[DEVOPS-3949] ci(nuget): use Trusted Publishing auth

dion-gionet · dion-gionet · commit 5406f218241f · 2025-11-20T14:25:12.000-05:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -15,6 +15,8 @@ jobs:
   deploy:
     runs-on: ubuntu-latest
     environment: publish
+    permissions:
+      id-token: write
     steps:
     - uses: actions/checkout@v4
 
@@ -42,10 +44,16 @@ jobs:
       run: |
         7z x nugets.zip -o./nugets
 
+    - name: NuGet login (OIDC)
+      id: nuget-login
+      uses: NuGet/login@v1
+      with:
+        user: ${{ secrets.NUGET_BOT_USERNAME }}
+
     - name: Publish NuGet
       if: ${{ inputs.publish_nuget }}
       run: |
-        COMMAND="dotnet nuget push ./nugets/Devolutions.BCryptPbkdf.Net.*.nupkg --api-key ${{ secrets.NUGET_API_KEY }} --source https://api.nuget.org/v3/index.json"
+        COMMAND="dotnet nuget push ./nugets/Devolutions.BCryptPbkdf.Net.*.nupkg --api-key ${{ steps.nuget-login.outputs.NUGET_API_KEY }} --source https://api.nuget.org/v3/index.json"
 
         if [ '${{ inputs.publish_dry_run }}' == 'true' ]; then
           echo "Dry Run : True"
@@ -55,6 +63,6 @@ jobs:
 
         echo "Running : $COMMAND"
 
-        if [ "${{ inputs.publish_dry_run }}" != "true" ]; then # if not dry run, actually run the command
+        if [ "${{ inputs.publish_dry_run }}" != "true" ]; then
           eval "$COMMAND"
         fi
