Skip to content

Commit 50b2de2

Browse files
ncipollinaclaude
andcommitted
fix(ci): run NuGet OIDC login in caller; pass key to shared template
job_workflow_ref claim in OIDC token must match compact-json-formatter workflow path for NuGet trusted publisher policy to accept it. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
1 parent 52141e2 commit 50b2de2

1 file changed

Lines changed: 16 additions & 2 deletions

File tree

.github/workflows/publish-preview.yaml

Lines changed: 16 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -12,10 +12,24 @@ on:
1212
permissions:
1313
contents: write
1414
pull-requests: write
15-
id-token: write
1615

1716
jobs:
17+
get-nuget-token:
18+
runs-on: ubuntu-latest
19+
permissions:
20+
id-token: write
21+
contents: read
22+
outputs:
23+
nuget_api_key: ${{ steps.login.outputs.NUGET_API_KEY }}
24+
steps:
25+
- name: NuGet Login (OIDC)
26+
uses: NuGet/login@v1
27+
id: login
28+
with:
29+
user: ${{ secrets.NUGET_USER }}
30+
1831
publish:
32+
needs: get-nuget-token
1933
uses: LayeredCraft/devops-templates/.github/workflows/publish-preview.yml@ci/github-nuget-oidc-login
2034
with:
2135
solution: LayeredCraft.Logging.CompactJsonFormatter.slnx
@@ -25,4 +39,4 @@ jobs:
2539
10.0.x
2640
11.0.x
2741
hasTests: true
28-
secrets: inherit
42+
nuget_api_key: ${{ needs.get-nuget-token.outputs.nuget_api_key }}

0 commit comments

Comments
 (0)