
Use trusted publishing for NuGet release#3261

Open
jfversluis wants to merge 2 commits into main from jfversluis-nuget-trusted-publishing

Conversation

jfversluis (Member) commented Jul 3, 2026

Description of Change

This moves the NuGet.org release job (release-nuget in .github/workflows/dotnet-build.yml) to NuGet trusted publishing, matching the approach from CommunityToolkit/Aspire#1452:

  • grants the job id-token: write and contents: read
  • logs in with NuGet/login@v1
  • pushes packages with ${{ steps.login.outputs.NUGET_API_KEY }} instead of the long-lived ${{ secrets.NUGET_PACKAGE_PUSH_TOKEN }}

This repo was not already using trusted publishing for the NuGet.org publish path; the signing job requested an OIDC token, but the release-nuget job still pushed with the long-lived NuGet API key.

Reviewers should note that this workflow change also requires external configuration before the first trusted-publishing release can succeed:

  • Add a NUGET_USER secret to the nuget-release-gate GitHub environment. The value should be the nuget.org profile/owner used for the trusted publishing policy, not an email address.
  • Create a matching nuget.org trusted publishing policy for the package owner. The current pushed packages are owned by both Microsoft.Toolkit and dotnetfoundation, so the policy and NUGET_USER secret should use whichever of those nuget.org owners is intended to publish these packages.
  • Configure the policy with repository owner CommunityToolkit, repository Maui, workflow file dotnet-build.yml, and environment nuget-release-gate.

Linked Issues

  • N/A

PR Checklist

  • Has a linked Issue, and the Issue has been approved (bug) or Championed (feature/proposal) - N/A, workflow infrastructure change
  • Has tests (if omitted, state reason in description) - N/A, workflow-only change
  • Has samples (if omitted, state reason in description) - N/A, workflow-only change
  • Rebased on top of main at time of PR
  • Changes adhere to coding standard
  • Documentation created or updated: https://github.com/MicrosoftDocs/CommunityToolkit/pulls - N/A, workflow-only change

Additional information

No product code changes; this only updates the NuGet.org release publishing workflow.
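An added illustration of the job shape the description above lays out; it is not the PR's own diff. The job, environment, secret and step names (`release-nuget`, `nuget-release-gate`, `NUGET_USER`, `NuGet/login@v1`, `steps.login.outputs.NUGET_API_KEY`) come from the PR text, the `user` input is the login action's documented input name, and the trigger, artifact download step, artifact name and package path are assumptions.

```yaml
# Added example, not the PR's diff. Names marked "assumed" are not on the page.
name: dotnet-build

on:
  workflow_dispatch:   # assumed trigger; the real workflow's triggers are unchanged

jobs:
  release-nuget:
    runs-on: ubuntu-latest
    # Must equal the "environment" value in the nuget.org trusted publishing
    # policy: GitHub puts the environment name into the OIDC token subject,
    # and nuget.org checks that subject against the policy.
    environment: nuget-release-gate
    # Job-scoped, so only this job can mint an OIDC token. Declaring a
    # permissions block sets every scope not listed here to "none".
    permissions:
      id-token: write
      contents: read
    steps:
      - name: Download packages
        uses: actions/download-artifact@v4   # assumed: how packages reach this job
        with:
          name: nupkg                         # assumed artifact name
          path: ./nupkg

      # Exchanges the run's OIDC token for a short-lived nuget.org API key.
      # NUGET_USER is the nuget.org owner named in the policy, not an email.
      - name: NuGet login via trusted publishing
        id: login
        uses: NuGet/login@v1
        with:
          user: ${{ secrets.NUGET_USER }}

      # Before this PR the push used --api-key ${{ secrets.NUGET_PACKAGE_PUSH_TOKEN }},
      # a long-lived key held as a repository secret. The login output is a
      # temporary key that only exists for this run.
      - name: Push to NuGet.org
        run: >
          dotnet nuget push ./nupkg/*.nupkg
          --source https://api.nuget.org/v3/index.json
          --api-key ${{ steps.login.outputs.NUGET_API_KEY }}
          --skip-duplicate
```

If the `environment:` line is missing, the token subject will not carry the environment name and a policy configured with `nuget-release-gate` will reject the login even though the permissions are correct.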

Switch the NuGet.org release workflow from the long-lived package push token to NuGet trusted publishing via OIDC login.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 3, 2026 07:38

Copilot AI (Contributor) left a comment

Pull request overview

Updates the NuGet.org release workflow to use NuGet trusted publishing (OIDC) instead of a long-lived NuGet API key, aligning the repo’s publish path with modern, short-lived credential practices.

Changes:

  • Grants release-nuget job OIDC-capable permissions and adds a NuGet OIDC login step (NuGet/login@v1).
  • Switches dotnet nuget push to use the short-lived API key output from the login step instead of secrets.NUGET_PACKAGE_PUSH_TOKEN.
Summary per file:

  • .github/workflows/dotnet-build.yml: Moves NuGet.org publishing to trusted publishing via OIDC login and short-lived API key output.

Review details

  • Files reviewed: 1/1 changed files
  • Comments generated: 1
  • Review effort level: Low

Comment on lines +385 to +387
permissions:
id-token: write
contents: read
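Review bot: confirm this `permissions:` block sits under the `release-nuget` job rather than at the workflow top level, so `id-token: write` is granted only to the publishing job; note too that a job-level `permissions:` block sets every scope not listed to none, so any other permission the job's earlier steps relied on has to be re-added next to `contents: read`. For the nuget.org policy described in the PR (repository owner CommunityToolkit, repository Maui, workflow dotnet-build.yml, environment nuget-release-gate) to match, the same job must also declare `environment: nuget-release-gate`, because the environment name is part of the OIDC token subject that the policy is checked against.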
Keep the trusted publishing action pinned by commit SHA like the other workflow actions in this repo.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>