@@ -423,7 +423,11 @@ jobs:
423423 group : release-tag-${{ needs.resolve-version.outputs.tag }}
424424 cancel-in-progress : false
425425 env :
426- HAS_NUGET_KEY : ${{ secrets.NUGET_API_KEY != '' }}
426+ # Set repository variable NUGET_PUBLISH_METHOD to 'api-key' or 'oidc'.
427+ # - api-key: requires NUGET_API_KEY secret
428+ # - oidc: requires a Trusted Publishing policy at nuget.org
429+ # - unset: NuGet push is skipped
430+ NUGET_PUBLISH_METHOD : ${{ vars.NUGET_PUBLISH_METHOD }}
427431
428432 steps :
429433 - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
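Review bot: The comment above `NUGET_PUBLISH_METHOD` lists the accepted values but not that they are matched exactly; the later `if:` expressions compare the variable verbatim against `'api-key'` and `'oidc'`, so a repository variable set to `OIDC` or `api_key` is rejected by the validation step rather than accepted. Making that explicit in the comment saves a failed release run: `# Set repository variable NUGET_PUBLISH_METHOD to exactly 'api-key' or 'oidc' (lowercase, compared verbatim).` The job this `env:` belongs to starts outside the hunk.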
@@ -455,43 +459,70 @@ jobs:
455459 shell : bash
456460 run : ./build.sh ValidateReleaseManifest
457461
458- # NuGet Publishing: prefers Trusted Publishing (OIDC, no secrets) over API key.
459- # To use Trusted Publishing: configure a policy at nuget.org → Manage Packages → Trusted Publishers.
460- # Falls back to NUGET_API_KEY secret. If neither is configured, push is skipped.
461- - name : NuGet login (Trusted Publishing)
462- if : env.HAS_NUGET_KEY != 'true'
462+ - name : Validate NuGet publish configuration
463+ if : env.NUGET_PUBLISH_METHOD != '' && env.NUGET_PUBLISH_METHOD != 'api-key' && env.NUGET_PUBLISH_METHOD != 'oidc'
464+ shell : bash
465+ run : |
466+ echo "::error::Invalid NUGET_PUBLISH_METHOD '$NUGET_PUBLISH_METHOD'. Must be 'api-key', 'oidc', or unset."
467+ exit 1
468+
469+ - name : NuGet login (Trusted Publishing / OIDC)
470+ if : env.NUGET_PUBLISH_METHOD == 'oidc'
463471 id : nuget-login
464472 uses : NuGet/login@d22cc5f58ff5b88bf9bd452535b4335137e24544 # v1.1.0
465473 with :
466474 user : ${{ vars.NUGET_USER || github.repository_owner }}
467- continue-on-error : true
468475
469- - name : Push to NuGet.org
470- if : env.HAS_NUGET_KEY == 'true' || steps.nuget-login.outcome == 'success '
476+ - name : Push to NuGet.org (OIDC)
477+ if : env.NUGET_PUBLISH_METHOD == 'oidc '
471478 shell : bash
472479 env :
473- API_KEY : ${{ env.HAS_NUGET_KEY == 'true' && secrets.NUGET_API_KEY || steps.nuget-login.outputs.NUGET_API_KEY }}
480+ API_KEY : ${{ steps.nuget-login.outputs.NUGET_API_KEY }}
474481 run : |
475482 shopt -s nullglob
476483 PACKAGES=(artifacts/packages/*.nupkg)
477484 if [ ${#PACKAGES[@]} -eq 0 ]; then
478485 echo "::error::No .nupkg files found"
479486 exit 1
480487 fi
488+ for pkg in "${PACKAGES[@]}"; do
489+ echo "Pushing $pkg"
490+ dotnet nuget push "$pkg" \
491+ --api-key "$API_KEY" \
492+ --source https://api.nuget.org/v3/index.json \
493+ --skip-duplicate
494+ done
495+ echo "All packages pushed to NuGet.org via Trusted Publishing"
481496
497+ - name : Push to NuGet.org (API key)
498+ if : env.NUGET_PUBLISH_METHOD == 'api-key'
499+ shell : bash
500+ env :
501+ API_KEY : ${{ secrets.NUGET_API_KEY }}
502+ run : |
503+ if [ -z "$API_KEY" ]; then
504+ echo "::error::NUGET_PUBLISH_METHOD is 'api-key' but NUGET_API_KEY secret is not set."
505+ exit 1
506+ fi
507+ shopt -s nullglob
508+ PACKAGES=(artifacts/packages/*.nupkg)
509+ if [ ${#PACKAGES[@]} -eq 0 ]; then
510+ echo "::error::No .nupkg files found"
511+ exit 1
512+ fi
482513 for pkg in "${PACKAGES[@]}"; do
483514 echo "Pushing $pkg"
484515 dotnet nuget push "$pkg" \
485516 --api-key "$API_KEY" \
486517 --source https://api.nuget.org/v3/index.json \
487518 --skip-duplicate
488519 done
489- echo "All packages pushed to NuGet.org"
520+ echo "All packages pushed to NuGet.org via API key "
490521
491522 - name : NuGet push skipped
492- if : env.HAS_NUGET_KEY != 'true' && steps.nuget-login.outcome ! = 'success '
523+ if : env.NUGET_PUBLISH_METHOD = = ''
493524 shell : bash
494- run : echo "::warning::No NUGET_API_KEY secret and Trusted Publishing not configured . Skipping NuGet push."
525+ run : echo "::notice::NUGET_PUBLISH_METHOD is not set . Skipping NuGet push. Set it to 'api-key' or 'oidc' in repository variables ."
495526
496527 - name : Generate SBOM
497528 uses : anchore/sbom-action@57aae528053a48a3f6235f2d9461b05fbcb7366d # v0.23.1
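Review bot: The `Push to NuGet.org (OIDC)` step runs the push loop without checking that `steps.nuget-login.outputs.NUGET_API_KEY` produced a value, whereas the `Push to NuGet.org (API key)` step guards with `if [ -z "$API_KEY" ]`; an empty token here would pass `--api-key ""` to every `dotnet nuget push` and fail with a less clear error. Adding the same guard at the top of the OIDC `run:` block keeps the two paths symmetric: `if [ -z "$API_KEY" ]; then echo "::error::NuGet/login returned no token; check the Trusted Publishing policy at nuget.org"; exit 1; fi`. Since `continue-on-error: true` was dropped from the login step, a failed OIDC login now fails the job instead of silently falling through to the skip step, which fits the explicit-method design but deserves a one-line comment on that step. The `NuGet/login` action also needs `id-token: write` on the job; the permissions block is outside this hunk, so confirm it is granted for this job. The two push steps now duplicate the package loop, and a single step that selects `API_KEY` by method would keep one copy of the push logic, though that is a style choice.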