Switch publish workflow to NuGet trusted publishing (OIDC) #91

Merged: jaredpar merged 1 commit into main from jaredpar/nuget-trusted-publishing on Jun 18, 2026

@jaredpar

Owner

Replaces the long-lived NUGET_API_KEY secret with OIDC-based trusted publishing via NuGet/login@v1. This eliminates the need to rotate or manage API keys -- the workflow exchanges a short-lived GitHub OIDC token for a scoped NuGet credential at publish time.

Changes:

  • Added id-token: write permission (required for OIDC token exchange)
  • Added contents: write permission (explicit, since setting permissions overrides defaults and the release step needs it)
  • Added NuGet/login@v1 step before push
  • Removed -k ${{ secrets.NUGET_API_KEY }} from the push command
  • Added --skip-duplicate to avoid failures on re-runs

After merging: once the first publish succeeds, the NUGET_API_KEY repo secret can be safely deleted.

Replace secrets.NUGET_API_KEY with NuGet/login@v1 OIDC-based authentication.
- Add id-token: write permission for OIDC token exchange
- Add NuGet/login@v1 step before push
- Remove API key from push command
- Add --skip-duplicate to push

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@jaredpar jaredpar merged commit 21f5f5e into main Jun 18, 2026
1 check passed
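
A check for the conditions listed in the description above, written as an added example; it is not part of this pull request or the repository. The two workflow fragments are constructed samples, and the `NUGET_USER` secret name and the `steps.login.outputs.NUGET_API_KEY` reference in the second fragment are assumptions about how the login step is wired, not lines taken from the PR.

```python
import re

# Constructed, trimmed workflow fragments (not this repository's actual file).
BEFORE = """\
jobs:
  publish:
    steps:
      - run: dotnet nuget push out/*.nupkg -s https://api.nuget.org/v3/index.json -k ${{ secrets.NUGET_API_KEY }}
"""
AFTER = """\
permissions:
  id-token: write   # lets the job request a GitHub OIDC token
  contents: write   # explicit, because a permissions block replaces the defaults
jobs:
  publish:
    steps:
      - uses: NuGet/login@v1
        id: login
        with:
          user: ${{ secrets.NUGET_USER }}   # assumed secret name
      - run: dotnet nuget push out/*.nupkg -s https://api.nuget.org/v3/index.json -k ${{ steps.login.outputs.NUGET_API_KEY }} --skip-duplicate
"""

def audit_publish_workflow(text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    lines = [l.split(" #")[0].rstrip() for l in text.splitlines()]  # drop trailing comments
    def first(pattern):
        # Index of the first line matching pattern, or None.
        return next((i for i, l in enumerate(lines) if re.search(pattern, l)), None)
    if first(r"^\s*id-token:\s*write$") is None:
        findings.append("missing permission id-token: write")
    if first(r"^\s*contents:\s*write$") is None:
        findings.append("missing explicit permission contents: write")
    if first(r"secrets\.NUGET_API_KEY\b") is not None:
        findings.append("long-lived secrets.NUGET_API_KEY still referenced")
    login, push = first(r"uses:\s*NuGet/login@v1\b"), first(r"\bnuget push\b")
    if push is None:
        findings.append("no nuget push step found")
    else:
        if login is None or login > push:
            findings.append("NuGet/login@v1 step does not precede push")
        if "--skip-duplicate" not in lines[push]:
            findings.append("push lacks --skip-duplicate")
    return findings

if __name__ == "__main__":
    for name, wf in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_publish_workflow(wf) or "OK")
```

The check is line-based and assumes a single publish job per file; run it before deleting the old repo secret so a leftover reference fails the audit rather than the publish.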