CHORE: Use OIDC (Trusted Publishing) instead of PAT for Nuget.

mkholt · mkholt · commit b47c46025f73 · 2025-12-03T09:41:55.000+01:00
https://learn.microsoft.com/en-us/nuget/nuget-org/trusted-publishing
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -14,6 +14,9 @@ on:
 jobs:
   build:
     runs-on: windows-latest
+    permissions:
+      contents: write      # For release asset upload
+      id-token: write      # Required for OIDC token (NuGet Trusted Publishing)
     steps:
     - name: 🚚 Checkout code
       uses: actions/checkout@v4
@@ -61,6 +64,13 @@ jobs:
           ./nupkg/*.nupkg
           ./nupkg/*.snupkg
 
+    - name: 🔑 Login to NuGet (OIDC)
+      id: nuget-login
+      uses: nuget/login@v1
+      if: github.event_name == 'release' || (github.event_name == 'workflow_dispatch' && github.event.inputs.dry_run != 'true')
+      with:
+        nuget-api-url: https://api.nuget.org/v3/index.json
+
     - name: 🚀 Publish to NuGet
       shell: pwsh
       run: |
@@ -88,6 +98,6 @@ jobs:
             Write-Host "Publishing to NuGet..."
             foreach ($file in $nupkgFiles) {
                 Write-Host "Publishing: $($file.FullName)"
-                dotnet nuget push "$($file.FullName)" --api-key ${{ secrets.NUGET_API_KEY }} --source "https://api.nuget.org/v3/index.json" --skip-duplicate
+                dotnet nuget push "$($file.FullName)" --api-key ${{ steps.nuget-login.outputs.NUGET_API_KEY }} --source "https://api.nuget.org/v3/index.json" --skip-duplicate
             }
         }
