
Use trusted publishing for dotnet-release publish job #1453

Merged: aaronpowell merged 1 commit into main from aaronpowell-trusted-publishing-release, Jul 3, 2026

@aaronpowell

Member

Closes #N/A

Update dotnet-release.yml so publish-nuget uses the same trusted publishing flow already in dotnet-main.yml: add OIDC job permissions, log in with NuGet/login@v1, switch to the short-lived API key output, and skip duplicate pushes.

PR Checklist

  • Created a feature/dev branch in your fork (vs. submitting directly from a commit on main)
  • Based off latest main branch of toolkit
  • PR doesn't include merge commits (always rebase on top of our main, if needed)
  • New integration
    • Docs are written
    • Added description of major feature to project description for NuGet package (4000 total character limit, so don't push entire description over that)
  • Tests for the changes have been added (for bug fixes / features) (if applicable)
  • Contains NO breaking changes
  • Every new API (including internal ones) has full XML docs
  • Code follows all style conventions

Other information

Local validation included YAML parsing and diff checks. Before the first stable publish with trusted publishing, run dotnet pack -c Release -o ./artifacts to confirm the packages are produced as expected.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 3, 2026 05:07
@github-actions

github-actions Bot commented Jul 3, 2026

Contributor

🚀 Dogfood this PR with:

⚠️ WARNING: Do not do this without first carefully reviewing the code of this PR to satisfy yourself it is safe.

curl -fsSL https://raw.githubusercontent.com/CommunityToolkit/Aspire/main/eng/scripts/dogfood-pr.sh | bash -s -- 1453

Or

  • Run remotely in PowerShell:
iex "& { $(irm https://raw.githubusercontent.com/CommunityToolkit/Aspire/main/eng/scripts/dogfood-pr.ps1) } 1453"

Copilot AI left a comment

Contributor

Pull request overview

Updates the release workflow to publish NuGet packages using NuGet.org trusted publishing (OIDC) instead of a long-lived API key, aligning the dotnet-release.yml publishing flow with the already-adopted approach in dotnet-main.yml.

Changes:

  • Add job-level OIDC permissions to publish-nuget (id-token: write) for trusted publishing.
  • Authenticate to NuGet.org via NuGet/login@v1 and use its short-lived NUGET_API_KEY output for dotnet nuget push.
  • Add --skip-duplicate to avoid failing the job on already-published packages.

Show a summary per file

| File | Description |
| --- | --- |
| .github/workflows/dotnet-release.yml | Switch publish-nuget to NuGet trusted publishing (OIDC) and skip duplicate pushes. |

Review details

  • Files reviewed: 1/1 changed files
  • Comments generated: 0
  • Review effort level: Low
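
The flow this PR describes, as an added workflow sketch that is not the repository's actual dotnet-release.yml and not code from the PR. The job name, NuGet/login@v1, the NUGET_API_KEY output, id-token: write and --skip-duplicate come from the page; the trigger, runner, checkout step, the NUGET_USER secret name and the ./artifacts glob are assumptions.

```yaml
# Constructed sketch, not the contents of the repository's dotnet-release.yml.
name: release-sketch            # hypothetical workflow name
on:
  release:
    types: [published]          # assumed trigger

jobs:
  publish-nuget:
    runs-on: ubuntu-latest      # assumed runner (ships with a .NET SDK)
    permissions:
      id-token: write           # allows the job to request a GitHub OIDC token
      contents: read            # job-level permissions drop everything not listed; checkout needs this
    steps:
      - uses: actions/checkout@v4
      - run: dotnet pack -c Release -o ./artifacts

      # Before: a long-lived key stored as a repository secret.
      # - run: dotnet nuget push "./artifacts/*.nupkg" --api-key "${{ secrets.NUGET_API_KEY }}" --source https://api.nuget.org/v3/index.json

      # After: exchange the job's OIDC token for a short-lived NuGet API key.
      - name: NuGet login (OIDC)
        id: login
        uses: NuGet/login@v1
        with:
          user: ${{ secrets.NUGET_USER }}   # assumed secret holding the nuget.org profile name

      - name: Push packages
        env:
          # Pass the key through the environment rather than interpolating it into the script text.
          NUGET_API_KEY: ${{ steps.login.outputs.NUGET_API_KEY }}
        run: >
          dotnet nuget push "./artifacts/*.nupkg"
          --api-key "$NUGET_API_KEY"
          --source https://api.nuget.org/v3/index.json
          --skip-duplicate
```

The login step only succeeds when a trusted publishing policy on nuget.org names this repository and workflow file, so a renamed or copied workflow fails at login instead of publishing.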

aaronpowell added the skip-nuget-publish label ("Skips publishing to NuGet when merging to the `main` branch.") Jul 3, 2026
aaronpowell merged commit 2bbca05 into main Jul 3, 2026
150 of 152 checks passed
aaronpowell deleted the aaronpowell-trusted-publishing-release branch July 3, 2026 05:41