ci: publish to NuGet via Trusted Publishing (OIDC)#183
Merged
Conversation
Replace the long-lived NUGET_API_KEY publish step with nuget.org Trusted Publishing. A dedicated publish job (needs: [ci]) mints a short-lived key via NuGet/login@v1 using GitHub OIDC, scoping id-token: write to publishing only (off the test-running job). Mirrors the OIDC workflow now generated first-class by fern-csharp-sdk 2.69.0 (fern-api/fern#16725), adapted to this repo's solution build, dotnet 8.x, and legacy-tag exclusions. ci.yml stays in .fernignore so these customizations are preserved. Requires a nuget.org trust policy (owner=square, repo=square-dotnet-sdk, workflow=ci.yml) and a NUGET_USER secret; the NUGET_API_KEY secret can be removed after the first successful publish.
mikekono
approved these changes
Jun 26, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Switches NuGet publishing from a long-lived
NUGET_API_KEYsecret to nuget.org Trusted Publishing (OIDC).The inline
Publish to nuget.orgstep is removed from thecijob and replaced with a dedicatedpublishjob (needs: [ci]) that mints a short-lived key viaNuGet/login@v1using a GitHub OIDC token.Why
The
NUGET_API_KEYrecently expired and blocked the44.1.0-rc.0publish. Trusted Publishing removes the long-lived secret entirely — keys are short-lived (~1h) and minted per-run, so there's nothing to store or rotate.This mirrors the OIDC workflow now generated first-class by
fern-csharp-sdk2.69.0 (fern-api/fern#16725). The OIDC mechanics here are copied from that generator's output; the surrounding scaffold is kept aligned to this repo (solution build, dotnet 8.x, legacy-tag exclusions). Sinceci.ymlis in.fernignore, those customizations are preserved rather than regenerated away.A separate
publishjob (vs. inlining intoci) deliberately scopesid-token: writeto publishing only, keeping the OIDC mint permission off the job that runs test code.Required before this can publish
Done on nuget.org (repo admin / Square side):
squaresquare-dotnet-sdkci.yml(filename only, no path)NUGET_USER= your nuget.org profile name (not email).NUGET_API_KEYsecret.Notes
ci.ymlfilename is part of the trust-policy contract — renaming it requires updating the policy.continue-on-error: trueon tests is preserved, so test failures still don't gate publishing (needs: [ci]proceeds because thecijob stays green).on:trigger level, so the publish job'sifneeds no extra guard.