
Update nuget.org publishing to use trusted publishing#8209

Merged
andrewlock merged 5 commits into master from andrew/trusted-publishing on Feb 20, 2026

Conversation

@andrewlock (Member)

Summary of changes

Updates dd-trace-dotnet to publish NuGet packages using trusted publishing

Reason for change

From the documentation:

Trusted Publishing is a better way to publish NuGet packages. You don’t need to manage long-lived API keys anymore. Instead, you use short-lived credentials issued by your CI/CD system, like GitHub Actions.

This makes your publishing process safer by reducing the risk of leaked credentials. It also makes automation easier because you don’t need to rotate or store secrets. This approach is part of a broader industry shift toward secure, keyless publishing. If you're curious, check out the OpenSSF initiative: https://repos.openssf.org/trusted-publishers-for-all-package-repositories.

Implementation details

Followed the steps in the documentation (and this excellent blog post - recommend reading that for a brief summary 😉). Having used this personally, I found it "just works" but there are some caveats to using it for orgs.

Firstly, the trust policy is tied to a single account (i.e. mine), though it applies to datadog-owned packages. If I get removed from the org, someone else would need to set up a trust policy. The details I used to create the policy are shown below:

[image: screenshot of the trust policy details]

The trust policy is tied to my account via the NUGET_TRUSTED_PUBLISHING_USERNAME github secret. If we need to change to a different trust policy provided by a different nuget user, we should just need to update that secret to point to the new user.

Additionally, I left the legacy create_draft_release.yml workflow untouched (as opposed to the new create_normal_draft_release and create_hotfix_draft_release workflows which use the _create_draft_release workflow), so that we have a fallback that keeps using the NUGET_API_KEY approach, in case this doesn't work on the next release for some reason!

Test coverage

This is all just YOLO, we can't really test it very easily. That said, the current release tries to do a "noop" push to nuget.org of an existing package, to confirm permissions are set correctly, and that is still in place.

We could theoretically test this, by heavily cutting out all the actual release bits out of _create_draft_release.yml and trying to trigger a release, but that's frankly too risky for my liking. Given we still have the fallback release path at the moment, that's good enough for me.

@andrewlock andrewlock requested a review from a team as a code owner February 17, 2026 09:55
@andrewlock andrewlock added the area:builds project files, build scripts, pipelines, versioning, releases, packages label Feb 17, 2026

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: df7ae4d58b

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

pr-commenter bot commented Feb 17, 2026

Benchmarks

Benchmark execution time: 2026-02-18 09:59:18

Comparing candidate commit 8b3cd12 in PR branch andrew/trusted-publishing with baseline commit bbb12d2 in branch master.

Found 13 performance improvements and 7 performance regressions! Performance is the same for 155 metrics, 17 unstable metrics.

scenario:Benchmarks.Trace.ActivityBenchmark.StartStopWithChild net472

  • 🟩 throughput [+7635.714op/s; +8037.913op/s] or [+9.786%; +10.301%]

scenario:Benchmarks.Trace.AgentWriterBenchmark.WriteAndFlushEnrichedTraces net472

  • 🟥 execution_time [+19.948ms; +20.656ms] or [+9.825%; +10.173%]

scenario:Benchmarks.Trace.AgentWriterBenchmark.WriteAndFlushEnrichedTraces net6.0

  • 🟥 execution_time [+100.791ms; +100.928ms] or [+99.130%; +99.264%]

scenario:Benchmarks.Trace.Asm.AppSecBodyBenchmark.ObjectExtractorMoreComplexBody netcoreapp3.1

  • 🟥 execution_time [+10.899ms; +16.075ms] or [+5.569%; +8.214%]

scenario:Benchmarks.Trace.Asm.AppSecBodyBenchmark.ObjectExtractorSimpleBody netcoreapp3.1

  • 🟥 execution_time [+11.459ms; +17.000ms] or [+5.745%; +8.523%]

scenario:Benchmarks.Trace.Asm.AppSecEncoderBenchmark.EncodeLegacyArgs netcoreapp3.1

  • 🟩 execution_time [-22.190ms; -21.276ms] or [-10.968%; -10.516%]

scenario:Benchmarks.Trace.AspNetCoreBenchmark.SendRequest net6.0

  • 🟩 execution_time [-100.438ms; -98.696ms] or [-51.587%; -50.693%]

scenario:Benchmarks.Trace.CIVisibilityProtocolWriterBenchmark.WriteAndFlushEnrichedTraces net6.0

  • 🟩 execution_time [-11.943ms; -9.204ms] or [-6.823%; -5.259%]

scenario:Benchmarks.Trace.CharSliceBenchmark.OptimizedCharSlice net472

  • 🟩 throughput [+24.618op/s; +25.715op/s] or [+5.047%; +5.272%]

scenario:Benchmarks.Trace.CharSliceBenchmark.OptimizedCharSlice net6.0

  • 🟩 execution_time [-102.449µs; -92.151µs] or [-6.895%; -6.202%]
  • 🟩 throughput [+44.718op/s; +49.564op/s] or [+6.645%; +7.365%]

scenario:Benchmarks.Trace.CharSliceBenchmark.OptimizedCharSlice netcoreapp3.1

  • 🟥 throughput [-190.900op/s; -139.031op/s] or [-36.538%; -26.610%]

scenario:Benchmarks.Trace.CharSliceBenchmark.OriginalCharSlice net6.0

  • 🟩 execution_time [-190.705µs; -180.962µs] or [-9.007%; -8.547%]
  • 🟩 throughput [+44.232op/s; +46.653op/s] or [+9.365%; +9.878%]

scenario:Benchmarks.Trace.ElasticsearchBenchmark.CallElasticsearchAsync netcoreapp3.1

  • 🟩 throughput [+20126.902op/s; +30872.675op/s] or [+5.068%; +7.774%]

scenario:Benchmarks.Trace.ILoggerBenchmark.EnrichedLog net6.0

  • 🟥 execution_time [+15.816ms; +21.256ms] or [+7.983%; +10.729%]

scenario:Benchmarks.Trace.Iast.StringAspectsBenchmark.StringConcatAspectBenchmark netcoreapp3.1

  • 🟥 throughput [-459.484op/s; -257.349op/s] or [-21.084%; -11.809%]

scenario:Benchmarks.Trace.SingleSpanAspNetCoreBenchmark.SingleSpanAspNetCore netcoreapp3.1

  • 🟩 throughput [+14462489.628op/s; +15376616.172op/s] or [+6.409%; +6.814%]

scenario:Benchmarks.Trace.TraceAnnotationsBenchmark.RunOnMethodBegin net6.0

  • 🟩 execution_time [-16.302ms; -10.778ms] or [-7.667%; -5.069%]
  • 🟩 throughput [+47003.900op/s; +74315.812op/s] or [+5.104%; +8.070%]

@lucaspimentel lucaspimentel changed the title from "Update nuget.org publshing to use trusted publishing" to "Update nuget.org publishing to use trusted publishing" Feb 17, 2026
Copilot AI (Contributor) left a comment

Pull request overview

Updates the dd-trace-dotnet GitHub release workflows to publish packages to nuget.org using NuGet “trusted publishing” (OIDC-based short-lived credentials) instead of a long-lived API key secret.

Changes:

  • Grant id-token: write in the release workflows to allow OIDC token issuance.
  • Replace NUGET_API_KEY secret usage with NuGet/login + NUGET_TRUSTED_PUBLISHING_USERNAME.
  • Use the temporary NuGet API key output from NuGet/login for dotnet nuget push.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

Files reviewed:

  • .github/workflows/create_normal_draft_release.yml: adds OIDC permissions and switches the secret passed to the reusable release workflow.
  • .github/workflows/create_hotfix_draft_release.yml: adds OIDC permissions and switches the secret passed to the reusable release workflow.
  • .github/workflows/_create_draft_release.yml: implements trusted publishing via NuGet/login and uses its temporary API key for NuGet pushes.

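As an added illustration of the change the PR description and the review summary describe (this is not dd-trace-dotnet's own workflow, which the page does not reproduce), here is a minimal GitHub Actions workflow with the long-lived-key job kept as the fallback beside a trusted-publishing job. It assumes the NuGet/login action is tagged v1, takes the nuget.org account in a `user` input and exposes the temporary key as an output named NUGET_API_KEY; the job names, step ids, pack step and artifact glob are invented for the example.

```yaml
# Added example, not the project's workflow files. Assumptions: NuGet/login@v1,
# a `user` input, and a NUGET_API_KEY output; job/step names are invented.

name: publish-example

on:
  workflow_dispatch:

jobs:
  # FALLBACK (legacy path): a long-lived nuget.org API key held as a repository
  # secret. It stays valid until revoked, so any job that can read it, or any
  # log line that leaks it, can publish on the org's behalf in the meantime.
  publish-with-api-key:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: dotnet pack -c Release -o ./artifacts
      - name: Push with the long-lived key
        run: >
          dotnet nuget push ./artifacts/*.nupkg
          --api-key "${{ secrets.NUGET_API_KEY }}"
          --source https://api.nuget.org/v3/index.json
          --skip-duplicate

  # TRUSTED PUBLISHING: the job asks GitHub for an OIDC token (id-token: write),
  # NuGet/login presents that token to nuget.org, nuget.org checks it against the
  # trust policy registered under the named account, and a short-lived API key
  # comes back as a step output. Nothing long-lived is stored in the repo.
  publish-with-trusted-publishing:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write   # without this the OIDC token request is refused
    steps:
      - uses: actions/checkout@v4
      - run: dotnet pack -c Release -o ./artifacts
      - name: Exchange the OIDC token for a temporary NuGet API key
        id: nuget-login
        uses: NuGet/login@v1
        with:
          # The nuget.org account that owns the trust policy. Keeping it in a
          # secret means swapping policy owners is a secret update, not a
          # workflow edit.
          user: ${{ secrets.NUGET_TRUSTED_PUBLISHING_USERNAME }}
      - name: Push with the short-lived key
        run: >
          dotnet nuget push ./artifacts/*.nupkg
          --api-key "${{ steps.nuget-login.outputs.NUGET_API_KEY }}"
          --source https://api.nuget.org/v3/index.json
          --skip-duplicate
```

The `--skip-duplicate` flag turns a 409 for an already-published version into a warning rather than a failure, which is one way to perform the kind of "noop" push of an existing package the description mentions as a permissions check (that the project does it this way is my assumption, not something the page states). Two things to verify on the nuget.org side before relying on the second job: that the trust policy's repository and workflow fields match the calling workflow, and that the named account still holds publish rights on every package the job pushes, since the policy belongs to that one account rather than to the organization.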

@NachoEchevarria (Collaborator) left a comment

Nice!

@andrewlock andrewlock merged commit a84e185 into master Feb 20, 2026
98 of 101 checks passed
@andrewlock andrewlock deleted the andrew/trusted-publishing branch February 20, 2026 16:12
@github-actions github-actions bot added this to the vNext-v3 milestone Feb 20, 2026