Skip to content

Use NuGet Trusted Publishing (OIDC) instead of static API key #19

Use NuGet Trusted Publishing (OIDC) instead of static API key

Use NuGet Trusted Publishing (OIDC) instead of static API key #19

name: RocketModFix.UnityEngine.Redist
on:
push:
branches: [ master ]
paths:
- 'redist/**'
- '.github/workflows/RocketModFix.UnityEngine.Redist.yaml'
workflow_dispatch:
jobs:
build:
name: "RocketModFix.UnityEngine.Redist Pack"
runs-on: ubuntu-22.04
# Trusted Publishing: id-token lets NuGet/login mint a short-lived key via OIDC.
permissions:
contents: read
id-token: write
steps:
- uses: actions/checkout@v7
- uses: actions/setup-dotnet@v5
name: Setup .NET
env:
DOTNET_NOLOGO: true
DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true
DOTNET_CLI_TELEMETRY_OPTOUT: true
with:
dotnet-version: 8.x
- uses: nuget/setup-nuget@v4
name: Setup NuGet
with:
nuget-version: '5.x'
- name: Pack
run: nuget pack redist/RocketModFix.UnityEngine.Redist.nuspec
# Exchange the GitHub OIDC token for a ~1h NuGet key, right before push.
- name: NuGet login (OIDC -> temp API key)
uses: NuGet/login@v1
id: nuget-login
with:
user: ${{ secrets.NUGET_USER }}
- name: Push to NuGet
run: dotnet nuget push *.nupkg --api-key ${{ steps.nuget-login.outputs.NUGET_API_KEY }} --source https://api.nuget.org/v3/index.json