Make NuGet publish secure

Author: zvirja

.github/workflows/continuous.yml

@@ -4,24 +4,58 @@ on:
   push:
     branches:
       - main
+    tags:
+      - 'v*'
   pull_request:
     branches:
       - main
+      - 'release/*'
 
 jobs:
-  windows-latest:
-    name: windows-latest
+  build:
     runs-on: windows-latest
+
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0
 
-      - uses: actions/setup-dotnet@v4
+      - uses: actions/setup-dotnet@v5
         with:
           dotnet-version: |
             6.0.x
 
-
       - name: Run './build.cmd Verify Cover Pack'
         run: ./build.cmd Verify Cover Pack --no-logo
+
+      - name: Collect NuGet for publish
+        uses: actions/upload-artifact@v7
+        if: startsWith(github.ref, 'refs/tags/v')
+        with:
+          path: 'artifacts'
+          name: 'nuget-packages'
+
+  publish:
+    needs: build
+    if: startsWith(github.ref, 'refs/tags/v')
+    permissions:
+      id-token: write
+    environment: nuget-push
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Download artifact
+        uses: actions/download-artifact@v8
+        with:
+          name: nuget-packages
+
+      - name: NuGet login (OIDC → temp API key)
+        uses: NuGet/login@v1
+        id: nugetLogin
+        with:
+          user: ${{ secrets.NUGET_USER }}
+
+      - name: Push to NuGet
+        run: dotnet nuget push **/*.nupkg --api-key $NUGET_API_KEY --source https://api.nuget.org/v3/index.json
+        env:
+          NUGET_API_KEY: ${{ steps.nugetLogin.outputs.NUGET_API_KEY }}

.github/workflows/release.yml

@@ -18,21 +18,6 @@
 
 [ShutdownDotNetAfterServerBuild]
 [DotNetVerbosityMapping]
-[GitHubActions(
-    "continuous",
-    GitHubActionsImage.WindowsLatest,
-    AutoGenerate = false,
-    OnPullRequestBranches = new[] { MasterBranch, ReleaseBranch },
-    PublishArtifacts = false,
-    InvokedTargets = new[] { nameof(Verify), nameof(Cover), nameof(Pack) })]
-[GitHubActions(
-    "release",
-    GitHubActionsImage.WindowsLatest,
-    AutoGenerate = false,
-    OnPushTags = new[] { "v*" },
-    PublishArtifacts = true,
-    InvokedTargets = new[] { nameof(Verify), nameof(Cover), nameof(Publish) },
-    ImportSecrets = new[] { Secrets.NuGetApiKey })]
 partial class Build : NukeBuild
 {
     public static int Main() => Execute<Build>(x => x.Compile);
@@ -50,9 +35,6 @@ partial class Build : NukeBuild
 
     [Parameter("Forces the continuous integration build flag")] readonly bool CI;
 
-    [Secret] [Parameter("NuGet API Key (secret)", Name = Secrets.NuGetApiKey)] readonly string NuGetApiKey;
-    readonly string NuGetSource = "https://api.nuget.org/v3/index.json";
-
     IEnumerable<Project> Excluded => new[]
     {
         Solution.GetProject("_build"),
@@ -208,24 +190,4 @@ partial class Build : NukeBuild
                     .Add("/p:CheckEolTargetFramework=false"))
                 .CombineWith(FSharpLibraries, (s, p) => s.SetProject(p)));
         });
-
-    Target Publish => _ => _
-        .DependsOn(Pack)
-        .Consumes(Pack)
-        .Executes(() =>
-        {
-            DotNetNuGetPush(s => s
-                .EnableSkipDuplicate()
-                .When(
-                    GitHubActions.IsOnSemVerTag(),
-                    v => v
-                        .SetApiKey(NuGetApiKey)
-                        .SetSource(NuGetSource))
-                .CombineWith(Packages, (_, p) => _.SetTargetPath(p)));
-        });
-
-    public static class Secrets
-    {
-        public const string NuGetApiKey = "NUGET_API_KEY";
-    }
 }