Use trusted publishing for dotnet-main NuGet publish #1452
Merged
Conversation
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
🚀 Dogfood this PR with:

curl -fsSL https://raw.githubusercontent.com/CommunityToolkit/Aspire/main/eng/scripts/dogfood-pr.sh | bash -s -- 1452

Or

iex "& { $(irm https://raw.githubusercontent.com/CommunityToolkit/Aspire/main/eng/scripts/dogfood-pr.ps1) } 1452"
Pull request overview
Updates the dotnet-main NuGet beta publishing workflow to use NuGet.org trusted publishing via GitHub OIDC (instead of a long-lived API key), aiming to reduce CI auth failures and make re-runs idempotent.
Changes:
- Adds job-level OIDC permissions and a NuGet/login@v1 step to obtain a short-lived NuGet API key.
- Switches dotnet nuget push to use the OIDC-derived key and adds --skip-duplicate.
| File | Description |
|---|---|
| .github/workflows/dotnet-main.yml | Moves beta NuGet publishing to OIDC-based authentication and makes package push tolerant of duplicates. |
Review details
- Files reviewed: 1/1 changed files
- Comments generated: 2
- Review effort level: Low
Comment on lines +109 to +111
| permissions: | ||
| id-token: write | ||
| contents: read |
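Review bot: the permissions block at +109 to +111 grants id-token: write together with contents: read, which is the minimal pair NuGet/login@v1 needs to request the GitHub OIDC token while still letting the job check out code or download artifacts; keep it on the publish job only, as the description says, rather than at workflow top level, so the build and test jobs never receive an OIDC token they have no use for. Note also that declaring a permissions block sets every scope not listed to none, so any other permission this job previously relied on (for example packages: read) now has to be added explicitly or the corresponding step will start failing.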
| - name: Publish to NuGet | ||
| run: dotnet nuget push ./*.nupkg --source "https://api.nuget.org/v3/index.json" --api-key ${{ secrets.NUGET_PACKAGE_PUSH_TOKEN }} | ||
| run: dotnet nuget push ./*.nupkg --source "https://api.nuget.org/v3/index.json" --api-key ${{ steps.login.outputs.NUGET_API_KEY }} --skip-duplicate |
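Review bot: the new run line expands steps.login.outputs.NUGET_API_KEY, so the NuGet/login@v1 step must carry id: login; the step id is not visible in this hunk, and if it is missing the expression expands to an empty string and the push fails with an authorization error indistinguishable from the one this PR is meant to fix, so please confirm it. Consider also passing the key through an env: mapping and expanding "$NUGET_API_KEY" in the shell instead of interpolating ${{ }} straight into the command line, which keeps the value out of the rendered command. Two follow-ups: --skip-duplicate turns a 409 on an already-published version into a success, which is the intended re-run behaviour but also means a packaging bug that reuses a version number will no longer be caught at push time; and once trusted publishing is confirmed working, the now-unused NUGET_PACKAGE_PUSH_TOKEN secret should be removed from the repository and revoked on nuget.org so the long-lived key is not left lying around.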
Closes: N/A
This updates the beta NuGet publish path in dotnet-main.yml to use NuGet trusted publishing instead of the long-lived API key flow. The goal is to align the workflow with nuget.org's OIDC-based authentication model and avoid the authorization failures we are seeing in CI.

The publish job now requests id-token: write, logs in with NuGet/login@v1, and uses the short-lived NUGET_API_KEY output from that step when pushing packages. I also added --skip-duplicate so re-runs do not fail if the same beta package version was already published.

The stable release workflow is unchanged in this PR. Reviewers should note that this workflow now depends on the nuget-beta environment having a NUGET_USER secret and on a matching trusted publishing policy on nuget.org for dotnet-main.yml.

PR Checklist
Other information
This change is limited to dotnet-main.yml so we can trial trusted publishing on the beta feed before making the same change elsewhere.
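As an added illustration of the wiring the description lays out, and not the project's actual dotnet-main.yml, here is a complete publish job built from the pieces the PR names. The permissions block, NuGet/login@v1 with its user input and NUGET_API_KEY output, the nuget-beta environment, the NUGET_USER secret and --skip-duplicate come from the PR; the job name publish-beta, the needs dependency, the download-artifact step with its artifact name and path, and routing the key through an env: mapping instead of interpolating it into the command line are assumptions made for the example.

```yaml
# Added example, not the repository's own workflow. Assumes a preceding job
# named "build" uploaded the .nupkg files as an artifact called "packages".
jobs:
  publish-beta:
    runs-on: ubuntu-latest
    needs: build
    # Binds the job to the environment that holds NUGET_USER; the trusted
    # publishing policy on nuget.org is matched against this workflow file.
    environment: nuget-beta
    # Job-level scope: only this job can mint an OIDC token. Listing
    # permissions here sets every unlisted scope to none.
    permissions:
      id-token: write
      contents: read
    steps:
      - name: Download packages
        uses: actions/download-artifact@v4
        with:
          name: packages
          path: ./packages

      # Exchanges the GitHub OIDC token for a short-lived NuGet API key.
      # The step id must match the steps.<id>.outputs reference below.
      - name: NuGet login (OIDC)
        id: login
        uses: NuGet/login@v1
        with:
          user: ${{ secrets.NUGET_USER }}

      # Assumed variation on the PR's run line: the key is exposed to the
      # shell via env rather than expanded into the command text.
      - name: Publish to NuGet
        env:
          NUGET_API_KEY: ${{ steps.login.outputs.NUGET_API_KEY }}
        run: >
          dotnet nuget push ./packages/*.nupkg
          --source "https://api.nuget.org/v3/index.json"
          --api-key "$NUGET_API_KEY"
          --skip-duplicate
```

With --skip-duplicate the push exits successfully when nuget.org already has that package version, which is what makes a re-run of the beta job idempotent; the same flag also means an accidental version reuse is no longer reported as a failure, so version numbering needs to be checked earlier in the pipeline.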