chore(ci): adopt NuGet trusted publishing (OIDC) for releases #11
Merged
Replaces the long-lived NUGET_KEY repo secret with NuGet trusted publishing per the netclaw-dev/skill-server pattern and Microsoft's guidance: https://learn.microsoft.com/en-us/nuget/nuget-org/trusted-publishing

Workflow changes (.github/workflows/publish_nuget.yml):
- permissions.id-token: write (required for OIDC token issuance)
- environment: nuget on the publish-nuget job (links to the GitHub environment that backs the trusted publisher policy on nuget.org)
- New step: NuGet/login@v1 with user: ${{ secrets.NUGET_USER }} — exchanges the OIDC token for a short-lived NuGet API key
- dotnet nuget push uses ${{ steps.nuget-login.outputs.NUGET_API_KEY }} instead of ${{ secrets.NUGET_KEY }}
- Now also pushes .snupkg (symbol package) and uploads it to the GitHub release alongside the .nupkg

TOOLING.md updates:
- "NuGet" section mentions the trusted-publishing flow
- New subsection "NuGet trusted publishing" documents the one-time nuget.org policy + GitHub environment setup the package owner must complete before the next release can succeed

One-time setup required before next tag push:
- nuget.org → Account → Trusted Publisher Policies → add policy for GitHub Actions / Aaronontheweb / ShellSyntaxTree / publish_nuget.yml / environment "nuget"
- Repo Settings → Environments → create "nuget" environment
- Repo Settings → Secrets → set NUGET_USER (nuget.org username); legacy NUGET_KEY can be deleted once verified

The workflow file is the single source of truth; if the trusted publisher policy isn't configured at tag time, the publish step fails with a clear "OIDC token rejected" error and no package is pushed (safer fail-mode than the legacy long-lived API key).
Summary
Replaces the long-lived `NUGET_KEY` repo secret with NuGet trusted publishing (OIDC). Pattern lifted from `netclaw-dev/skill-server`'s release workflow and matches Microsoft's guidance.

Workflow changes (`.github/workflows/publish_nuget.yml`)
- `permissions: id-token: write` — required for OIDC token issuance to the workflow
- `environment: nuget` on the `publish-nuget` job — links to a GitHub environment that pairs with the trusted publisher policy on nuget.org
- `NuGet/login@v1` with `user: ${{ secrets.NUGET_USER }}` — exchanges the OIDC token for a short-lived NuGet API key
- `dotnet nuget push` uses `${{ steps.nuget-login.outputs.NUGET_API_KEY }}` instead of `${{ secrets.NUGET_KEY }}`
- Now also pushes the `.snupkg` (symbol package) and attaches it to the GitHub release alongside the `.nupkg`

This PR doesn't configure the nuget.org policy or the GitHub environment — those are out-of-band manual steps the package owner must complete. Until they're in place, the next `v..` tag push will fail at the `NuGet login (OIDC)` step.

On nuget.org
- Add a trusted publisher policy for GitHub Actions: `Aaronontheweb` / `ShellSyntaxTree` / `publish_nuget.yml` / environment `nuget` (see `NUGET_USER` below)
- `ShellSyntaxTree*` (scopes the policy to this package family)

On the repo
- Settings → Environments → create `nuget`. Optional: restrict deployment to tags matching `v*.*.*`.
- Settings → Secrets → set `NUGET_USER` (your nuget.org account username — NOT an API key). The legacy `NUGET_KEY` secret can be deleted once trusted publishing is verified working.

TOOLING.md
Updated the "NuGet" section to describe the new flow plus a new "NuGet trusted publishing" subsection documenting the one-time setup so future contributors find the instructions in the repo.
Verification
- … `nuget` environment are in place
- `id-token: write` permission only takes effect on tag-push runs, so this PR's own `pr_validation.yml` run won't exercise it (`pr_validation.yml` is unchanged)

Test plan
- Test-ubuntu-latest
- Test-windows-latest

Next

After this PR merges and the one-time nuget.org + repo-environment setup is done, push the `v0.1.0-alpha` tag (deliberately deferred at PR 7). `publish_nuget.yml` will use the OIDC flow to publish.
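The publish job shape this PR describes, written out as an added example. This is not the repository's actual `publish_nuget.yml`: the `id-token: write` permission, the `nuget` environment, the `NuGet/login@v1` input and `NUGET_API_KEY` output, and the `NUGET_USER` / `NUGET_KEY` secret names come from the PR text, while the tag trigger, `contents: write`, the `dotnet pack` step, the `./artifacts` path and the step names are assumptions.

```yaml
# Added example, not the project's publish_nuget.yml. Tag pattern, artifact
# path, pack step and step names are assumptions; the OIDC pieces follow the PR.
name: publish-nuget

on:
  push:
    tags:
      - "v*.*.*"          # assumed: release tags only

# Declaring a permissions block drops every unlisted scope to "none".
permissions:
  contents: write         # assumed: needed to attach .nupkg/.snupkg to the GitHub release
  id-token: write         # lets the job request a GitHub OIDC token for the NuGet exchange

jobs:
  publish-nuget:
    runs-on: ubuntu-latest
    # Binds the job to the GitHub environment named in the nuget.org trusted
    # publisher policy. A token minted by a run outside this environment (or
    # from a different workflow file or repo) does not match the policy and is rejected.
    environment: nuget
    steps:
      - uses: actions/checkout@v4

      - name: Pack
        run: dotnet pack -c Release -o ./artifacts   # assumed project layout

      # Exchanges the run's OIDC token for a short-lived NuGet API key.
      # Nothing long-lived is stored in the repo: NUGET_USER is only the
      # nuget.org account name, not a credential.
      - name: NuGet login (OIDC)
        id: nuget-login
        uses: NuGet/login@v1
        with:
          user: ${{ secrets.NUGET_USER }}

      # Legacy form this replaces, kept here as a comment for contrast:
      #   --api-key ${{ secrets.NUGET_KEY }}
      # If the policy is missing at tag time, the login step above fails and
      # this step never runs, so no package is pushed.
      - name: Push package and symbols
        run: |
          dotnet nuget push ./artifacts/*.nupkg \
            --api-key ${{ steps.nuget-login.outputs.NUGET_API_KEY }} \
            --source https://api.nuget.org/v3/index.json \
            --skip-duplicate
          dotnet nuget push ./artifacts/*.snupkg \
            --api-key ${{ steps.nuget-login.outputs.NUGET_API_KEY }} \
            --source https://api.nuget.org/v3/index.json \
            --skip-duplicate
```

The security property is in the pairing of `environment: nuget` with the nuget.org policy: the short-lived key is only issued to a run whose OIDC claims (repo, workflow file, environment) match what the package owner registered, so a leaked repo secret no longer equals publish rights, and rotating the legacy `NUGET_KEY` becomes a non-event.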