You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Migrate .github/workflows/release.yaml off secrets.NUGET_API_KEY and onto NuGet Trusted Publishing (OIDC). Removes the long-lived API key from the repo — every release exchanges the workflow's GitHub OIDC token for an ephemeral (~1-hour) push key via NuGet/login@v1.
Why
Two motivations:
Security posture — no long-lived key on GitHub or NuGet to leak, phish, or forget to rotate. If a workflow secret DOES leak, the blast radius is one workflow run.
Fleet standardization — the SECURITY.md "Release path & compromise scope" appendix (tracked in [Maintenance] docs(security): add Release path & compromise scope appendix to SECURITY.md #140) reads identically across every repo when they are all on OIDC. Currently 9 repos are on OIDC and this one is not — the appendix in this repo would have to say NUGET_API_KEY while the fleet says OIDC.
What to do
1. Configure Trusted Publishing on nuget.org (one-time, manual, before merging the workflow change):
For each package this repo publishes (some repos ship multiple), on nuget.org:
#140 — that appendix will land in this repo's SECURITY.md once this migration is done. The appendix's "Release path" bullet needs to name OIDC for the fleet to be consistent.
Scope
Migrate
.github/workflows/release.yamloffsecrets.NUGET_API_KEYand onto NuGet Trusted Publishing (OIDC). Removes the long-lived API key from the repo — every release exchanges the workflow's GitHub OIDC token for an ephemeral (~1-hour) push key viaNuGet/login@v1.Why
Two motivations:
NUGET_API_KEYwhile the fleet saysOIDC.What to do
1. Configure Trusted Publishing on nuget.org (one-time, manual, before merging the workflow change):
For each package this repo publishes (some repos ship multiple), on nuget.org:
Chris-Wolfgang<this repo name>.github/workflows/release.yaml2. Update
release.yaml:Replace the
publish-nugetjob with the canonical OIDC version. Reference implementations:release.yamlonmain— canonical shapeKey elements:
permissions: { id-token: write, contents: read }(addid-token: write)NuGet/login@8d196754b4036150537f80ac539e15c2f1028841 # v1(SHA-pinned) as a step,id: nuget-login--api-key ${{ steps.nuget-login.outputs.NUGET_API_KEY }}— this is the STEP OUTPUT (ephemeral), NOTsecrets.NUGET_API_KEYNUGET_API_KEYenv-var wiring from the publish job — no repo secret is referencedThis is a change to
.github/workflows/release.yaml, which is a protected file. Merge via admin-bypass perprotected-file-pr-split.3. After first successful OIDC release:
NUGET_API_KEYsecret from repo Settings → Secrets and variables → Actions (removes the last long-lived key).Blocks
#140 — that appendix will land in this repo's SECURITY.md once this migration is done. The appendix's "Release path" bullet needs to name OIDC for the fleet to be consistent.
Fleet context
Snapshot as of 2026-07-14: