
Use trusted publishing for dotnet-main NuGet publish#1452

Merged
aaronpowell merged 1 commit into main from aaronpowell-nuget-trusted-publishing on Jul 3, 2026

Conversation

@aaronpowell

Member

Closes: N/A

This updates the beta NuGet publish path in dotnet-main.yml to use NuGet trusted publishing instead of the long-lived API key flow. The goal is to align the workflow with nuget.org's OIDC-based authentication model and avoid the authorization failures we are seeing in CI.

The publish job now requests id-token: write, logs in with NuGet/login@v1, and uses the short-lived NUGET_API_KEY output from that step when pushing packages. I also added --skip-duplicate so re-runs do not fail if the same beta package version was already published.

The stable release workflow is unchanged in this PR. Reviewers should note that this workflow now depends on the nuget-beta environment having a NUGET_USER secret and on a matching trusted publishing policy on nuget.org for dotnet-main.yml.

PR Checklist

  • Created a feature/dev branch in your fork (vs. submitting directly from a commit on main)
  • Based off latest main branch of toolkit
  • PR doesn't include merge commits (always rebase on top of our main, if needed)
  • New integration
    • Docs are written
    • Added description of major feature to project description for NuGet package (4000 total character limit, so don't push entire description over that)
  • Tests for the changes have been added (for bug fixes / features) (if applicable)
  • Contains NO breaking changes
  • Every new API (including internal ones) has full XML docs
  • Code follows all style conventions

Other information

This change is limited to dotnet-main.yml so we can trial trusted publishing on the beta feed before making the same change elsewhere.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
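The flow the description sketches (job-level id-token: write, a NuGet/login@v1 step, the short-lived NUGET_API_KEY output, --skip-duplicate) written out as one complete beta publish job, with the long-lived key step it replaces kept beside it as a comment. This is an added example, not the toolkit's dotnet-main.yml and not code from this PR. The NuGet/login@v1 action with its user input and NUGET_API_KEY output, the nuget-beta environment and the NUGET_USER secret are taken from the description; the job name, the checkout/setup/pack steps, the artifacts directory, the .NET version and the version suffix are assumptions.

```yaml
# Added example (not the project's dotnet-main.yml). Job name, build steps,
# artifact directory and .NET version are assumptions.
name: dotnet-main

on:
  push:
    branches: [main]

jobs:
  publish-beta:
    runs-on: ubuntu-latest
    # The environment is part of what nuget.org matches against the trusted
    # publishing policy (together with repository owner, repository and
    # workflow file name). NUGET_USER is the nuget.org user name the policy
    # belongs to; it is not a credential by itself.
    environment: nuget-beta
    permissions:
      id-token: write   # lets the job request a GitHub OIDC token
      contents: read    # job-level permissions replace the defaults, so list everything the job needs
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-dotnet@v4
        with:
          dotnet-version: 9.0.x   # assumed
      - name: Pack beta
        run: dotnet pack -c Release -o ./artifacts --version-suffix beta.${{ github.run_number }}

      # BEFORE (the step the PR removes): a long-lived nuget.org API key held as a
      # repository secret. Anyone who can read the secret can publish until the
      # key is revoked on nuget.org, and a leaked key is hard to notice.
      # - name: Publish to NuGet
      #   run: dotnet nuget push ./artifacts/*.nupkg --source "https://api.nuget.org/v3/index.json" --api-key ${{ secrets.NUGET_PACKAGE_PUSH_TOKEN }}

      # AFTER: exchange the job's OIDC token for a short-lived API key. nuget.org
      # issues it only if repository, workflow file and environment match the
      # trusted publishing policy on the NUGET_USER account; the key expires on
      # its own, so there is nothing long-lived to leak or rotate.
      - name: NuGet login (OIDC)
        id: login
        uses: NuGet/login@v1
        with:
          user: ${{ secrets.NUGET_USER }}

      - name: Publish to NuGet
        run: >
          dotnet nuget push ./artifacts/*.nupkg
          --source "https://api.nuget.org/v3/index.json"
          --api-key ${{ steps.login.outputs.NUGET_API_KEY }}
          --skip-duplicate
```

Two things to check before relying on this: the `id: login` on the login step is what the push step's `steps.login.outputs.NUGET_API_KEY` resolves against, so renaming either side breaks the push with an empty key rather than a clear error; and the policy on nuget.org must name this repository and the file `dotnet-main.yml` (plus the environment if the policy sets one), otherwise the login step fails before any package is pushed. In a production workflow, pin `NuGet/login` to a commit SHA rather than the `v1` tag so a moved tag cannot change what handles the OIDC token.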
Copilot AI review requested due to automatic review settings July 3, 2026 04:35
@github-actions

github-actions Bot commented Jul 3, 2026

Contributor

🚀 Dogfood this PR with:

⚠️ WARNING: Do not do this without first carefully reviewing the code of this PR to satisfy yourself it is safe.

curl -fsSL https://raw.githubusercontent.com/CommunityToolkit/Aspire/main/eng/scripts/dogfood-pr.sh | bash -s -- 1452

Or

  • Run remotely in PowerShell:
iex "& { $(irm https://raw.githubusercontent.com/CommunityToolkit/Aspire/main/eng/scripts/dogfood-pr.ps1) } 1452"

@aaronpowell aaronpowell merged commit 68cd795 into main Jul 3, 2026
146 of 148 checks passed
@aaronpowell aaronpowell deleted the aaronpowell-nuget-trusted-publishing branch July 3, 2026 04:37

Copilot AI left a comment

Contributor


Pull request overview

Updates the dotnet-main NuGet beta publishing workflow to use NuGet.org trusted publishing via GitHub OIDC (instead of a long-lived API key), aiming to reduce CI auth failures and make re-runs idempotent.

Changes:

  • Adds job-level OIDC permissions and a NuGet/login@v1 step to obtain a short-lived NuGet API key.
  • Switches dotnet nuget push to use the OIDC-derived key and adds --skip-duplicate.
Summary per file:

  • .github/workflows/dotnet-main.yml: Moves beta NuGet publishing to OIDC-based authentication and makes package push tolerant of duplicates.

Review details

  • Files reviewed: 1/1 changed files
  • Comments generated: 2
  • Review effort level: Low

Comment on lines +109 to +111
permissions:
id-token: write
contents: read

- name: Publish to NuGet
run: dotnet nuget push ./*.nupkg --source "https://api.nuget.org/v3/index.json" --api-key ${{ secrets.NUGET_PACKAGE_PUSH_TOKEN }}
run: dotnet nuget push ./*.nupkg --source "https://api.nuget.org/v3/index.json" --api-key ${{ steps.login.outputs.NUGET_API_KEY }} --skip-duplicate
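Review bot: the new push line takes its key from `steps.login.outputs.NUGET_API_KEY`, but the `NuGet/login@v1` step that must carry `id: login` and `user: ${{ secrets.NUGET_USER }}` is outside the shown lines, so confirm it runs earlier in the same job; if the id does not match, the expression resolves to an empty string and the push fails with an authorization error that looks like the one this PR is meant to fix. The `permissions:` block added at lines 109 to 111 replaces the workflow-level defaults rather than adding to them, so `contents: read` has to be enough for every other step in the job (checkout is fine, anything that writes needs listing). Two follow-ups worth recording in the PR: once the beta publish succeeds through OIDC, revoke `NUGET_PACKAGE_PUSH_TOKEN` on nuget.org and delete the repository secret if the removed line was its last consumer, since a stale long-lived key is exactly what trusted publishing is meant to eliminate; and `--skip-duplicate` turns a 409 Conflict for an already-published version into a warning, which makes re-runs idempotent but also means a green re-run is not evidence that a new package landed.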