ci: upgrade devops-templates to v10.0 with NuGet trusted publishing#46
Conversation
Split publish jobs into build (shared template) and push (composite action) so the OIDC job_workflow_ref matches the NuGet trusted publisher policy. Tightens permissions from write-all to least privilege. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Only the version tag should have changed, not the permissions. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: ca6c0bfa23
| - main | ||
| permissions: write-all | ||
| permissions: | ||
| contents: read |
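Review bot: swapping the top-level `permissions: write-all` for only `contents: read` makes that the ceiling for every job in this file, including the job that `uses:` the reusable `pr-build.yaml@v10.0` template; a called workflow can only receive a subset of the caller's `GITHUB_TOKEN` permissions, so any scope the template declares beyond `contents: read` (such as `id-token: write`) must be granted on the calling job or the run will not start. Add a job-level `permissions:` block on the calling job listing exactly the scopes the template needs rather than reverting to `write-all`.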
Grant the reusable PR build its required permissions
On pull requests, this top-level contents: read is the only permission passed to the reusable job at LayeredCraft/devops-templates/.github/workflows/pr-build.yaml@v10.0. I checked that v10 template and it declares permissions: id-token: write and contents: write; GitHub's reusable workflow docs state caller token permissions can only be downgraded, not elevated, so the called workflow is not allowed to request those permissions and the PR build workflow will fail validation/execution instead of running CI. Please grant the required permissions on this calling job/workflow or use a template that does not request them.
Summary
Upgrades all workflow references from `devops-templates@v8.0` to `v10.0` and converts the publish flows to use NuGet Trusted Publishing (OIDC) via the new `nuget-push` composite action introduced in v10.0.

Changes
- `publish-preview.yaml` and `publish-release.yaml`:
  - Renamed the `publish` job to `build`; it now calls the shared template for version resolution, build, test, pack, and artifact upload only
  - Added a `push` job that uses `LayeredCraft/devops-templates/.github/actions/nuget-push@v10.0` to handle OIDC login and NuGet push
  - Replaced `permissions: write-all` with least-privilege permissions per job
- `pr-build.yaml@v10.0`: replaced `permissions: write-all` with `contents: read`
- `pr-title-check.yaml` and `release-drafter.yaml` to `@v10.0`

Validation
- `publish-preview` flow validated end-to-end on `LayeredCraft/compact-json-formatter` with the same template version and composite action
- `push` job runs in the caller's workflow context, making `job_workflow_ref` match the NuGet trusted publisher policy

Notes for Reviewers
The key architectural reason for splitting build and push into separate jobs: GitHub's OIDC token includes a `job_workflow_ref` claim set to the workflow file where the job physically runs. When `NuGet/login` ran inside the shared reusable workflow, the claim pointed to `devops-templates`, which NuGet.org's trusted publisher policy rejected. Running the push in a composite action (which executes inline in the caller's job) keeps the claim pointed at this repo's workflow file.

The NuGet.org trusted publisher policy for this repo will need to be configured to match `.github/workflows/publish-preview.yaml` and `.github/workflows/publish-release.yaml` before the push jobs will succeed.

🤖 Generated with Claude Code
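The build/push split and the per-job permissions described in the notes above, written out as an added illustration for this page; it is not the repository's actual workflow and not code from the devops-templates project. The reusable template file name `publish.yaml`, the artifact name `packages`, and the `nuget-push` input `package-path` are assumptions, since the v10.0 template and action define their own names and the PR page does not show them.

```yaml
# Added illustration only; assumed names are marked in comments.
name: publish-preview

on:
  push:
    branches: [main]

# Workflow-wide default: the token can only read the checkout.
# Every job inherits this unless it declares its own block below.
permissions:
  contents: read

jobs:
  # The build runs inside the shared reusable workflow. For this job the
  # OIDC job_workflow_ref claim would name devops-templates, so no NuGet
  # login happens here; it only produces the package artifact.
  build:
    # A caller can narrow but never widen GITHUB_TOKEN permissions for a
    # called workflow, so this block must cover whatever the template
    # declares, or the run fails before it starts.
    permissions:
      contents: read
    uses: LayeredCraft/devops-templates/.github/workflows/publish.yaml@v10.0  # assumed template name

  # The push runs inline in this job, so job_workflow_ref is
  # <owner>/<repo>/.github/workflows/publish-preview.yaml@<ref>, which is
  # the value the NuGet.org trusted publisher policy for this repo matches.
  push:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # required to mint the OIDC token for NuGet login
      contents: read    # nothing else; the job does not write to the repo
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: packages      # assumed artifact name
          path: ./artifacts
      - uses: LayeredCraft/devops-templates/.github/actions/nuget-push@v10.0
        with:
          package-path: ./artifacts/*.nupkg   # assumed input name
```

The point worth checking in review is the `permissions:` block on the `build` job: because the top-level block no longer says `write-all`, the `uses:` job gets exactly what is listed there and nothing more, so it has to be kept in step with what the pinned template version declares.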