Switch to NuGet Trusted Publishing (#1533)

Author: zvirja

.github/workflows/continuous.yml

@@ -1,19 +1,3 @@
-# ------------------------------------------------------------------------------
-# <auto-generated>
-#
-#     This code was generated.
-#
-#     - To turn off auto-generation set:
-#
-#         [GitHubActions (AutoGenerate = false)]
-#
-#     - To trigger manual generation invoke:
-#
-#         nuke --generate-configuration GitHubActions_continuous --host GitHubActions
-#
-# </auto-generated>
-# ------------------------------------------------------------------------------
-
 name: continuous
 
 on:
@@ -32,11 +16,12 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+
       - uses: actions/setup-dotnet@v4
         with:
           dotnet-version: |
             6.0.x
+
+
       - name: Run './build.cmd Verify Cover Pack'
         run: ./build.cmd Verify Cover Pack --no-logo
-        env:
-          GitHubToken: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/release.yml

@@ -1,19 +1,3 @@
-# ------------------------------------------------------------------------------
-# <auto-generated>
-#
-#     This code was generated.
-#
-#     - To turn off auto-generation set:
-#
-#         [GitHubActions (AutoGenerate = false)]
-#
-#     - To trigger manual generation invoke:
-#
-#         nuke --generate-configuration GitHubActions_release --host GitHubActions
-#
-# </auto-generated>
-# ------------------------------------------------------------------------------
-
 name: release
 
 on:
@@ -22,30 +6,46 @@ on:
       - 'v*'
 
 jobs:
-  windows-latest:
+  windows-latest:  
     name: windows-latest
     runs-on: windows-latest
+
+    permissions:
+      id-token: write
+
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+
+        # Read more: https://devblogs.microsoft.com/dotnet/enhanced-security-is-here-with-the-new-trust-publishing-on-nuget-org/  
+      - name: NuGet login (OIDC → temp API key)
+        uses: NuGet/login@v1
+        id: nugetLogin
+        with:
+          user: ${{ secrets.NUGET_USER }}
+
       - uses: actions/setup-dotnet@v4
         with:
           dotnet-version: |
             6.0.x
+
+          
       - name: Run './build.cmd Verify Cover Publish'
         run: ./build.cmd Verify Cover Publish --no-logo
         env:
-          GitHubToken: ${{ secrets.GITHUB_TOKEN }}
-          NUGET_API_KEY: ${{ secrets.NUGET_API_KEY }}
+          NUGET_API_KEY: ${{ steps.nugetLogin.outputs.NUGET_API_KEY }}
+
       - uses: actions/upload-artifact@v4
         with:
           name: testresults
           path: artifacts/testresults
+
       - uses: actions/upload-artifact@v4
         with:
           name: reports
           path: artifacts/reports
+
       - uses: actions/upload-artifact@v4
         with:
           name: packages

build/Build.cs

@@ -24,16 +24,14 @@
     AutoGenerate = false,
     OnPullRequestBranches = new[] { MasterBranch, ReleaseBranch },
     PublishArtifacts = false,
-    InvokedTargets = new[] { nameof(Verify), nameof(Cover), nameof(Pack) },
-    EnableGitHubToken = true)]
+    InvokedTargets = new[] { nameof(Verify), nameof(Cover), nameof(Pack) })]
 [GitHubActions(
     "release",
     GitHubActionsImage.WindowsLatest,
     AutoGenerate = false,
     OnPushTags = new[] { "v*" },
     PublishArtifacts = true,
     InvokedTargets = new[] { nameof(Verify), nameof(Cover), nameof(Publish) },
-    EnableGitHubToken = true,
     ImportSecrets = new[] { Secrets.NuGetApiKey })]
 partial class Build : NukeBuild
 {
@@ -50,7 +48,6 @@ partial class Build : NukeBuild
     [GitVersion] readonly GitVersion GitVersion;
     [CI] readonly GitHubActions GitHubActions;
 
-    [Parameter("GitHub auth token", Name = "github-token"), Secret] readonly string GitHubToken;
     [Parameter("Forces the continuous integration build flag")] readonly bool CI;
 
     [Secret] [Parameter("NuGet API Key (secret)", Name = Secrets.NuGetApiKey)] readonly string NuGetApiKey;