
feat(actions): add nuget trusted publishing

Open micheloliveira-com opened this issue 3 months ago • 0 comments

Fixes #735

Motivation

As described in the official announcement, the new Trusted Publishing feature greatly enhances package publishing security on NuGet.org.

We successfully tested this approach with our own NuGet library:

Required changes in this repository

Recommendation followed from announcement:
For security, always use a GitHub secret like ${{ secrets.NUGET_USER }} for your NuGet.org username (profile name), not your email address.

  • Add secrets.NUGET_USER to this repository, using the NuGet.org username (profile name) of the package owner (Microsoft.Toolkit in this case).
  • The old secrets.NUGET_PACKAGE_PUSH_TOKEN secret can be removed from this repository and also from the NuGet.org account if it was only used here.

One-time configuration on NuGet.org

According to the documentation:

  1. Sign in to NuGet.org.
  2. Open your user menu (top-right) → Trusted Publishing (next to “API Keys”).
  3. Create a policy:
    • Package owner: you or your organization (e.g. Microsoft.Toolkit).
    • Repository owner: your GitHub org/user (e.g. CommunityToolkit).
    • Repository name: repository name (e.g. Windows).
    • Workflow file: the YAML file under .github/workflows/ (e.g. build.yml).
    • Environment (optional): specify if your workflow uses GitHub Actions environments.

This setup eliminates the need for long-lived API keys and improves the overall security of the publishing process.
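The repository-side change (replacing the long-lived push token with the NUGET_USER secret) and the NuGet.org policy described above come together in the publish job of the workflow. The following is an added illustration, not the PR's actual diff to build.yml: the job name, trigger, .NET version, pack output path and step names are assumptions, while the NuGet/login action, its user input and its NUGET_API_KEY output follow the NuGet.org Trusted Publishing documentation. The commented-out step shows the old token-based push for comparison.

```yaml
name: build

on:
  push:
    tags: ['v*']   # assumed trigger; the real workflow's triggers may differ

jobs:
  publish:
    runs-on: ubuntu-latest
    # NuGet.org verifies the job's OIDC token against the trusted-publishing policy
    # (package owner, repository owner, repository name, workflow file).
    # Grant id-token: write only to this job, not workflow-wide.
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v4

      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: '8.0.x'   # assumed

      - name: Pack
        run: dotnet pack --configuration Release --output ./artifacts   # assumed layout

      # BEFORE: long-lived NuGet.org API key stored as a repository secret.
      # - name: Push
      #   run: >
      #     dotnet nuget push ./artifacts/*.nupkg
      #     --api-key ${{ secrets.NUGET_PACKAGE_PUSH_TOKEN }}
      #     --source https://api.nuget.org/v3/index.json

      # AFTER: exchange the job's OIDC token for a short-lived API key.
      # NUGET_USER holds the NuGet.org profile name of the package owner,
      # never the e-mail address.
      - name: NuGet login (trusted publishing)
        id: nuget-login
        uses: NuGet/login@v1
        with:
          user: ${{ secrets.NUGET_USER }}

      - name: Push
        run: >
          dotnet nuget push ./artifacts/*.nupkg
          --api-key ${{ steps.nuget-login.outputs.NUGET_API_KEY }}
          --source https://api.nuget.org/v3/index.json
          --skip-duplicate
```

The login step only succeeds when the repository owner, repository name and workflow file name of the running job match the policy created on NuGet.org, so a workflow copied into a fork or renamed cannot publish under that policy; the key it returns is scoped to the job run and expires on its own, which is what removes the need to keep NUGET_PACKAGE_PUSH_TOKEN in the repository or on the NuGet.org account.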

PR Type

What kind of change does this PR introduce?

NuGet Trusted Publishing in .github/workflows/build.yml.

What is the current behavior?

What is the new behavior?

PR Checklist

Please check if your PR fulfills the following requirements:

  • [x] Created a feature/dev branch in your fork (vs. submitting directly from a commit on main)
  • [x] Based off latest main branch of toolkit
  • [ ] Tested code with current supported SDKs
  • [ ] New component
    • [ ] Documentation has been added
    • [ ] Sample in sample app has been added
    • [ ] Analyzers are passing for documentation and samples
    • [ ] Icon has been created (if new sample) following the Thumbnail Style Guide and templates
  • [ ] Tests for the changes have been added (if applicable)
  • [ ] Header has been added to all new source files
  • [x] Contains NO breaking changes

Other information

micheloliveira-com, Sep 27 '25 13:09