chore(CD): switch from secret API key to Trusted Publishing (#144)

hf-kklein · Konstantin · web-flow · commit 5bd2cdcdd67d · 2025-12-01T10:00:17.000+01:00
Co-authored-by: Konstantin &lt;konstantin.klein+github@hochfrequenz.de&gt;
diff --git a/.github/workflows/dependabot-automerge.yml b/.github/workflows/dependabot-automerge.yml
@@ -17,7 +17,7 @@ jobs:
         run: |
           curl -s https://github.com/web-flow.gpg | gpg --import
           echo "Imported GitHub keys."
-          
+
           echo "Verifying signature of commit: $GITHUB_SHA"
           if ! git verify-commit "$GITHUB_SHA"; then
             echo "Commit signature verification failed."
@@ -26,4 +26,4 @@ jobs:
       - name: Approve a PR
         run: gh pr review --approve "$PR_URL"
       - name: Enable auto-merge for Dependabot PRs
-        run: gh pr merge --auto --squash "$PR_URL"
+        run: gh pr merge --auto --squash "$PR_URL"
diff --git a/.github/workflows/release_nuget.yml b/.github/workflows/release_nuget.yml
@@ -35,9 +35,15 @@ jobs:
   push_release:
     needs: run_tests
     if: startsWith(github.ref, 'refs/tags/v')
-    runs-on: windows-latest
+    runs-on: ubuntu-latest
     env:
       ACTIONS_ALLOW_UNSECURE_COMMANDS: "true"
+    environment: "release" # has to match the policy name in the nuget.org Trusted Publishing setup.
+    # if the environment name is not set here, you'll run into an error message like "Error: Token exchange failed (401): Environment mismatch for policy 'release': expected 'release', actual ''"
+    # This job is based on the Trusted Publishing Setup.
+    # See https://learn.microsoft.com/en-us/nuget/nuget-org/trusted-publishing for details.
+    permissions:
+      id-token: write # enable GitHub OIDC token issuance for this job
     steps:
       - uses: actions/checkout@v6
       - name: Setup .NET Core
@@ -54,12 +60,13 @@ jobs:
       - name: Create Package TransformerBeeClient (dotnet pack)
         working-directory: "TransformerBeeClient/TransformerBeeClient"
         run: dotnet pack TransformerBeeClient.csproj --configuration Release -p:PackageVersion="${{ steps.tagTBC.outputs.tag }}"
-      - name: Setup Nuget.exe
-        uses: warrenbuckley/Setup-Nuget@v1
+      - name: NuGet login (OIDC → temp API key)
+        uses: NuGet/login@v1
+        id: login
+        with:
+          user: Hochfrequenz
+          # because the package is owned by hochfrequenz: https://www.nuget.org/packages/TransformerBeeClient
       - name: Nuget push TransformerBeeClient
         working-directory: "TransformerBeeClient/TransformerBeeClient"
-        # token: https://github.com/Hochfrequenz/TransformerBeeClient/settings/secrets/actions/NUGET_ORG_PUSH_TOKEN
-        # expires 2025-02-01
         run: |
-          nuget setApiKey ${{ secrets.NUGET_ORG_PUSH_TOKEN }}
-          nuget push .\bin\Release\*.nupkg -Source https://api.nuget.org/v3/index.json -SkipDuplicate -NoSymbols
+          dotnet nuget push ./bin/Release/*.nupkg --api-key ${{steps.login.outputs.NUGET_API_KEY}} --source https://api.nuget.org/v3/index.json --skip-duplicate
