ci(csharp): use NuGet Trusted Publishing (OIDC) instead of API key#41
Open
mikemilla wants to merge 1 commit into
Open
ci(csharp): use NuGet Trusted Publishing (OIDC) instead of API key#41mikemilla wants to merge 1 commit into
mikemilla wants to merge 1 commit into
Conversation
Switch the publish-nuget workflow to NuGet Trusted Publishing so we no longer rely on a long-lived NUGET_API_KEY secret. The job now requests a GitHub OIDC token (id-token: write) and exchanges it for a short-lived nuget.org API key via the NuGet/login action. Requires a one-time Trusted Publishing policy on nuget.org and a NUGET_USER repo secret (nuget.org profile name). See the comment block at the top of the workflow. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Switches
.github/workflows/publish-nuget.ymlfrom a long-livedNUGET_API_KEYsecret to NuGet Trusted Publishing (OIDC), per the Microsoft docs.The publish job now:
permissions: id-token: write),NuGet/login(pinned tov1.2.0SHA), andNo more long-lived publishing secret to store or rotate.
Required setup before this is merged/used
These cannot be done from a PR — they're account/repo settings:
TryCourierpackage:trycouriercourier-csharppublish-nuget.yml(file name only, no path)NUGET_USERrepo secret = the nuget.org account username/profile name (not an email) associated with the policy.Once both are set, the next release-triggered (or manual
workflow_dispatch) run publishes via OIDC.courier-csharpis a public repo, so the policy activates on first successful publish (the 7-day "pending full activation" window in the docs applies to private repos).Rollback
Revert this PR to return to the
NUGET_API_KEYsecret-based flow.This workflow file is generated by Stainless (it was added in
feat(csharp): enable NuGet publishing as TryCourier). Stainless's config only exposespublish.nuget: true(a boolean) with no OIDC/trusted-publishing option, so this change lives in the production repo. A regeneration could overwrite it — we should confirm Stainless preserves this, or request first-class trusted-publishing support so the change isn't reverted on the next codegen run.🤖 Generated with Claude Code