ci: upgrade devops-templates to v10.0 with NuGet trusted publishing (#46)

ncipollina · claude · web-flow · commit c269a4ba8f4b · 2026-06-25T10:58:19.000-04:00
* ci: upgrade devops-templates to v10.0 with NuGet trusted publishing

Split publish jobs into build (shared template) and push (composite
action) so the OIDC job_workflow_ref matches the NuGet trusted publisher
policy. Tightens permissions from write-all to least privilege.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;

* fix(ci): restore pr-build.yaml permissions to write-all

Only the version tag should have changed, not the permissions.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;

---------

Co-authored-by: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/pr-build.yaml b/.github/workflows/pr-build.yaml
@@ -7,7 +7,7 @@ on:
 permissions: write-all
 jobs:
   build:
-    uses: LayeredCraft/devops-templates/.github/workflows/pr-build.yaml@v8.0
+    uses: LayeredCraft/devops-templates/.github/workflows/pr-build.yaml@v10.0
     with:
       solution: LayeredCraft.StructuredLogging.slnx
       hasTests: true
diff --git a/.github/workflows/pr-title-check.yaml b/.github/workflows/pr-title-check.yaml
@@ -10,4 +10,4 @@ permissions:
 
 jobs:
   validate:
-    uses: LayeredCraft/devops-templates/.github/workflows/pr-title-check.yml@v8.0
+    uses: LayeredCraft/devops-templates/.github/workflows/pr-title-check.yml@v10.0
diff --git a/.github/workflows/publish-preview.yaml b/.github/workflows/publish-preview.yaml
@@ -6,11 +6,13 @@ on:
     branches:
       - main
 
-permissions: write-all
+permissions:
+  contents: write
+  pull-requests: write
 
 jobs:
-  publish:
-    uses: LayeredCraft/devops-templates/.github/workflows/publish-preview.yml@v8.0
+  build:
+    uses: LayeredCraft/devops-templates/.github/workflows/publish-preview.yml@v10.0
     with:
       solution: LayeredCraft.StructuredLogging.slnx
       dotnetVersion: |
@@ -19,4 +21,15 @@ jobs:
         10.0.x
         11.0.x
       hasTests: true
-    secrets: inherit
+    secrets: inherit
+
+  push:
+    needs: build
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - uses: LayeredCraft/devops-templates/.github/actions/nuget-push@v10.0
+        with:
+          nuget_user: ${{ secrets.NUGET_USER }}
diff --git a/.github/workflows/publish-release.yaml b/.github/workflows/publish-release.yaml
@@ -4,11 +4,12 @@ on:
   release:
     types: [published]
 
-permissions: write-all
+permissions:
+  contents: write
 
 jobs:
-  publish:
-    uses: LayeredCraft/devops-templates/.github/workflows/publish-release.yml@v8.0
+  build:
+    uses: LayeredCraft/devops-templates/.github/workflows/publish-release.yml@v10.0
     with:
       solution: LayeredCraft.StructuredLogging.slnx
       dotnetVersion: |
@@ -17,4 +18,15 @@ jobs:
         10.0.x
         11.0.x
       hasTests: true
-    secrets: inherit
+    secrets: inherit
+
+  push:
+    needs: build
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - uses: LayeredCraft/devops-templates/.github/actions/nuget-push@v10.0
+        with:
+          nuget_user: ${{ secrets.NUGET_USER }}
diff --git a/.github/workflows/release-drafter.yaml b/.github/workflows/release-drafter.yaml
@@ -14,7 +14,7 @@ permissions:
 
 jobs:
   draft:
-    uses: LayeredCraft/devops-templates/.github/workflows/release-drafter.yml@v8.0
+    uses: LayeredCraft/devops-templates/.github/workflows/release-drafter.yml@v10.0
     with:
       event_name: ${{ github.event_name }}
       pr_draft: ${{ github.event.pull_request.draft == true }}
