Commit 46c1fa7
ci: migrate NuGet publish to trusted publishing (OIDC) (#440)
## Summary
Migrates the NuGet publish step in `Deploy.yml` from a long-lived
`NUGET_API_KEY` secret to OIDC-based trusted publishing via
`NuGet/login@v1`.
## Changes
- Added `permissions: id-token: write` to the `deploy` job (required for
OIDC token issuance)
- Added `NuGet/login@v1` step to exchange the OIDC token for a
short-lived NuGet API key
- Replaced `secrets.NUGET_API_KEY` with
`steps.login.outputs.NUGET_API_KEY` in the push step
## nuget.org Setup (already done)
A trusted publishing policy has been created on nuget.org for
`IntelliTect.Analyzers`:
- **Owner**: IntelliTect
- **Repository**: CodingGuidelines
- **Workflow**: `Deploy.yml`
- **Environment**: `Production`
## Required Action Before Merging
Add a `NUGET_USER` secret to the **Production** GitHub environment:
- **Name**: `NUGET_USER`
- **Value**: the nuget.org profile name (not email) of the
`IntelliTect-Nuget` account
## After First Successful Publish
Once a release triggers a successful publish via OIDC, the old
`NUGET_API_KEY` secret can be removed from the repository secrets.
1 parent 445980c
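The migration the commit message describes, as a constructed before-and-after workflow fragment (an added illustration, not the repository's `Deploy.yml`): the long-lived `NUGET_API_KEY` secret beside the OIDC login step. The job name, environment name, `NuGet/login@v1`, the `login` step id and the `NUGET_USER` secret come from the message above; the package glob and the omitted build steps are assumed.

```yaml
# Constructed before/after illustration; not the repository's Deploy.yml.
# Build and pack steps are omitted; "*.nupkg" is an assumed package glob.

# --- Before: long-lived API key stored as a repository secret ------------
# Anyone (or any workflow) that can read the secret can publish until the
# key is rotated on nuget.org.
---
jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: Production
    steps:
      # ... build / pack steps omitted ...
      - name: Push to nuget.org (long-lived key)
        run: >
          dotnet nuget push "*.nupkg"
          --api-key ${{ secrets.NUGET_API_KEY }}
          --source https://api.nuget.org/v3/index.json

# --- After: OIDC trusted publishing ---------------------------------------
# nuget.org checks the OIDC token's repository, workflow file and environment
# against the trusted publishing policy before issuing a short-lived key.
---
jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: Production            # must match the nuget.org policy
    permissions:
      id-token: write                  # needed to request the OIDC token;
                                       # every other scope defaults to none
                                       # once a job-level block is present
    steps:
      # ... build / pack steps omitted ...
      - name: NuGet login (OIDC -> short-lived API key)
        id: login                      # referenced by the push step below
        uses: NuGet/login@v1
        with:
          user: ${{ secrets.NUGET_USER }}   # nuget.org profile name, not email
      - name: Push to nuget.org (short-lived key)
        run: >
          dotnet nuget push "*.nupkg"
          --api-key ${{ steps.login.outputs.NUGET_API_KEY }}
          --source https://api.nuget.org/v3/index.json
```

The key minted by the login step is scoped to the run, so there is no standing secret left to leak or rotate once the old `NUGET_API_KEY` is deleted.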
1 file changed
Lines changed: 11 additions & 1 deletion
[Diff content is not rendered on this page; only the line map survived: 4 lines added after original line 52 (new lines 53-56), 6 lines added after original line 59 (new lines 64-69), and original line 64 replaced by new line 74.]
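Review bot: with the nuget.org policy bound to the `Production` environment of `Deploy.yml`, that environment's protection rules replace the API key as the publishing gate, so confirm before merging that `Production` has required reviewers and a deployment-branch restriction configured; otherwise any run that reaches the `deploy` job can mint a publish key. Keeping `permissions: id-token: write` at the job level, as the summary describes, rather than at the workflow level is the right call, since it stops other jobs in the workflow from requesting an OIDC token.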