Skip to content

feat(actions): add nuget trusted publishing #1277

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
AArnott merged 2 commits into from
Sep 27, 2025
Merged

feat(actions): add nuget trusted publishing #1277

AArnott merged 2 commits into from
Sep 27, 2025
+8 −8

Conversation

@micheloliveira-com
Copy link
Contributor

@micheloliveira-com micheloliveira-com commented Sep 26, 2025

Motivation

As described in the official announcement, the new Trusted Publishing feature greatly enhances package publishing security on NuGet.org.

We successfully tested this approach with our own NuGet library:

Required changes in this repository

Recommendation followed from announcement:
For security, always use a GitHub secret like ${{ secrets.NUGET_USER }} for your NuGet.org username (profile name), not your email address.

  • Add secrets.NUGET_USER to this repository, using the NuGet.org username (profile name) of the package owner (Nerdbank in this case).
  • The old secrets.NUGET_API_KEY secret can be removed from this repository and also from the NuGet.org account if it was only used here.

One-time configuration on NuGet.org

According to the documentation:

  1. Sign in to NuGet.org.
  2. Open your user menu (top-right) → Trusted Publishing (next to “API Keys”).
  3. Create a policy:
    • Package owner: you or your organization (e.g. Nerdbank).
    • Repository owner: your GitHub org/user (e.g. dotnet).
    • Repository name: repository name (e.g. Nerdbank.GitVersioning).
    • Workflow file: the YAML file under .github/workflows/ (e.g. release.yml).
    • Environment (optional): specify if your workflow uses GitHub Actions environments.

This setup eliminates the need for long-lived API keys and improves the overall security of the publishing process.

@micheloliveira-com
Copy link
Contributor Author

micheloliveira-com commented Sep 26, 2025

Note: I think leaving NuGet/login without a SHA hash is fine since it's an official Microsoft action.

  • Forcing a SHA might break in future core NuGet changes...

@AArnott
Copy link
Collaborator

AArnott commented Sep 27, 2025

I think leaving NuGet/login without a SHA hash is fine since it's an official Microsoft action

If you know how to configure renovate to share that policy, I'd welcome that. :)
I expect it's possible... but I'm not sure it's worth the time to figure it out.

AArnott
AArnott approved these changes Sep 27, 2025
View reviewed changes
Copy link
Collaborator

@AArnott AArnott left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@AArnott AArnott enabled auto-merge September 27, 2025 14:48
@AArnott AArnott added this pull request to the merge queue Sep 27, 2025
Merged via the queue into dotnet:main with commit 0454778 Sep 27, 2025
12 checks passed
This was referenced Nov 5, 2025
Merged
Merged
Closed
Merged
Merged
Merged
Open
Merged
Merged
Merged
Merged
Merged
Open
Merged
Open
Merged
Merged
Merged
Merged
Merged
Merged
This was referenced Nov 24, 2025
Closed
Closed
Merged
Closed
Closed
Merged
Closed
Closed
Closed
Closed
Closed
Closed
Merged
Open
Open
Closed
Merged
This was referenced Dec 1, 2025
Closed
Closed
Open
Open
Open
Closed
Closed
Closed
Closed
Closed
Open
Open
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@AArnott AArnott AArnott approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@micheloliveira-com @AArnott