From 3f73f4909ab1ab81220602278fb4a83f191f9243 Mon Sep 17 00:00:00 2001
From: Ikiru Yoshizaki <3856350+guitarrapc@users.noreply.github.com>
Date: Wed, 20 May 2026 16:01:38 +0900
Subject: [PATCH 1/4] ci: use OIDC for NuGet package push authentication

This updates the build-release workflow to leverage OpenID Connect (OIDC) for authenticating with NuGet.org. The package push operation is now performed directly within the build job, replacing static API key usage with ephemeral credentials for enhanced security.
---
 .github/workflows/build-release.yaml | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/build-release.yaml b/.github/workflows/build-release.yaml
index 9f66d35..4796a2d 100644
--- a/.github/workflows/build-release.yaml
+++ b/.github/workflows/build-release.yaml
@@ -30,6 +30,16 @@ jobs:
           name: nuget
           path: ./publish
           retention-days: 1
+      # push nuget
+      - name: NuGet login (OIDC)
+        uses: NuGet/login@8d196754b4036150537f80ac539e15c2f1028841 # v1.2.0
+        id: login
+        with:
+          user: ${{ secrets.NUGET_USER }}
+      - run: dotnet nuget push "./publish/*.nupkg" --skip-duplicate -s https://api.nuget.org/v3/index.json -k "${NUGET_KEY}"
+        if: ${{ !inputs.dry-run }}
+        env:
+          NUGET_KEY: ${{ steps.login.outputs.NUGET_API_KEY }}
 
   create-release:
     needs: [build-dotnet]
@@ -41,7 +51,7 @@ jobs:
       commit-id: ${{ github.sha }}
       tag: ${{ inputs.tag }}
       dry-run: ${{ inputs.dry-run }}
-      nuget-push: true
+      nuget-push: false
       release-upload: false
       release-format: "{0}"
     secrets: inherit

From fafe35bc2a6c965ef72480f76531e2066c00e3b8 Mon Sep 17 00:00:00 2001
From: Ikiru Yoshizaki <3856350+guitarrapc@users.noreply.github.com>
Date: Wed, 20 May 2026 16:46:25 +0900
Subject: [PATCH 2/4] ci: id-token permission

---
 .github/workflows/build-release.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/build-release.yaml b/.github/workflows/build-release.yaml
index 4796a2d..1f924bf 100644
--- a/.github/workflows/build-release.yaml
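Review bot: The `NuGet login (OIDC)` step has no `if` guard, so a dry run (`inputs.dry-run`) still exchanges the job's OIDC token for a short-lived NuGet API key that nothing then uses, and it will fail the dry run outright if the trusted-publishing policy on nuget.org is not configured yet; gate it like the push step, `if: ${{ !inputs.dry-run }}`. The push step has no `name:`, so the run log shows only the command; a `- name: NuGet push (nupkg)` would make the key-bearing step easy to find when auditing. Passing the key as `-k "${NUGET_KEY}"` puts it on the process command line — the action masks the output in logs, and the key is temporary, but a comment such as `# temporary key minted by NuGet/login; not a stored secret` would save the next reader from looking for a repository secret. The `build-dotnet` steps list starts outside this hunk.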
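Review bot: Setting `nuget-push: false` leaves `secrets: inherit` on the `create-release` call, so the reusable workflow still receives every repository secret, including the static NuGet API key it used for pushing until this commit; the credential the commit says it replaces is therefore still live and still handed out. Once the OIDC push is confirmed working, that key should be revoked on nuget.org and the secret removed, and `secrets: inherit` is worth narrowing to an explicit `secrets:` mapping of what the reusable workflow still needs. The secret's name and the reusable workflow's inputs are not visible in this hunk, so confirm them before deleting anything.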
+++ b/.github/workflows/build-release.yaml
@@ -16,6 +16,7 @@ jobs:
   build-dotnet:
     permissions:
       contents: read
+      id-token: write # required for NuGet Trusted Publish
     runs-on: ubuntu-24.04
     timeout-minutes: 10
     steps:

From 8df415de1523b7312c59e75bfab26895b4242623 Mon Sep 17 00:00:00 2001
From: Ikiru Yoshizaki <3856350+guitarrapc@users.noreply.github.com>
Date: Wed, 20 May 2026 18:03:17 +0900
Subject: [PATCH 3/4] ci: handle SymbolPackageFormat on build

---
 .github/workflows/build-canary.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build-canary.yaml b/.github/workflows/build-canary.yaml
index c9dfe71..1853ddb 100644
--- a/.github/workflows/build-canary.yaml
+++ b/.github/workflows/build-canary.yaml
@@ -9,7 +9,7 @@ on:
     tags:
       - "!*" # not a tag pus
     paths-ignore:
-      - '**.md'
+      - "**.md"
       - .github/**
       - docs/**
       - samples/**
@@ -29,7 +29,7 @@ jobs:
       - run: echo "MULTICASTER_VERSION=${MULTICASTER_VERSION}"
       - run: dotnet tool restore
       - run: dotnet build -c Release -p:DefineConstants=RUNNING_IN_CI -p:VersionSuffix=${MULTICASTER_VERSION}
-      - run: dotnet pack -c Release --no-build -p:IncludeSymbols=true -p:SymbolPackageFormat=snupkg -p:VersionSuffix=${MULTICASTER_VERSION} -o ./publish
+      - run: dotnet pack -c Release --no-build -p:VersionSuffix=${MULTICASTER_VERSION} -p:IncludeSymbols=true -p:SymbolPackageFormat=snupkg -o ./publish
       - uses: Cysharp/Actions/.github/actions/upload-artifact@main
         with:
           name: nuget

From 512be2a2612d8f74ac8ef3e39a55b2c38db59989 Mon Sep 17 00:00:00 2001
From: Ikiru Yoshizaki <3856350+guitarrapc@users.noreply.github.com>
Date: Wed, 20 May 2026 18:20:35 +0900
Subject: [PATCH 4/4] ci: publish symbol files

---
 .github/workflows/build-release.yaml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/build-release.yaml b/.github/workflows/build-release.yaml
index 1f924bf..1db8a2d 100644
--- a/.github/workflows/build-release.yaml
+++ b/.github/workflows/build-release.yaml
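Review bot: `id-token: write` is granted to the whole `build-dotnet` job, so every step in it, not only `NuGet/login`, can request an OIDC token asserting this repository and workflow identity, and through the trusted-publishing policy that token converts into a package-push key. The login step is SHA-pinned, but if other steps in this job use mutable refs (build-canary.yaml in the third patch uses `Cysharp/Actions/.github/actions/upload-artifact@main`; this job's steps are not visible here), a compromised action could obtain the token; pin every action in the job to a commit SHA, and consider moving login and push into a dedicated job or a GitHub environment with required reviewers so the permission covers only the publishing steps. The comment could also say what consumes it, e.g. `# required for NuGet Trusted Publishing: lets the NuGet/login step request an OIDC token`.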
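Review bot: `dotnet build` on the line above still receives only `DefineConstants` and `VersionSuffix`, so if the subject ("handle SymbolPackageFormat on build") means the build should see `IncludeSymbols`/`SymbolPackageFormat`, reordering the `-p:` arguments on the `dotnet pack` line does not achieve it — the property set passed to pack is identical before and after. If that was the intent, add `-p:IncludeSymbols=true -p:SymbolPackageFormat=snupkg` to the `dotnet build` line as well so the `--no-build` pack runs against outputs produced with matching properties; if the reorder was only cosmetic, the subject line overstates the change. The `build-canary` steps list starts outside this hunk.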
@@ -41,6 +41,10 @@ jobs:
         if: ${{ !inputs.dry-run }}
         env:
           NUGET_KEY: ${{ steps.login.outputs.NUGET_API_KEY }}
+      - run: dotnet nuget push "./publish/*.snupkg" --skip-duplicate -s https://api.nuget.org/v3/index.json -k "${NUGET_KEY}"
+        if: ${{ !inputs.dry-run }}
+        env:
+          NUGET_KEY: ${{ steps.login.outputs.NUGET_API_KEY }}
 
   create-release:
     needs: [build-dotnet]
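Review bot: The separate `.snupkg` push is likely redundant: `dotnet nuget push` on a `.nupkg` also pushes a sibling `.snupkg` of the same name unless `--no-symbols` is given, so the `.nupkg` step above should already have published the symbols and this step will mostly land on `--skip-duplicate`. If symbols were observed missing after the first push, the reason belongs in a comment on this step rather than being papered over by a second push; otherwise drop the step, or merge both globs into one `run:` so the `if`/`env` blocks and the key-bearing command line are not duplicated, e.g. `- name: NuGet push` with a single `run: |` containing both push commands. The `build-dotnet` steps list starts outside this hunk.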