Skip to content

Add OIDC token exchange for NuGet trusted publishing#34

Merged
Aaronontheweb merged 2 commits into
netclaw-dev:devfrom
Aaronontheweb:fix/trusted-publishing-oidc-exchange
Apr 23, 2026
Merged

Add OIDC token exchange for NuGet trusted publishing#34
Aaronontheweb merged 2 commits into
netclaw-dev:devfrom
Aaronontheweb:fix/trusted-publishing-oidc-exchange

Conversation

@Aaronontheweb

Copy link
Copy Markdown
Contributor

Summary

The publish_nuget.yml workflow had id-token: write permission but was never exchanging the GitHub OIDC token for a temporary NuGet API key. As a result, dotnet nuget push fell back to the v2 endpoint and failed with a 401.

Changes

  • Add NuGet/login@v1 step to exchange OIDC token for short-lived API key
  • Pass the temp key via --api-key to both dotnet nuget push commands

Root Cause

Without the NuGet/login step, there was no API key in scope. dotnet nuget push with -s but no --api-key doesn't use the v3 endpoint for trusted publishing — it falls back to v2 (https://www.nuget.org/api/v2/package) which requires a traditional API key.

Fixes the Publish NuGet CI job failure from run #24851085466.

The NuGet/login action exchanges the GitHub OIDC token for a
short-lived API key, which is required for trusted publishing to work.
@Aaronontheweb Aaronontheweb enabled auto-merge (squash) April 23, 2026 18:21
@Aaronontheweb Aaronontheweb merged commit 66a9c42 into netclaw-dev:dev Apr 23, 2026
5 checks passed
@Aaronontheweb Aaronontheweb deleted the fix/trusted-publishing-oidc-exchange branch April 23, 2026 18:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant