ci: manual NuGet publish workflow + bump to 0.6.0#8
Conversation
- .github/workflows/publish.yml: workflow_dispatch-triggered pipeline that restores, runs the test suite (Debug, matching CI — the constraint `*_Throws` tests are #if DEBUG-gated), packs the generator in Release, uploads the .nupkg artifact, and pushes to nuget.org with --skip-duplicate. A `dry_run` input packs without pushing. - Bump newtype package version 0.5.1 -> 0.6.0. Requires a NUGET_API_KEY repository secret for the push step.
|
Warning Review limit reached
More reviews will be available in 48 minutes and 41 seconds. Learn how PR review limits work. Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file). ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (2)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Replace the NUGET_API_KEY secret with NuGet Trusted Publishing: - add `id-token: write` permission to request a GitHub OIDC token - use NuGet/login@v1 to exchange the OIDC token for a short-lived API key (gated on !dry_run), keyed to a nuget.org Trusted Publishing policy; the nuget.org account is read from the NUGET_USER repo variable - push using the temporary key from the login step's output No long-lived secret is stored. Requires a Trusted Publishing policy on nuget.org (repo outfox/newtype, workflow publish.yml) and a NUGET_USER repository variable.
Adds a manually-triggered release pipeline and bumps the package to 0.6.0. Publishing uses NuGet Trusted Publishing (OIDC) — no long-lived API key is stored.
.github/workflows/publish.ymlworkflow_dispatch(manual only), with adry_runboolean input that packs without pushing — handy for validating the pipeline.10.0.x→dotnet restore→ test → pack (Release) → upload.nupkgartifact → NuGet login (OIDC) → push to nuget.org.permissions: id-token: writelets the job request a GitHub OIDC token;NuGet/login@v1exchanges it for a short-lived API key tied to a nuget.org Trusted Publishing policy. The push then uses that temporary key (steps.nuget-login.outputs.NUGET_API_KEY). NoNUGET_API_KEYsecret needed.throwunder#if DEBUG, so the*_Throwstests only pass in Debug (same as the existing CI). Packing is still done in Release.dotnet nuget push --skip-duplicateso re-runs of the same version don't hard-fail.Version
newtype0.5.1→0.6.0inNewType.Generator.csproj.Validation
Packed locally in Release — produces
newtype.0.6.0.nupkgwith the expected layout:analyzers/dotnet/cs/NewType.Generator.dllNUGET.md(readme),icon.png,LICENSE<id>newtype</id>,<version>0.6.0</version>outfox, repositorynewtype, workflow filepublish.yml(optionally pin an environment).NUGET_USERrepository variable (Settings → Secrets and variables → Actions → Variables) set to the nuget.org account/username that owns the policy. It's a variable, not a secret — the username isn't sensitive.No API-key secret is required. Run it from the Actions tab → "Publish to NuGet" → Run workflow (optionally tick
dry_runfirst to verify packing).