fix: use official NuGet/login@v1 for Trusted Publishing

JusterZhu · claude · JusterZhu · commit b50736b5d64c · 2026-06-13T17:16:50.000+08:00
The manual OIDC token fetch didn't work because NuGet.org requires
a two-step exchange: GitHub OIDC token → NuGet.org temp API key → push.
Using NuGet/login@v1 handles this correctly.

Also removes jq dependency (no longer needed).

Co-Authored-By: Claude &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/publish-nuget.yml b/.github/workflows/publish-nuget.yml
@@ -83,14 +83,17 @@ jobs:
             --generate-notes \
             --verify-tag
 
-      - name: Push NuGet package to NuGet.org (Trusted Publishing via OIDC)
+      - name: NuGet login via Trusted Publishing (OIDC → temp API key)
+        if: ${{ inputs.push-to-nuget == true }}
+        id: nuget-login
+        uses: NuGet/login@v1
+        with:
+          user: ${{ secrets.NUGET_USER }}
+
+      - name: Push NuGet package to NuGet.org
         if: ${{ inputs.push-to-nuget == true }}
         run: |
-          # Strip default audience from the request URL and set 'nuget' as the sole audience
-          BASE_URL="${ACTIONS_ID_TOKEN_REQUEST_URL%%\?*}"
-          ID_TOKEN=$(curl -sSL -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
-            "${BASE_URL}?audience=nuget" | jq -r '.value')
           dotnet nuget push artifacts/*.nupkg \
             --source https://api.nuget.org/v3/index.json \
-            --api-key "$ID_TOKEN" \
+            --api-key "${{ steps.nuget-login.outputs.NUGET_API_KEY }}" \
             --skip-duplicate
