ci(nuget): use Trusted Publishing auth (#1035)

dion-gionet · web-flow · commit bfb0cae2f859 · 2025-11-18T01:24:12.000-05:00
Issue: DEVOPS-3949
diff --git a/.github/workflows/nuget-publish.yml b/.github/workflows/nuget-publish.yml
@@ -353,6 +353,8 @@ jobs:
     if: ${{ needs.preflight.outputs.dry-run == 'false' }}
     needs: [preflight, build-managed]
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
 
     steps:
       - name: Download NuGet package artifact
@@ -361,6 +363,12 @@ jobs:
           name: ironrdp-nupkg
           path: package
 
+      - name: NuGet login (OIDC)
+        uses: NuGet/login@v1
+        id: nuget-login
+        with:
+          user: ${{ secrets.NUGET_BOT_USERNAME }}
+
       - name: Publish to nuget.org
         run: |
           $Files = Get-ChildItem -Recurse package/*.nupkg
@@ -372,7 +380,7 @@ jobs:
               'push',
               "$File",
               '--api-key',
-              '${{ secrets.NUGET_API_KEY }}',
+              '${{ steps.nuget-login.outputs.NUGET_API_KEY }}',
               '--source',
               'https://api.nuget.org/v3/index.json',
               '--skip-duplicate'
