[DEVOPS-3949] ci(nuget): use Trusted Publishing auth

dion-gionet · dion-gionet · commit 154ddfc1bf76 · 2025-11-20T14:25:05.000-05:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -10,11 +10,13 @@ on:
         description: "Dry Run Mode"
         required: true
         type: boolean
-        
+
 jobs:
   deploy:
     runs-on: ubuntu-latest
     environment: publish
+    permissions:
+      id-token: write
     steps:
     - uses: actions/checkout@v4
 
@@ -40,10 +42,16 @@ jobs:
     - name: Extract Artifacts
       run: 7z x nugets.zip -o./nugets
 
+    - name: NuGet login (OIDC)
+      id: nuget-login
+      uses: NuGet/login@v1
+      with:
+        user: ${{ secrets.NUGET_BOT_USERNAME }}
+
     - name: Publish NuGet
       if: ${{ inputs.publish_nuget }}
       run: |
-        COMMAND="dotnet nuget push ./nugets/Devolutions.XTS.NET.*.nupkg --api-key ${{ secrets.NUGET_API_KEY }} --source https://api.nuget.org/v3/index.json"
+        COMMAND="dotnet nuget push ./nugets/Devolutions.XTS.NET.*.nupkg --api-key ${{ steps.nuget-login.outputs.NUGET_API_KEY }} --source https://api.nuget.org/v3/index.json"
 
         if [ '${{ inputs.publish_dry_run }}' == 'true' ]; then
           echo "Dry Run : True"
@@ -53,6 +61,6 @@ jobs:
 
         echo "Running : $COMMAND"
 
-        if [ "${{ inputs.publish_dry_run }}" != "true" ]; then # if not dry run, actually run the command
+        if [ "${{ inputs.publish_dry_run }}" != "true" ]; then
           eval "$COMMAND"
         fi
