dotnet
feat(actions): add nuget trusted publishing
Motivation
As described in the official announcement, the new Trusted Publishing feature greatly enhances package publishing security on NuGet.org.
We successfully tested this approach with our own NuGet library:
Required changes in this repository
Recommendation followed from announcement:
For security, always use a GitHub secret like${{ secrets.NUGET_USER }}for your NuGet.org username (profile name), not your email address.
- Add
secrets.NUGET_USERto this repository, using the NuGet.org username (profile name) of the package owner ( dotnetfoundation in this case). - The old
secrets.NUGET_APIKEYsecret can be removed from this repository and also from the NuGet.org account if it was only used here.
One-time configuration on NuGet.org
According to the documentation:
- Sign in to NuGet.org.
- Open your user menu (top-right) → Trusted Publishing (next to “API Keys”).
- Create a policy:
- Package owner: you or your organization (e.g.
dotnetfoundation). - Repository owner: your GitHub org/user (e.g.
dotnet). - Repository name: repository name (e.g.
Open-XML-SDK). - Workflow file: the YAML file under
.github/workflows/(e.g.release.yml). - Environment (optional): specify if your workflow uses GitHub Actions environments.
- Package owner: you or your organization (e.g.
This setup eliminates the need for long-lived API keys and improves the overall security of the publishing process.
Test Results
58 files - 2 58 suites - 2 57m 58s ⏱️ + 4m 44s 2 060 tests ± 0 2 057 ✅ ± 0 3 💤 ±0 0 ❌ ±0 32 325 runs - 207 32 289 ✅ - 207 36 💤 ±0 0 ❌ ±0
Results for commit ed6f1819. ± Comparison against base commit 307fa23e.
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}
@twsouthwick, @tomjebo ,
This looks like a good idea to me, what do you think?
