chore(CD): switch from secret API key to Trusted Publishing on nuget.org; drop pre-release pipeline (#142)

hf-kklein · Konstantin · web-flow · commit 85169173b641 · 2025-12-01T09:02:46.000+01:00
* chore(CD): switch from secret API key to Trusted Publishing on nuget.org

+ run CI on .net10 mostly

* Update README to remove pre-release information

Removed pre-release NuGet badge and release workflow instructions.

---------

Co-authored-by: Konstantin &lt;konstantin.klein+github@hochfrequenz.de&gt;
diff --git a/.github/workflows/formatter.yml b/.github/workflows/formatter.yml
@@ -7,10 +7,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
-      - name: Setup .NET 9
+      - name: Setup .NET
         uses: actions/setup-dotnet@v5
         with:
-          dotnet-version: 9
+          dotnet-version: 10
       - name: Restore .NET tools
         working-directory: ./ChronoJsonDiffPatch
         run: dotnet tool restore
diff --git a/.github/workflows/nuget_package_push.yml b/.github/workflows/nuget_package_push.yml
@@ -7,15 +7,19 @@ on:
 
 jobs:
   pushrelease:
-    runs-on: windows-latest
+    runs-on: ubuntu-latest
     env:
       ACTIONS_ALLOW_UNSECURE_COMMANDS: "true"
+    permissions:
+      id-token: write # enable GitHub OIDC token issuance for this job
+    environment: "release" # has to match the policy name in the nuget.org Trusted Publishing setup.
+    # if the environment name is not set here, you'll run into an error message like "Error: Token exchange failed (401): Environment mismatch for policy 'release': expected 'release', actual ''"
     steps:
       - uses: actions/checkout@v6
       - name: Setup .NET Core
         uses: actions/setup-dotnet@v5
         with:
-          dotnet-version: 8.0.100
+          dotnet-version: 10
       - uses: olegtarasov/get-tag@v2.1
         id: tagChrono
         with:
@@ -29,12 +33,13 @@ jobs:
       - name: Create Package ChronoJsonDiffPatch (dotnet pack)
         working-directory: "ChronoJsonDiffPatch/ChronoJsonDiffPatch"
         run: dotnet pack ChronoJsonDiffPatch.csproj --configuration Release -p:PackageVersion="${{ steps.tagChrono.outputs.tag }}"
-      - name: Setup Nuget.exe
-        uses: warrenbuckley/Setup-Nuget@v1
+      - name: NuGet login (OIDC → temp API key)
+        uses: NuGet/login@v1
+        id: login
+        with:
+          user: hf-kklein
+        # because the package is owned by hf-kklein: https://www.nuget.org/packages/ChronoJsonDiffPatch/
       - name: Nuget push ChronoJsonDiffPatch
         working-directory: "ChronoJsonDiffPatch/ChronoJsonDiffPatch"
-        # token: https://github.com/Hochfrequenz/chrono_json_diff_patch/settings/secrets/actions/NUGET_ORG_PUSH_TOKEN
-        # expires 2026-09-21
         run: |
-          nuget setApiKey ${{ secrets.NUGET_ORG_PUSH_TOKEN }}
-          nuget push .\bin\Release\*.nupkg -Source https://api.nuget.org/v3/index.json -SkipDuplicate -NoSymbols
+          dotnet nuget push ./bin/Release/*.nupkg --source https://api.nuget.org/v3/index.json  --api-key ${{steps.login.outputs.NUGET_API_KEY}} --skip-duplicate
diff --git a/.github/workflows/nuget_package_push_prerelease.yml b/.github/workflows/nuget_package_push_prerelease.yml
diff --git a/.github/workflows/unittests_and_coverage.yml b/.github/workflows/unittests_and_coverage.yml
@@ -7,7 +7,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        dotnet-version: [ "9" ]
+        dotnet-version: [ "9", "10" ]
     steps:
       - uses: actions/checkout@v6
       - name: Setup .NET Core
@@ -25,7 +25,7 @@ jobs:
       - name: Setup .NET Core
         uses: actions/setup-dotnet@v5
         with:
-          dotnet-version: 9
+          dotnet-version: 10
       - name: Install dependencies
         working-directory: ./ChronoJsonDiffPatch
         run: dotnet restore
diff --git a/README.md b/README.md
@@ -15,7 +15,6 @@ dotnet add package ChronoJsonDiffPatch
 | Version     | Number                                                                  |
 | ----------- | ----------------------------------------------------------------------- |
 | Stable      | ![Nuget Package](https://badgen.net/nuget/v/ChronoJsonDiffPatch)        |
-| Pre-Release | ![Nuget Prerelease](https://badgen.net/nuget/v/ChronoJsonDiffPatch/pre) |
 
 ## Usage / Minimal Working Example
 
@@ -134,8 +133,5 @@ The patches then look like this:
 - The code has [at least a 90%](https://github.com/Hochfrequenz/chrono_json_diff_patch/blob/main/.github/workflows/unittests_and_coverage.yml#L34) unit test coverage. ✔️
 - The ChronoJsonDiffPatch package has no dependencies except for `TimePeriodLibrary.NET` and `JsonDiffPatch.NET`. ✔️
 
-## Release Workflow
-
-To create a **pre-release** nuget package, create a tag of the form `prerelease-vx.y.z` where `x.y.z` is the semantic version of the pre-release. This will create and push nuget packages with the specified version `x.y.z` and a `-betaYYYYMMDDHHmmss` suffix.
 
 To create a **release** nuget package, create a tag of the form `vx.y.z` where `x.y.z` is the semantic version of the release. This will create and push nuget packages with the specified version `x.y.z`.
