ci: upgrade devops-templates to v10.0 with NuGet trusted publishing (#74)

ncipollina · claude · web-flow · commit 1bae1b5e0957 · 2026-06-25T15:09:22.000-04:00
Split publish jobs into build (shared template) and push (composite
action) so OIDC job_workflow_ref matches the NuGet trusted publisher
policy. Version-bump-only for pr-build, pr-title-check, release-drafter.
Includes package updates from Directory.Packages.props.

Co-authored-by: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/pr-build.yaml b/.github/workflows/pr-build.yaml
@@ -7,7 +7,7 @@ on:
 permissions: write-all
 jobs:
   build:
-    uses: LayeredCraft/devops-templates/.github/workflows/pr-build.yaml@v8.1
+    uses: LayeredCraft/devops-templates/.github/workflows/pr-build.yaml@v10.0
     with:
       solution: LayeredCraft.Cdk.Constructs.slnx
       hasTests: true
diff --git a/.github/workflows/pr-title-check.yaml b/.github/workflows/pr-title-check.yaml
@@ -10,4 +10,4 @@ permissions:
 
 jobs:
   validate:
-    uses: LayeredCraft/devops-templates/.github/workflows/pr-title-check.yml@v8.1
+    uses: LayeredCraft/devops-templates/.github/workflows/pr-title-check.yml@v10.0
diff --git a/.github/workflows/publish-preview.yaml b/.github/workflows/publish-preview.yaml
@@ -12,14 +12,16 @@ on:
       - 'mkdocs.yml'
       - 'requirements.txt'
 
-permissions: write-all
+permissions:
+  contents: write
+  pull-requests: write
 
 jobs:
   # To add support for additional .NET versions (e.g. net9, net11), add release branches
   # (e.g. release/net9) and wire up separate caller workflows targeting those branches.
 
-  publish:
-    uses: LayeredCraft/devops-templates/.github/workflows/publish-preview.yml@v8.1
+  build:
+    uses: LayeredCraft/devops-templates/.github/workflows/publish-preview.yml@v10.0
     with:
       solution: LayeredCraft.Cdk.Constructs.slnx
       dotnetVersion:  |
@@ -29,4 +31,15 @@ jobs:
         11.0.x
       prereleaseIdentifier: alpha
       hasTests: true
-    secrets: inherit
+    secrets: inherit
+
+  push:
+    needs: build
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - uses: LayeredCraft/devops-templates/.github/actions/nuget-push@v10.0
+        with:
+          nuget_user: ${{ secrets.NUGET_USER }}
diff --git a/.github/workflows/publish-release.yaml b/.github/workflows/publish-release.yaml
@@ -4,14 +4,15 @@ on:
   release:
     types: [published]
 
-permissions: write-all
+permissions:
+  contents: write
 
 jobs:
   # To add support for additional .NET versions (e.g. net9, net11), add release branches
   # (e.g. release/net9) and wire up separate caller workflows targeting those branches.
 
-  publish:
-    uses: LayeredCraft/devops-templates/.github/workflows/publish-release.yml@v8.1
+  build:
+    uses: LayeredCraft/devops-templates/.github/workflows/publish-release.yml@v10.0
     with:
       solution: LayeredCraft.Cdk.Constructs.slnx
       dotnetVersion:  |
@@ -20,4 +21,15 @@ jobs:
         10.0.x
         11.0.x
       hasTests: true
-    secrets: inherit
+    secrets: inherit
+
+  push:
+    needs: build
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - uses: LayeredCraft/devops-templates/.github/actions/nuget-push@v10.0
+        with:
+          nuget_user: ${{ secrets.NUGET_USER }}
diff --git a/.github/workflows/release-drafter.yaml b/.github/workflows/release-drafter.yaml
@@ -14,7 +14,7 @@ permissions:
 
 jobs:
   draft:
-    uses: LayeredCraft/devops-templates/.github/workflows/release-drafter.yml@v8.1
+    uses: LayeredCraft/devops-templates/.github/workflows/release-drafter.yml@v10.0
     with:
       event_name: ${{ github.event_name }}
       pr_draft: ${{ github.event.pull_request.draft == true }}
diff --git a/Directory.Packages.props b/Directory.Packages.props
@@ -3,18 +3,18 @@
     <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
   </PropertyGroup>
   <ItemGroup Label="Build">
-    <PackageVersion Include="Microsoft.SourceLink.GitHub" Version="10.0.202" />
-    <PackageVersion Include="Microsoft.Testing.Extensions.CodeCoverage" Version="18.6.2" />
+    <PackageVersion Include="Microsoft.SourceLink.GitHub" Version="10.0.300" />
+    <PackageVersion Include="Microsoft.Testing.Extensions.CodeCoverage" Version="18.8.0" />
   </ItemGroup>
   <ItemGroup Label="AWS">
-    <PackageVersion Include="Amazon.CDK.Lib" Version="2.250.0" />
+    <PackageVersion Include="Amazon.CDK.Lib" Version="2.260.0" />
   </ItemGroup>
   <ItemGroup Label="Testing">
     <PackageVersion Include="AutoFixture" Version="4.18.1" />
     <PackageVersion Include="AutoFixture.AutoNSubstitute" Version="4.18.1" />
     <PackageVersion Include="AutoFixture.Xunit3" Version="4.19.0" />
     <PackageVersion Include="AwesomeAssertions" Version="9.4.0" />
-    <PackageVersion Include="Microsoft.NET.Test.Sdk" Version="18.4.0" />
+    <PackageVersion Include="Microsoft.NET.Test.Sdk" Version="18.7.0" />
     <PackageVersion Include="NSubstitute" Version="5.3.0" />
     <PackageVersion Include="xunit.v3.mtp-v2" Version="3.2.2" />
     <PackageVersion Include="xunit.runner.visualstudio" Version="3.1.5" />
