@@ -83,17 +83,33 @@ jobs:
8383 --generate-notes \
8484 --verify-tag
8585
86- - name : NuGet login via Trusted Publishing (OIDC → temp API key)
87- if : ${{ inputs.push-to-nuget == true }}
88- id : nuget-login
89- uses : NuGet/login@v1
90- with :
91- user : juster.chu
92-
93- - name : Push NuGet package to NuGet.org
86+ - name : Push NuGet package to NuGet.org (Trusted Publishing via OIDC)
9487 if : ${{ inputs.push-to-nuget == true }}
9588 run : |
89+ # Step 1: Get OIDC token from GitHub Actions runtime
90+ ID_TOKEN=$(curl -sSL -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
91+ "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=https://www.nuget.org" | jq -r '.value')
92+ echo "OIDC token obtained (length: ${#ID_TOKEN})"
93+
94+ # Step 2: Exchange OIDC token for a short-lived NuGet API key
95+ echo "Exchanging token at https://www.nuget.org/api/v2/token..."
96+ RESPONSE=$(curl -sSL -w "\n%{http_code}" -X POST "https://www.nuget.org/api/v2/token" \
97+ -H "Content-Type: application/json" \
98+ -d "{\"token\":\"$ID_TOKEN\",\"username\":\"juster.chu\"}")
99+ HTTP_CODE=$(echo "$RESPONSE" | tail -1)
100+ RESPONSE_BODY=$(echo "$RESPONSE" | sed '$d')
101+ echo "HTTP Status: $HTTP_CODE"
102+ echo "Response: $RESPONSE_BODY"
103+
104+ if [ "$HTTP_CODE" != "200" ]; then
105+ echo "::error::Token exchange failed with HTTP $HTTP_CODE"
106+ exit 1
107+ fi
108+
109+ NUGET_API_KEY=$(echo "$RESPONSE_BODY" | jq -r '.apiKey')
110+
111+ # Step 3: Push the package
96112 dotnet nuget push artifacts/*.nupkg \
97113 --source https://api.nuget.org/v3/index.json \
98- --api-key "${{ steps.nuget-login.outputs. NUGET_API_KEY }} " \
114+ --api-key "$NUGET_API_KEY" \
99115 --skip-duplicate
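Review bot: `echo "Response: $RESPONSE_BODY"` on new line 102 runs before the status check, so on a successful exchange it writes the JSON that carries `apiKey` into the job log; the key is minted at runtime and nothing visible in this hunk registers it for masking, so anyone who can read the run's logs can see it while it remains valid. Print the body only inside the `if [ "$HTTP_CODE" != "200" ]` branch, and add `echo "::add-mask::$NUGET_API_KEY"` immediately after the `jq -r '.apiKey'` line. The script also never checks that `ID_TOKEN` or `NUGET_API_KEY` is non-empty and not the literal `null` that `jq -r` prints for a missing field, so a malformed response only surfaces later as a failed push; a guard such as `[ -n "$NUGET_API_KEY" ] && [ "$NUGET_API_KEY" != "null" ] || exit 1` would fail early. The `run:` script is complete in this hunk, but the job's `permissions` block is outside it, so confirm that `id-token: write` is granted, since the `ACTIONS_ID_TOKEN_REQUEST_*` variables are only populated when it is.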