diff --git a/.github/workflows/publish-libraries.yml b/.github/workflows/publish-libraries.yml
index ec18b69e2..50271ad80 100644
--- a/.github/workflows/publish-libraries.yml
+++ b/.github/workflows/publish-libraries.yml
@@ -140,6 +140,8 @@ jobs:
 if: ${{ needs.preflight.outputs.dry_run == 'false' }}
 needs: [preflight, nuget-merge]
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write
 steps:
 - name: Download NuGet packages artifact
@@ -148,6 +150,12 @@ jobs:
 name: nupkg
 path: nuget-packages
 
+ - name: NuGet login (OIDC)
+ id: nuget-login
+ uses: NuGet/login@v1
+ with:
+ user: ${{ secrets.NUGET_BOT_USERNAME }}
+
 - name: Publish to nuget.org
 run: |
 Set-PSDebug -Trace 1
@@ -161,7 +169,7 @@ jobs:
 'push',
 "$File",
 '--api-key',
- '${{ secrets.NUGET_API_KEY }}',
+ '${{ steps.nuget-login.outputs.NUGET_API_KEY }}',
 '--source',
 'https://api.nuget.org/v3/index.json',
 '--skip-duplicate'
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 708f034be..5c978217e 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -507,6 +507,8 @@ jobs:
 if: ${{ needs.preflight.outputs.skip-publishing == 'false' || inputs.dry-run }}
 needs: [preflight]
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write
 steps:
 - name: Download jetsocat-nuget artifact
@@ -515,6 +517,12 @@ jobs:
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
+ - name: NuGet login (OIDC)
+ id: nuget-login
+ uses: NuGet/login@v1
+ with:
+ user: ${{ secrets.NUGET_BOT_USERNAME }}
+
 - name: Publish Jetsocat NuGet package
 run: |
 Set-PSDebug -Trace 1
@@ -528,7 +536,7 @@ jobs:
 'push',
 "$($Package.FullName)",
 '--api-key',
- '${{ secrets.NUGET_API_KEY }}',
+ '${{ steps.nuget-login.outputs.NUGET_API_KEY }}',
 '--source',
 'https://api.nuget.org/v3/index.json',
 '--skip-duplicate'
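Review bot: Declaring `permissions:` at job level sets every scope not listed to `none`, so after this hunk the job's GITHUB_TOKEN carries `id-token: write` and nothing else, in particular no `contents: read`. That is most relevant to the matching hunk in release.yml, where the step preceding the new login still sets `env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}`; if that token is used to fetch release assets, the job now needs `contents: read` listed next to `id-token: write`. The publish-libraries job appears to download only a same-run artifact, which should not need further scopes, but the step's `uses:` line lies outside this hunk, so confirm against the full job definition.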
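Review bot: `uses: NuGet/login@v1` pins the action that receives the OIDC token and returns the publishing key by a mutable major tag; for a step whose output is the API key itself, pin to a full commit SHA and keep the tag as a comment, `uses: NuGet/login@<commit-sha>  # v1` (placeholder for the verified SHA), so a moved tag cannot replace the code that handles the credential. The identical step added in release.yml should be pinned the same way. The `id-token: write` grant this action needs is added in the previous hunk.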
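Review bot: The key is still expanded straight into the script text via `'${{ steps.nuget-login.outputs.NUGET_API_KEY }}'`, and this `run:` block opens with `Set-PSDebug -Trace 1` (visible as context in the previous hunk), which echoes each statement as it executes, so the literal key reaches the job log unless the action has registered its output with `::add-mask::`. Pass it through the environment instead: add `env:` with `NUGET_API_KEY: ${{ steps.nuget-login.outputs.NUGET_API_KEY }}` on the step and use `$env:NUGET_API_KEY` in the argument list, which keeps the value out of the traced script text. The same change applies to the corresponding hunk in release.yml. The `run:` block starts outside this hunk.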