fix: Add OIDC token retrieval for NuGet Trusted Publishing

randlee · claude · randlee · commit 283ee3155b2c · 2025-10-26T17:14:50.000-07:00
dotnet nuget push doesn't automatically use OIDC tokens. Need to manually retrieve the token and pass it as --api-key. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -43,8 +43,15 @@ jobs:
         echo "Package ID: Rand.MDTool"
         echo "Version: $(grep -oP '(?<=<Version>)[^<]+' src/MDTool/MDTool.csproj)"
 
+    - name: Get OIDC token
+      id: oidc
+      run: |
+        OIDC_TOKEN=$(curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=api://AzureADTokenExchange" | jq -r '.value')
+        echo "::add-mask::$OIDC_TOKEN"
+        echo "token=$OIDC_TOKEN" >> $GITHUB_OUTPUT
+
     - name: Publish to NuGet
-      run: dotnet nuget push ./nupkg/*.nupkg --source https://api.nuget.org/v3/index.json --skip-duplicate
+      run: dotnet nuget push ./nupkg/*.nupkg --source https://api.nuget.org/v3/index.json --api-key ${{ steps.oidc.outputs.token }} --skip-duplicate
 
     - name: Upload package as artifact
       uses: actions/upload-artifact@v4
