docs/nuget-org/trusted-publishing.md
Lines changed: 21 additions & 8 deletions
@@ -17,7 +17,14 @@ This makes your publishing process safer by reducing the risk of leaked credenti
17
17
18
18
## How it works
19
19
20
-
Here’s the basic flow:
20
+
When your GitHub Actions workflow runs, it requests an encrypted OIDC token from github.com. This token
21
+
includes information about your repository and workflow, and is cryptographically signed by GitHub Actions to prevent
22
+
tampering. The workflow forwards this token to nuget.org, which securely validates the token’s
23
+
authenticity with github.com using industry-standard cryptographic methods. A token exchange endpoint on nuget.org then checks
24
+
that the token’s details match a trusted publishing policy you’ve configured. If everything matches,
25
+
nuget.org issues a short-lived API key for your workflow to use when publishing your package.
26
+
27
+
**Here’s the basic flow**
21
28
22
29
1. Your CI/CD system (like GitHub Actions) runs a workflow.
23
30
2. It issues a short-lived token.
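Review bot: the new "How it works" paragraph opens by calling the GitHub Actions OIDC token "encrypted", but the same paragraph goes on to say it is "cryptographically signed by GitHub Actions to prevent tampering", and signing is what the rest of the flow (nuget.org validating "authenticity with github.com") relies on. Suggest `requests a signed OIDC token from github.com` so the two sentences agree and readers do not assume the token's contents are confidential. Minor: the replaced line `Here's the basic flow:` becomes `**Here's the basic flow**` without the trailing colon that introduces the numbered list below it; keep the colon for consistency with the rest of the doc.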
@@ -27,7 +34,7 @@ Here’s the basic flow:
27
34
28
35

29
36
30
-
NuGet’s temporary API keys are valid for **15 minutes**, so your workflow should request the key shortly before publishing.
37
+
NuGet’s temporary API keys are valid for **1 hour**, so your workflow should request the key shortly before publishing.
31
38
If you request it too early, it might expire before the push happens.
32
39
33
40
Each short-lived token can only be used once to obtain a single temporary API key—one token, one API key.
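Review bot: the lifetime change from **15 minutes** to **1 hour** needs to be mirrored anywhere else in this doc (or in the linked workflow guidance) that states the temporary key's validity, otherwise the two numbers will disagree. The surrounding sentences ("request the key shortly before publishing", "If you request it too early, it might expire", "one token, one API key") still read correctly with the longer value and are worth keeping as-is, since a longer-lived key widens the window in which a key that leaks from a workflow log could be misused.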
@@ -39,11 +46,17 @@ This setup gives you a secure and automated way to publish packages, without the
39
46
40
47
To get started:
41
48
42
-
1. Log into nuget.org.
43
-
2. Click your username and choose **Trusted Publishing**.
44
-
3. Add a new trusted publishing policy. You’ll need to provide your GitHub org, repo, workflow file, and few other details.
45
-
4. In your GitHub repo, update your workflow to request a short-lived API key and push your package.
46
-
49
+
1. Log into **nuget.org**.
50
+
2. Click your username and choose **Trusted Publishing**.
51
+
3. Add a new trusted publishing policy. For a GitHub repository `https://github.com/contoso/contoso-sdk`
52
+
with a workflow file `.github/workflows/build.yml` enter the following trusted policy details (case‑insensitive):
53
+
-**Repository Owner:**`contoso`
54
+
-**Repository:**`contoso-sdk`
55
+
-**Workflow File:**`build.yml`
56
+
> This corresponds to your workflow at `.github/workflows/build.yml`. Enter the **file name only** (`build.yml`)—do not include the `.github/workflows/` path.
57
+
-**Environment (optional):**`release`
58
+
> Enter environment if your workflow uses e.g. `environment: release` and you want to restrict this policy to that environment. Leave this empty if you do not use GitHub Actions environments.
59
+
4. In your **GitHub repo**, update your workflow to request a short‑lived API key and push your package.
47
60
Here’s a basic example:
48
61
49
62
```yaml
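Review bot: the new policy-detail bullets under step 3 will not render as a list in Markdown: `-**Repository Owner:**`contoso`` has no space after the hyphen and no indentation under the numbered item, and the `>` blockquote lines that follow each bullet are likewise unindented, so they will break out of the list. Suggest indenting them under item 3 and adding the spaces, e.g. `   - **Repository Owner:** `contoso`` and `     > This corresponds to your workflow at ...`. Also, `case‑insensitive` and `short‑lived` in the added lines use a non-breaking hyphen (U+2011) rather than an ASCII `-`; use plain hyphens so searches and copy/paste behave. The environment note reads "Enter environment if your workflow uses e.g. `environment: release`"; suggest "Enter the environment name if your workflow uses one (e.g. `environment: release`) and you want to restrict this policy to it."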
@@ -60,7 +73,7 @@ jobs:
60
73
uses: NuGet/login@v1
61
74
id: login
62
75
with:
63
-
user: ${{secrets.NUGET_USER}}
76
+
user: contoso-bot # Recommended: use a secret like ${{secrets.NUGET_USER }} for your nuget.org username (profile name), NOT your email address
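Review bot: the replaced line now shows the literal `user: contoso-bot` while its trailing comment says the recommended form is a secret, so the example demonstrates the option the comment advises against. Suggest keeping `user: ${{ secrets.NUGET_USER }}` in the YAML (the added comment also has inconsistent spacing, `${{secrets.NUGET_USER }}`; the usual form is `${{ secrets.NUGET_USER }}`) and moving the guidance that the value is your nuget.org username (profile name), not your email address, into the prose above the code block, where it is easier to read than a long inline comment.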