Skip to content

Hardcode NuGet trusted publishing user#3266

Open
jfversluis wants to merge 1 commit into
mainfrom
jfversluis-hardcode-nuget-publisher
Open

Hardcode NuGet trusted publishing user#3266
jfversluis wants to merge 1 commit into
mainfrom
jfversluis-hardcode-nuget-publisher

Conversation

@jfversluis

Copy link
Copy Markdown
Member

⚠️ Mandatory before the next release

This PR must be merged before the next release. Otherwise, NuGet trusted publishing will fail at the NuGet login (OIDC) step because the environment-scoped NUGET_USER secret is being removed.

Description of Change

Uses the literal nuget.org username jfversluis_MSFT for NuGet/login instead of reading it from secrets.NUGET_USER.

The username is a public publisher identifier, not a credential. Trusted publishing remains unchanged: GitHub Actions OIDC still obtains the short-lived NuGet API key exposed through steps.login.outputs.NUGET_API_KEY, and the workflow continues to use that key for package publishing.

Linked Issues

  • N/A — focused release infrastructure follow-up

PR Checklist

  • Has a linked Issue, and the Issue has been approved(bug) or Championed (feature/proposal) — N/A; release infrastructure fix
  • Has tests (if omitted, state reason in description) — N/A; one-line workflow configuration change
  • Has samples (if omitted, state reason in description) — N/A; no product behavior change
  • Rebased on top of main at time of PR
  • Changes adhere to coding standard
  • Documentation created or updated: https://github.com/MicrosoftDocs/CommunityToolkit/pulls — N/A; no public API or documentation change

Additional information

Validation:

  • Ruby YAML parser successfully parsed .github/workflows/dotnet-build.yml.
  • git diff --check passed.
  • The diff is limited to one insertion and one deletion in the NuGet/login user input; all OIDC permissions, action pinning, login output handling, and NuGet push behavior remain unchanged.

Copilot AI review requested due to automatic review settings July 16, 2026 20:08
Use the public nuget.org publisher identifier directly so trusted publishing does not depend on an environment-scoped secret.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the release pipeline to keep NuGet trusted publishing (OIDC) working after removal of the environment-scoped NUGET_USER secret, by switching the NuGet/login action’s user input to a literal nuget.org username.

Changes:

  • Replaces ${{ secrets.NUGET_USER }} with the literal jfversluis_MSFT for NuGet/login’s user input.
  • Removes the workflow’s dependency on the NUGET_USER secret while preserving OIDC-based API key acquisition and dotnet nuget push usage.
Show a summary per file
File Description
.github/workflows/dotnet-build.yml Hardcodes the NuGet publisher username for NuGet/login to avoid failure when NUGET_USER is removed.

Review details

  • Files reviewed: 1/1 changed files
  • Comments generated: 0
  • Review effort level: Low

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants