Skip to content

Use NuGet Trusted Publishing#266

Merged
martincostello merged 2 commits intomainfrom
nuget-trusted-publishing
Sep 24, 2025
Merged

Use NuGet Trusted Publishing#266
martincostello merged 2 commits intomainfrom
nuget-trusted-publishing

Conversation

@martincostello
Copy link
Copy Markdown
Member

@martincostello martincostello commented Sep 11, 2025
edited
Loading

Changes

Switch to using GitHub OIDC for pushing packages to NuGet.org with Trusted Publishing.

Resolves #264.

TODO

  • Wait for Trusted Publishing to be available for our NuGet packages
  • Create Trusted Publishing policy in NuGet.org
  • Add nuget:user secret to Vault

Merge requirement checklist

  • Unit tests added/updated
  • CHANGELOG.md updated
  • Changes in public API reviewed (if applicable)

@martincostello
Use NuGet Trusted Publishing
f31b488 
Switch to using GitHub OIDC for pushing packages to NuGet.org with Trusted Publishing.

Resolves #264.
martincostello
martincostello commented Sep 18, 2025
View reviewed changes
Comment thread .github/workflows/ci.yml Outdated
@martincostello
Update action
7ee6603 
Update NuGet/login action to v1.1.0.
Copilot AI review requested due to automatic review settings September 18, 2025 09:27
Copilot AI reviewed Sep 18, 2025
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR switches the NuGet package publishing workflow from using API tokens to GitHub OIDC with Trusted Publishing, which provides better security by eliminating the need to store long-lived API keys.

  • Replaces vault secret retrieval from nuget:token to nuget:user
  • Introduces the NuGet/login action to authenticate using OIDC
  • Updates the environment variable source for the API key to use the output from the NuGet login action

@martincostello martincostello marked this pull request as ready for review September 23, 2025 08:24
@martincostello martincostello requested a review from a team as a code owner September 23, 2025 08:24
@martincostello martincostello enabled auto-merge (squash) September 23, 2025 08:25
@martincostello martincostello mentioned this pull request Sep 23, 2025
Open
@martincostello martincostello merged commit 32b8893 into main Sep 24, 2025
20 checks passed
@martincostello martincostello deleted the nuget-trusted-publishing branch September 24, 2025 13:28
This was referenced Jan 9, 2026
Merged
Merged
@dependabot dependabot Bot mentioned this pull request Feb 20, 2026
Open
@dependabot dependabot Bot mentioned this pull request May 4, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@matt-hensley matt-hensley matt-hensley approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Switch to NuGet trusted publishing

3 participants

@martincostello @matt-hensley