# Migrate to NuGet.org Trusted Publishing (OIDC) · Issue #7 · ByteAether/QueryLink
Opengraph URL: https://github.com/ByteAether/QueryLink/issues/7
Opened by Seramis on 2025-12-21. No comments.

## Description

We currently publish NuGet packages using a static `NUGET_API_KEY`. We need to migrate this process to use **NuGet.org's trusted publishing** feature (OIDC). Instead of a long-lived API key stored as a repository secret, the workflow presents a short-lived GitHub OIDC token to NuGet.org, which matches it against a trusted publisher policy bound to this repository and workflow file and returns a temporary API key valid only for that run. There is then no long-lived key to leak, rotate, or revoke.

This migration is split into two parts: **Part 1** updates the workflow file and can be merged now. **Part 2** configures the trusted publisher on NuGet.org and should be done right before the next release: a newly created policy is confirmed by the first successful publish and expires if it goes unused, so creating it long before the release risks having to recreate it.

**Official Documentation:**

 * [NuGet.org Trusted Publishing](https://learn.microsoft.com/en-us/nuget/nuget-org/trusted-publishing)
 * [Recommended GitHub Action approach](https://andrewlock.net/easily-publishing-nuget-packages-from-github-actions-with-trusted-publishing/)

-----

## Part 1: Prepare Workflow and Secrets (Can be done now)

This part updates the repository's workflow file to use OIDC and adds the secret the login step needs. Note that once the static key is removed from the push step, a publish run will fail at the login step until the trusted publisher policy from Part 2 exists, so do not cut a release between merging Part 1 and finishing Part 2.

### 1. Configure Repository Secret

 * [x] Go to **Settings > Secrets and variables > Actions**.
 * [x] Add a new repository secret named: `NUGET_USER`
 * [x] The value of this secret is the **NuGet.org username** (the account's profile name on nuget.org) of the account that owns the package(s). It is not sensitive by itself, but keeping it as a secret keeps it out of the workflow file.

### 2. Update `publish-nuget.yml`

 * [ ] In `.github/workflows/publish-nuget.yml`, find the `publish` job.

 * [ ] **Add the `permissions` block** to the `publish` job. `id-token: write` is required for GitHub to issue the OIDC token. A job-level `permissions` block replaces the default token permissions, so also grant `contents: read`, which `actions/checkout` needs:

 ```yaml
 jobs:
   publish:
     runs-on: ubuntu-latest
     permissions:         # Add this block
       contents: read     # needed by actions/checkout
       id-token: write    # required for OIDC token issuance

     steps:
       - name: Checkout code
       # ... rest of the steps ...
 ```

 * [ ] **Add a new step** that uses the `NuGet/login@v1` action to exchange the OIDC token for a temporary API key. Place this step before the "Publish to NuGet" step. Since this step hands out publishing credentials, pinning it to a full commit SHA instead of the mutable `v1` tag is preferable:

 ```yaml
 # ... previous steps (e.g., build, pack) ...

 - name: NuGet login (OIDC -> temp API key)
   uses: NuGet/login@v1
   id: login
   with:
     # This secret is configured in step 1 of Part 1.
     user: ${{ secrets.NUGET_USER }}

 # The next step uses the output of this 'login' step.
 ```

 * [ ] **Update the "Publish to NuGet" step** to **remove** the static `secrets.NUGET_API_KEY` and **use the temporary key** generated by the `NuGet/login` step:

 * **Before:**

 ```yaml
 - name: Publish to NuGet
   run: dotnet nuget push ./output/*.nupkg --api-key ${{ secrets.NUGET_API_KEY }} --source https://api.nuget.org/v3/index.json
 ```

 * **After:**

 ```yaml
 - name: Publish to NuGet
   # IMPORTANT: Use the output of the 'login' step (steps.login.outputs.NUGET_API_KEY)
   run: dotnet nuget push ./output/*.nupkg --api-key ${{ steps.login.outputs.NUGET_API_KEY }} --source https://api.nuget.org/v3/index.json
 ```

 * [ ] **Merge** these changes into the main branch. From this point the workflow no longer reads `NUGET_API_KEY`; the next publish run requires the trusted publisher policy from Part 2.

-----

## Part 2: Go-Live at Next Release (Do all at once)

Perform these steps when you are ready to publish the next package version and fully switch to Trusted Publishing.

### 1. Configure nuget.org Trusted Publisher

 * [ ] Go to nuget.org and log in to the account that owns the package(s).
 * [ ] Navigate to **Manage Account > Trusted Publishers**.
 * [ ] Add a new trusted publisher with the following details. NuGet.org matches these against the claims in the workflow's OIDC token, so each value must match the repository and workflow exactly:
   * **GitHub Owner:** `ByteAether`
   * **GitHub Repository:** `QueryLink`
   * **GitHub workflow file:** `publish-nuget.yml`
   * **GitHub environment:** Leave this field **blank** unless the `publish` job declares a protected `environment:`. Without an environment, any run of `publish-nuget.yml` in this repository (from any branch or trigger the workflow accepts) can obtain a publishing key; naming a protected environment here restricts key issuance to runs that passed that environment's protection rules.

### 2. Trigger Publish & Verify

 * [ ] Trigger the release workflow (e.g., by publishing a new release or using `workflow_dispatch`).
 * [ ] Go to the "Actions" tab and confirm the workflow runs successfully.
 * [ ] Check the workflow logs for the "NuGet login" and "Publish to NuGet" steps to ensure they completed without errors. A failure in the login step most likely means a policy field (owner, repository, workflow file name, environment) does not match the run.
 * [ ] Verify the new package version is visible on nuget.org.

### 3. Cleanup (If organization doesn't use `NUGET_API_KEY` anywhere anymore)

 * [ ] After verifying the new publishing method works, go to **Settings > Secrets and variables > Actions**.
 * [ ] **Delete** the old `NUGET_API_KEY` repository secret. **Do not delete `NUGET_USER`**.
 * [ ] Deleting the GitHub secret does not invalidate the key itself. Also revoke it under **Manage Account > API Keys** on nuget.org, so that a previously leaked copy cannot still publish.
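The fragments above assembled into one complete workflow, as an added example rather than the repository's actual `publish-nuget.yml`. It assumes the package is packed into `./output` (as in the push command above), that releases are triggered by publishing a GitHub release, that the .NET SDK version is `9.0.x`, and that a protected GitHub environment named `nuget` exists; the environment name, SDK version and `actions/setup-dotnet` step are assumptions, not something the issue specifies. If you do not use an environment, drop the `environment:` line and leave the policy's environment field blank.

```yaml
name: Publish to NuGet

on:
  release:
    types: [published]
  workflow_dispatch:

jobs:
  publish:
    runs-on: ubuntu-latest
    # Assumed: a GitHub environment named "nuget" with protection rules
    # (e.g. required reviewers). Put the same name in the trusted publisher
    # policy's environment field so NuGet.org only accepts OIDC tokens from
    # runs that passed the gate.
    environment: nuget
    # A job-level permissions block replaces the defaults: anything not
    # listed here is "none".
    permissions:
      contents: read   # needed by actions/checkout
      id-token: write  # lets the job request a GitHub OIDC token for NuGet.org

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: 9.0.x   # assumed SDK version

      - name: Build and pack
        run: |
          dotnet restore
          dotnet build --configuration Release --no-restore
          dotnet pack --configuration Release --no-build --output ./output

      # Exchanges this run's OIDC token for a short-lived NuGet.org API key.
      # Nothing long-lived is stored in GitHub: NUGET_USER is only the
      # account name, and the key returned here is valid for this run only.
      - name: NuGet login (OIDC -> temp API key)
        uses: NuGet/login@v1
        id: login
        with:
          user: ${{ secrets.NUGET_USER }}

      # --skip-duplicate lets a re-run after a partial failure succeed
      # instead of failing on a version that was already pushed.
      - name: Publish to NuGet
        run: >
          dotnet nuget push ./output/*.nupkg
          --api-key ${{ steps.login.outputs.NUGET_API_KEY }}
          --source https://api.nuget.org/v3/index.json
          --skip-duplicate
```

Pin `actions/checkout`, `actions/setup-dotnet` and especially `NuGet/login` to full commit SHAs in the real file; the version tags are used above only for readability.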