From 40042bf094e0a571a1338166dec312f1966f0714 Mon Sep 17 00:00:00 2001 From: tiger tiger tiger Date: Tue, 16 Jun 2026 18:39:02 +0200 Subject: [PATCH 1/2] ci: add manual NuGet publish workflow; bump version to 0.6.0 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - .github/workflows/publish.yml: workflow_dispatch-triggered pipeline that restores, runs the test suite (Debug, matching CI — the constraint `*_Throws` tests are #if DEBUG-gated), packs the generator in Release, uploads the .nupkg artifact, and pushes to nuget.org with --skip-duplicate. A `dry_run` input packs without pushing. - Bump newtype package version 0.5.1 -> 0.6.0. Requires a NUGET_API_KEY repository secret for the push step. --- .github/workflows/publish.yml | 55 ++++++++++++++++++++++ NewType.Generator/NewType.Generator.csproj | 2 +- 2 files changed, 56 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/publish.yml diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml new file mode 100644 index 0000000..78131a8 --- /dev/null +++ b/.github/workflows/publish.yml @@ -0,0 +1,55 @@ +name: Publish to NuGet + +# Manually triggered release pipeline. The package version is taken from +# in NewType.Generator/NewType.Generator.csproj. +on: + workflow_dispatch: + inputs: + dry_run: + description: "Pack only — build the package but do not push to NuGet" + type: boolean + default: false + +permissions: + contents: read + +jobs: + publish: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v4 + + - name: Setup .NET + uses: actions/setup-dotnet@v4 + with: + dotnet-version: 10.0.x + + - name: Restore + run: dotnet restore + + # Gate the release on the test suite. Run in Debug: constraint-validation + # checks are emitted under `#if DEBUG`, so the `*_Throws` tests only exercise + # the generated guards in a Debug build (matches the CI workflow). + - name: Test + run: dotnet test -c Debug --no-restore --verbosity normal + + - name: Pack + run: dotnet pack NewType.Generator/NewType.Generator.csproj -c Release --no-restore -o ${{ runner.temp }}/artifacts + + - name: List package + run: ls -l ${{ runner.temp }}/artifacts + + - name: Upload package artifact + uses: actions/upload-artifact@v4 + with: + name: nuget-package + path: ${{ runner.temp }}/artifacts/*.nupkg + + - name: Push to NuGet + if: ${{ !inputs.dry_run }} + run: > + dotnet nuget push "${{ runner.temp }}/artifacts/*.nupkg" + --api-key "${{ secrets.NUGET_API_KEY }}" + --source https://api.nuget.org/v3/index.json + --skip-duplicate diff --git a/NewType.Generator/NewType.Generator.csproj b/NewType.Generator/NewType.Generator.csproj index 4de361b..8ef35ba 100644 --- a/NewType.Generator/NewType.Generator.csproj +++ b/NewType.Generator/NewType.Generator.csproj @@ -10,7 +10,7 @@ newtype - 0.5.1 + 0.6.0 Moritz Voss Copyright (c) 2026 Moritz Voss Source generator for creating distinct type aliases with full operator forwarding From acd71623e07af9e2687c84057c6828034f972f2c Mon Sep 17 00:00:00 2001 From: tiger tiger tiger Date: Tue, 16 Jun 2026 18:44:52 +0200 Subject: [PATCH 2/2] ci: use NuGet Trusted Publishing (OIDC) instead of a stored API key Replace the NUGET_API_KEY secret with NuGet Trusted Publishing: - add `id-token: write` permission to request a GitHub OIDC token - use NuGet/login@v1 to exchange the OIDC token for a short-lived API key (gated on !dry_run), keyed to a nuget.org Trusted Publishing policy; the nuget.org account is read from the NUGET_USER repo variable - push using the temporary key from the login step's output No long-lived secret is stored. Requires a Trusted Publishing policy on nuget.org (repo outfox/newtype, workflow publish.yml) and a NUGET_USER repository variable. --- .github/workflows/publish.yml | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 78131a8..f70fa03 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -1,7 +1,8 @@ name: Publish to NuGet -# Manually triggered release pipeline. The package version is taken from -# in NewType.Generator/NewType.Generator.csproj. +# Manually triggered release pipeline using NuGet Trusted Publishing (OIDC) — +# no long-lived API key is stored. The package version is taken from +# in NewType.Generator/NewType.Generator.csproj. on: workflow_dispatch: inputs: @@ -12,6 +13,7 @@ on: permissions: contents: read + id-token: write # required to request the GitHub OIDC token for Trusted Publishing jobs: publish: @@ -46,10 +48,20 @@ jobs: name: nuget-package path: ${{ runner.temp }}/artifacts/*.nupkg + # Exchange the GitHub OIDC token for a short-lived NuGet API key via the + # Trusted Publishing policy configured on nuget.org. `NUGET_USER` is a repo + # variable holding the nuget.org account that owns the policy. + - name: NuGet login (Trusted Publishing) + if: ${{ !inputs.dry_run }} + id: nuget-login + uses: NuGet/login@v1 + with: + user: ${{ vars.NUGET_USER }} + - name: Push to NuGet if: ${{ !inputs.dry_run }} run: > dotnet nuget push "${{ runner.temp }}/artifacts/*.nupkg" - --api-key "${{ secrets.NUGET_API_KEY }}" + --api-key "${{ steps.nuget-login.outputs.NUGET_API_KEY }}" --source https://api.nuget.org/v3/index.json --skip-duplicate