From 6d6d9452ae03abe8088d01df239c419d38070186 Mon Sep 17 00:00:00 2001
From: Brant Burnett
Date: Thu, 27 Nov 2025 09:52:59 -0500
Subject: [PATCH 1/4] Use OIDC to authenticate with NuGet.org
---
 .github/workflows/build.yml | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index e52f442..93dc87d 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -10,6 +10,10 @@ jobs:
 build:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ id-token: write
+
 steps:
 - name: Checkout
 uses: actions/checkout@v5
@@ -66,8 +70,15 @@ jobs:
 dotnet nuget add source --name github https://nuget.pkg.github.com/CenterEdge/index.json &&
 dotnet nuget push **/*.${{ steps.gitversion.outputs.fullSemVer }}.nupkg -k ${{ secrets.GITHUB_TOKEN }} -s github
+ - name: NuGet login (OIDC → temp API key)
+ if: ${{ startsWith(github.ref, 'refs/tags/') }}
+ uses: NuGet/login@v1
+ id: login
+ with:
+ user: ${{ vars.NUGET_USER }}
+
 - name: Push to NuGet.org
 working-directory: ./src
 # Publish tagged releases to NuGet.org
 if: ${{ startsWith(github.ref, 'refs/tags/') }}
- run: dotnet nuget push **/*.${{ steps.gitversion.outputs.fullSemVer }}.nupkg -k ${{ secrets.NUGET_API_KEY }} -s nuget.org
+ run: dotnet nuget push **/*.${{ steps.gitversion.outputs.fullSemVer }}.nupkg -k ${{ steps.login.outputs.NUGET_API_KEY }} -s nuget.org
From 95aa0e45299a82a0a23248e7edfec4f3e8a02c92 Mon Sep 17 00:00:00 2001
From: Brant Burnett
Date: Thu, 27 Nov 2025 09:55:10 -0500
Subject: [PATCH 2/4] allow packages write
---
 .github/workflows/build.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 93dc87d..759d29e 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -13,6 +13,7 @@ jobs:
 permissions:
 contents: read
 id-token: write
+ packages: write
 steps:
 - name: Checkout 
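Review bot: `id-token: write` is declared at job level in the first hunk, so every run of the build job — not only the tag builds that call NuGet/login in the second hunk — can request an OIDC token, and the `packages: write` added in patch 2/4 widens the same job-wide grant. Moving the login and push steps into a separate publish job that carries those grants (with `needs: build`) would leave the build/test steps at `contents: read` only, which is all checkout needs. The job body continues outside the hunk.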
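Review bot: `uses: NuGet/login@v1` pins the step that mints the NuGet.org publish credential only to a mutable major-version tag; pin it to a full commit SHA with the tag as a trailing comment, `uses: NuGet/login@<full-commit-sha>  # v1`, and consider the same for `actions/checkout@v5` in the first hunk. The minted key is also interpolated straight into the shell line of the push step; routing it through `env:` as `NUGET_API_KEY: ${{ steps.login.outputs.NUGET_API_KEY }}` and using `-k "$NUGET_API_KEY"` keeps it out of the rendered script, and it is worth confirming that the action registers that output as a secret so it is masked in logs. The step list may continue beyond the hunk.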
From 78b0f9738068ede15c590e6f9092c3ab34feda9c Mon Sep 17 00:00:00 2001
From: Brant Burnett
Date: Thu, 27 Nov 2025 09:58:39 -0500
Subject: [PATCH 3/4] skip packages upload from forks
---
 .github/workflows/build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 759d29e..c80553a 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -66,7 +66,7 @@ jobs:
 - name: Push
 working-directory: ./src
 # Publish CI packages from PRs and tagged releases
- if: ${{ startsWith(github.ref, 'refs/tags/') || startsWith(github.ref, 'refs/pull/') }}
+ if: ${{ (startsWith(github.ref, 'refs/tags/') || startsWith(github.ref, 'refs/pull/')) && !github.event.pull_request.head.repo.fork }}
 run: |
 dotnet nuget add source --name github https://nuget.pkg.github.com/CenterEdge/index.json &&
 dotnet nuget push **/*.${{ steps.gitversion.outputs.fullSemVer }}.nupkg -k ${{ secrets.GITHUB_TOKEN }} -s github
From 1905489b19a911839a581a7531ff408a050b2de7 Mon Sep 17 00:00:00 2001
From: Brant Burnett
Date: Thu, 27 Nov 2025 10:01:38 -0500
Subject: [PATCH 4/4] smarter
---
 .github/workflows/build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index c80553a..ea2c8d1 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -66,7 +66,7 @@ jobs:
 - name: Push
 working-directory: ./src
 # Publish CI packages from PRs and tagged releases
- if: ${{ (startsWith(github.ref, 'refs/tags/') || startsWith(github.ref, 'refs/pull/')) && !github.event.pull_request.head.repo.fork }}
+ if: ${{ startsWith(github.ref, 'refs/tags/') || (startsWith(github.ref, 'refs/pull/')) && !github.event.pull_request.head.repo.fork }}
 run: |
 dotnet nuget add source --name github https://nuget.pkg.github.com/CenterEdge/index.json &&
 dotnet nuget push **/*.${{ steps.gitversion.outputs.fullSemVer }}.nupkg -k ${{ secrets.GITHUB_TOKEN }} -s github
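Review bot: The context comment `# Publish CI packages from PRs and tagged releases` directly above the changed `if:` no longer describes the condition, which now skips pull requests whose head repository is a fork; update it to `# Publish CI packages from same-repo PRs and tagged releases (fork PRs cannot push with GITHUB_TOKEN)`. The same stale comment is carried unchanged into the hunk of patch 4/4. The `run:` block scalar is shown in full, but the surrounding steps list continues outside the hunk.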
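Review bot: The new condition parenthesises `startsWith(github.ref, 'refs/pull/')` on its own, so the intended grouping — the fork exclusion applying only to pull-request refs — rests on `&&` binding tighter than `||` in the expression grammar rather than on the brackets. Writing it as `if: ${{ startsWith(github.ref, 'refs/tags/') || (startsWith(github.ref, 'refs/pull/') && !github.event.pull_request.head.repo.fork) }}` makes the grouping explicit. Behaviour appears unchanged, but the stray parentheses read as if the tag case were still meant to be combined with the fork test, which is exactly what this patch set out to undo.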