases

  2. Added NuGet login step that uses NuGet/login@v1 action:

    • Gets a short-lived API key from NuGet using OIDC authentication
    • Requires secrets.NUGET_USER to be configured

  3. Updated push step to use the API key from the login step output:

    • Changed from ${{ secrets.NUGET_KEY }} to ${{steps.login.outputs.NUGET_API_KEY}}
    • This eliminates the need for long-lived API keys stored in GitHub secrets

These minimal changes enable secure, short-lived authentication with NuGet using OIDC federation, improving security by removing the need for permanent API keys.

Original prompt

This section details on the original issue you should resolve

<issue_title>Update to use NuGet trusted publishing</issue_title>
<issue_description>Is your feature request related to a problem? Please describe.

NuGet has a new mechanism for getting short-lived API keys for publishing. I've set up one for this repo, and we should onboard to using it in publish.yml like we've done in FSAC.
</issue_description>

Comments on the Issue (you are @copilot in this section)

Fixes #39

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

Copilot AI changed the title [WIP] Update to use NuGet trusted publishing key Update to use NuGet trusted publishing Oct 13, 2025
Copilot AI requested a review from baronfel October 13, 2025 14:44
baronfel
baronfel requested changes Oct 13, 2025
View reviewed changes
Copilot AI requested a review from baronfel October 13, 2025 15:12
@baronfel baronfel marked this pull request as ready for review October 13, 2025 16:02
@baronfel baronfel merged commit 746bf32 into main Oct 13, 2025
2 checks passed
@baronfel baronfel deleted the copilot/update-nuget-publishing branch October 13, 2025 16:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@TheAngryByrd TheAngryByrd TheAngryByrd approved these changes

+1 more reviewer

@baronfel baronfel baronfel approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@baronfel baronfel

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Update to use NuGet trusted publishing

3 participants

@baronfel @TheAngryByrd