Workflow fix

Author: alexis-

.github/workflows/publish.yml

@@ -117,12 +117,14 @@ jobs:
           user: ${{ secrets.NUGET_USER }}
 
       - name: Push packages to NuGet.org
-        # Push all packages and symbol packages to NuGet.org
-        # --skip-duplicate ensures idempotency - already published versions are skipped
-        # The API key is obtained from the login step's output (valid for ~1 hour)
+        # Push primary packages only. The NuGet client discovers and publishes the
+        # matching .snupkg from the current package directory. Do not push .snupkg
+        # files explicitly: with --skip-duplicate, rebuilt symbols can be uploaded
+        # for an already-published .nupkg and fail NuGet symbol validation.
         if: ${{ github.event.inputs.dry_run != 'true' }}
         run: |
-          for package in ./artifacts/*.nupkg ./artifacts/*.snupkg; do
+          cd ./artifacts
+          for package in *.nupkg; do
             echo "Pushing: $package"
             dotnet nuget push "$package" \
               --api-key "${{ steps.nuget-login.outputs.NUGET_API_KEY }}" \

src/VastAI.NET/VastAI.NET.csproj

@@ -5,7 +5,7 @@
 
     <!-- NuGet Package Properties (common properties inherited from Directory.Build.props) -->
     <PackageId>VastAI.NET</PackageId>
-    <Version>1.0.0</Version>
+    <Version>1.0.1</Version>
     <Description>Typed .NET client for Vast.ai REST provider operations.</Description>
     <PackageTags>alos;vastai;vast;cloud-gpu;rest-client</PackageTags>
   </PropertyGroup>

tests/VastAI.NET.Tests/VastApiClientTests.cs

@@ -2,6 +2,7 @@ namespace VastAI.NET.Tests;
 
 using System.Net;
 using System.Text.Json;
+using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Logging.Abstractions;
 using Microsoft.Extensions.Options;
 using Models;
@@ -238,6 +239,26 @@ public void Create_WithMissingRuntimeApiKey_ThrowsConfigurationException()
     Assert.Contains("Vast API key is required", exception.Message);
   }
 
+  /// <summary>Failed Vast responses must not copy the configured bearer token into exceptions or logs.</summary>
+  [Fact]
+  public async Task GetInstancesAsync_WhenRequestFails_DoesNotLeakApiKeyInExceptionOrLogs()
+  {
+    const string apiKey = "live-secret-value-that-must-not-appear";
+    var handler = new SequenceHandler(
+      new HttpResponseMessage(HttpStatusCode.Unauthorized) { Content = new StringContent("""{"error":"unauthorized"}""") });
+    var logger = new CapturingLogger<VastApiClient>();
+    var client = new VastApiClient(
+      new HttpClient(handler),
+      Options.Create(new VastAIOptions { ApiKey = apiKey, ApiBaseUri = new Uri("https://console.vast.ai/") }),
+      logger);
+
+    var exception = await Assert.ThrowsAsync<Exceptions.VastAIOperationException>(() => client.GetInstancesAsync(
+                                                                                    TestContext.Current.CancellationToken));
+
+    Assert.DoesNotContain(apiKey, exception.ToString(), StringComparison.Ordinal);
+    Assert.DoesNotContain(apiKey, string.Join(Environment.NewLine, logger.Messages), StringComparison.Ordinal);
+  }
+
   /// <summary>Creates a client with a fake handler and deterministic options.</summary>
   private static VastApiClient CreateClient(HttpMessageHandler handler)
   {
@@ -284,4 +305,36 @@ protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage reques
         : _responses.Dequeue());
     }
   }
+
+  /// <summary>Captures rendered log messages without writing them to test output.</summary>
+  private sealed class CapturingLogger<T> : ILogger<T>
+  {
+    public List<string> Messages { get; } = [];
+
+    public IDisposable? BeginScope<TState>(TState state) where TState : notnull => NullScope.Instance;
+
+    public bool IsEnabled(LogLevel logLevel) => true;
+
+    public void Log<TState>(
+      LogLevel                        logLevel,
+      EventId                         eventId,
+      TState                          state,
+      Exception?                      exception,
+      Func<TState, Exception?, string> formatter)
+    {
+      Messages.Add(formatter(state, exception));
+      if (exception is not null)
+        Messages.Add(exception.ToString());
+    }
+  }
+
+  /// <summary>Reusable no-op logging scope.</summary>
+  private sealed class NullScope : IDisposable
+  {
+    public static readonly NullScope Instance = new();
+
+    public void Dispose()
+    {
+    }
+  }
 }