Skip to content

ci: publish to NuGet via Trusted Publishing (OIDC)#183

Merged
mikekono merged 3 commits into
masterfrom
judah/nuget-trusted-publishing-oidc
Jun 26, 2026
Merged

ci: publish to NuGet via Trusted Publishing (OIDC)#183
mikekono merged 3 commits into
masterfrom
judah/nuget-trusted-publishing-oidc

Conversation

@fern-support

Copy link
Copy Markdown
Collaborator

What

Switches NuGet publishing from a long-lived NUGET_API_KEY secret to nuget.org Trusted Publishing (OIDC).

The inline Publish to nuget.org step is removed from the ci job and replaced with a dedicated publish job (needs: [ci]) that mints a short-lived key via NuGet/login@v1 using a GitHub OIDC token.

Why

The NUGET_API_KEY recently expired and blocked the 44.1.0-rc.0 publish. Trusted Publishing removes the long-lived secret entirely — keys are short-lived (~1h) and minted per-run, so there's nothing to store or rotate.

This mirrors the OIDC workflow now generated first-class by fern-csharp-sdk 2.69.0 (fern-api/fern#16725). The OIDC mechanics here are copied from that generator's output; the surrounding scaffold is kept aligned to this repo (solution build, dotnet 8.x, legacy-tag exclusions). Since ci.yml is in .fernignore, those customizations are preserved rather than regenerated away.

A separate publish job (vs. inlining into ci) deliberately scopes id-token: write to publishing only, keeping the OIDC mint permission off the job that runs test code.

Required before this can publish

Done on nuget.org (repo admin / Square side):

  1. nuget.org → user menu → Trusted Publishing → create policy:
    • Repository Owner: square
    • Repository: square-dotnet-sdk
    • Workflow File: ci.yml (filename only, no path)
  2. Add a repo secret NUGET_USER = your nuget.org profile name (not email).
  3. After the first successful publish, delete the old NUGET_API_KEY secret.

Notes

  • ci.yml filename is part of the trust-policy contract — renaming it requires updating the policy.
  • continue-on-error: true on tests is preserved, so test failures still don't gate publishing (needs: [ci] proceeds because the ci job stays green).
  • Legacy tags are already excluded at the on: trigger level, so the publish job's if needs no extra guard.

Replace the long-lived NUGET_API_KEY publish step with nuget.org Trusted
Publishing. A dedicated publish job (needs: [ci]) mints a short-lived key via
NuGet/login@v1 using GitHub OIDC, scoping id-token: write to publishing only
(off the test-running job).

Mirrors the OIDC workflow now generated first-class by fern-csharp-sdk 2.69.0
(fern-api/fern#16725), adapted to this repo's solution build, dotnet 8.x, and
legacy-tag exclusions. ci.yml stays in .fernignore so these customizations are
preserved.

Requires a nuget.org trust policy (owner=square, repo=square-dotnet-sdk,
workflow=ci.yml) and a NUGET_USER secret; the NUGET_API_KEY secret can be
removed after the first successful publish.
Comment thread .github/workflows/ci.yml Fixed
Comment thread .github/workflows/ci.yml Fixed
Comment thread .github/workflows/ci.yml Fixed
@mikekono mikekono merged commit ec1e8a6 into master Jun 26, 2026
7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants