Skip to content

ci(csharp): use NuGet Trusted Publishing (OIDC) instead of API key#41

Open
mikemilla wants to merge 1 commit into
mainfrom
mike/nuget-trusted-publishing
Open

ci(csharp): use NuGet Trusted Publishing (OIDC) instead of API key#41
mikemilla wants to merge 1 commit into
mainfrom
mike/nuget-trusted-publishing

Conversation

@mikemilla

Copy link
Copy Markdown
Contributor

What

Switches .github/workflows/publish-nuget.yml from a long-lived NUGET_API_KEY secret to NuGet Trusted Publishing (OIDC), per the Microsoft docs.

The publish job now:

  • requests a GitHub-signed OIDC token (permissions: id-token: write),
  • exchanges it for a short-lived (1h) nuget.org API key via NuGet/login (pinned to v1.2.0 SHA), and
  • pushes with that ephemeral key.

No more long-lived publishing secret to store or rotate.

Required setup before this is merged/used

These cannot be done from a PR — they're account/repo settings:

  1. Create the Trusted Publishing policy on nuget.org (username menu → Trusted Publishing), owned by the org/user that owns the TryCourier package:
    • Repository Owner: trycourier
    • Repository: courier-csharp
    • Workflow File: publish-nuget.yml (file name only, no path)
    • Environment: (leave empty)
  2. Add a NUGET_USER repo secret = the nuget.org account username/profile name (not an email) associated with the policy.

Once both are set, the next release-triggered (or manual workflow_dispatch) run publishes via OIDC. courier-csharp is a public repo, so the policy activates on first successful publish (the 7-day "pending full activation" window in the docs applies to private repos).

Rollback

Revert this PR to return to the NUGET_API_KEY secret-based flow.

⚠️ Note on Stainless codegen

This workflow file is generated by Stainless (it was added in feat(csharp): enable NuGet publishing as TryCourier). Stainless's config only exposes publish.nuget: true (a boolean) with no OIDC/trusted-publishing option, so this change lives in the production repo. A regeneration could overwrite it — we should confirm Stainless preserves this, or request first-class trusted-publishing support so the change isn't reverted on the next codegen run.

🤖 Generated with Claude Code

Switch the publish-nuget workflow to NuGet Trusted Publishing so we no
longer rely on a long-lived NUGET_API_KEY secret. The job now requests a
GitHub OIDC token (id-token: write) and exchanges it for a short-lived
nuget.org API key via the NuGet/login action.

Requires a one-time Trusted Publishing policy on nuget.org and a
NUGET_USER repo secret (nuget.org profile name). See the comment block
at the top of the workflow.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

1 participant