Use NuGet trusted publishing (OIDC) instead of API key #72

Merged: IvanMurzak merged 1 commit into main from claude/setup-nuget-trusted-publishing-sLFun, Mar 12, 2026

@IvanMurzak
Owner

Summary

This PR updates the release workflow to use NuGet's trusted publishing feature with OpenID Connect (OIDC) authentication instead of relying on a static API key stored as a secret.

Key Changes

  • Added required permissions for OIDC token generation (id-token: write and contents: read)
  • Integrated NuGet login step using the official nuget/login@v1 action for OIDC-based authentication
  • Removed dependency on NUGET_API_KEY secret from the publish command
  • Simplified the NuGet push command by removing the --api-key parameter

Benefits

  • Enhanced Security: Eliminates the need to manage long-lived API keys as secrets
  • Improved Auditability: OIDC provides better tracking of who/what published packages
  • Reduced Attack Surface: Temporary credentials are generated per-workflow run instead of using static secrets
  • Industry Standard: Aligns with GitHub's recommended security practices for package publishing

https://claude.ai/code/session_01YJxiyTtL8zDVfF86XuGaZS

Replace long-lived NUGET_API_KEY secret with GitHub Actions OIDC-based
trusted publishing. This adds id-token:write permission to the deploy
job and uses nuget/login@v1 to obtain a short-lived API key automatically.

https://claude.ai/code/session_01YJxiyTtL8zDVfF86XuGaZS
@IvanMurzak IvanMurzak self-assigned this Mar 12, 2026
@IvanMurzak IvanMurzak added the enhancement New feature or request label Mar 12, 2026
@github-actions
Contributor

Test Results

    2 files      2 suites   8m 31s ⏱️
1 355 tests 1 355 ✅ 0 💤 0 ❌
2 710 runs  2 710 ✅ 0 💤 0 ❌

Results for commit 089589b.

@IvanMurzak IvanMurzak merged commit 82ed426 into main Mar 12, 2026
2 checks passed
@IvanMurzak IvanMurzak deleted the claude/setup-nuget-trusted-publishing-sLFun branch March 12, 2026 07:18
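
A check for the migration this PR describes, as an added example that is not code from the PR or the repository: it scans a workflow for a leftover `secrets.NUGET_API_KEY` reference, a NuGet push without a `nuget/login` step, and `id-token: write` granted where no login step uses it. `audit`, `split_jobs` and both sample workflows are constructed for illustration, and the parser assumes block-style YAML with two-space indentation.

```python
import re

# Constructed sample workflows, trimmed to the lines the check reads;
# they are not the workflow files changed in this PR.
STATIC_KEY = """\
jobs:
  deploy:
    steps:
      - run: dotnet nuget push out/*.nupkg --api-key ${{ secrets.NUGET_API_KEY }}
"""
TRUSTED = """\
jobs:
  test:
    steps:
      - run: dotnet test
  deploy:
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: nuget/login@v1
      - run: dotnet nuget push out/*.nupkg
"""

def split_jobs(workflow):
    """Return (text before `jobs:`, {job: body}); assumes two-space block YAML."""
    parts = re.split(r"(?m)^jobs:[ \t]*$", workflow, maxsplit=1)
    chunks = re.split(r"(?m)^  ([\w-]+):[ \t]*$", parts[1] if len(parts) > 1 else "")
    return parts[0], dict(zip(chunks[1::2], chunks[2::2]))

def audit(workflow):
    """Per-job findings (hypothetical helper, not a GitHub or NuGet tool)."""
    head, jobs = split_jobs(workflow)
    findings = []
    for name, body in jobs.items():
        pushes = re.search(r"nuget\s+push", body)
        static = re.search(r"secrets\.NUGET_API_KEY\b", body, re.I)
        login = re.search(r"uses:\s*nuget/login@", body, re.I)
        # A job's own permissions block replaces the workflow-level one.
        scope = body if re.search(r"(?m)^    permissions:", body) else head
        oidc = re.search(r"(?m)^\s*id-token:\s*write\b", scope)
        if static:
            findings.append(f"{name}: static NUGET_API_KEY secret still referenced")
        if pushes and not login:
            findings.append(f"{name}: pushes to NuGet without a nuget/login step")
        if login and not oidc:
            findings.append(f"{name}: nuget/login used but id-token: write not granted")
        if oidc and not login:
            findings.append(f"{name}: id-token: write granted but no login step uses it")
    return findings
```

Granting `id-token: write` at workflow level is reported for every job that has no login step, which is why the job-level grant on the publishing job comes back clean.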