Use NuGet/login@v1 action instead of manual OIDC curl for trusted publishing

Copilot · corpo-iwillspeak · web-flow · commit 1bc9b270ee17 · 2026-04-01T10:17:17.000Z
Agent-Logs-Url: https://github.com/crispthinking/FastText.NetWrapper/sessions/1e170fc6-c3a2-4651-85a5-ab9e754e253f Co-authored-by: corpo-iwillspeak <265613520+corpo-iwillspeak@users.noreply.github.com>
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -31,17 +31,13 @@ jobs:
       - name: Publish NuGet Packages to GitHub Packages
         run: dotnet nuget push bin/artifacts/**/*.nupkg --api-key ${{ secrets.GITHUB_TOKEN }} --source https://nuget.pkg.github.com/${{ github.repository_owner }}/index.json --skip-duplicate
 
+      - name: NuGet login (OIDC → temp API key)
+        if: github.event_name == 'release'
+        uses: NuGet/login@v1
+        id: login
+        with:
+          user: ${{ secrets.NUGET_USER }}
+
       - name: Publish NuGet package
         if: github.event_name == 'release'
-        run: |
-          OIDC_TOKEN=$(curl --silent --show-error --fail-with-body \
-            --url "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=api://AzureADTokenExchange" \
-            --header "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
-            | jq --raw-output '.value')
-          API_KEY=$(curl --silent --show-error --fail-with-body \
-            --request POST \
-            --url "https://api.nuget.org/v1/authentication/authenticate" \
-            --header "Content-Type: application/json" \
-            --data "{\"oidcToken\": \"$OIDC_TOKEN\"}" \
-            | jq --raw-output '.apiKey')
-          dotnet nuget push bin/artifacts/**/*.nupkg --api-key "$API_KEY" --source "https://api.nuget.org/v3/index.json" --skip-duplicate
+        run: dotnet nuget push bin/artifacts/**/*.nupkg --api-key "${{ steps.login.outputs.apiKey }}" --source "https://api.nuget.org/v3/index.json" --skip-duplicate
