Skip to content

feat(actions): add nuget trusted publishing#2299

Merged
alexeyzimarev merged 1 commit intorestsharp:devfrom
micheloliveira-com:feature/nuget-trusted-publishing
Nov 10, 2025
Merged

feat(actions): add nuget trusted publishing#2299
alexeyzimarev merged 1 commit intorestsharp:devfrom
micheloliveira-com:feature/nuget-trusted-publishing

Conversation

@micheloliveira-com
Copy link
Contributor

@micheloliveira-com micheloliveira-com commented Sep 27, 2025

Description

Motivation

As described in the official announcement, the new Trusted Publishing feature greatly enhances package publishing security on NuGet.org.

We successfully tested this approach with our own NuGet library:

Required changes in this repository

Recommendation followed from announcement:
For security, always use a GitHub secret like ${{ secrets.NUGET_USER }} for your NuGet.org username (profile name), not your email address.

  • Add secrets.NUGET_USER to this repository, using the NuGet.org username (profile name) of the package owner (
    Ubiquitous in this case).
  • The old secrets.NUGET_API_KEY secret can be removed from this repository and also from the NuGet.org account if it was only used here.

One-time configuration on NuGet.org

According to the documentation:

  1. Sign in to NuGet.org.
  2. Open your user menu (top-right) → Trusted Publishing (next to “API Keys”).
  3. Create a policy:
    • Package owner: you or your organization (e.g. Ubiquitous).
    • Repository owner: your GitHub org/user (e.g. restsharp).
    • Repository name: repository name (e.g. RestSharp).
    • Workflow file: the YAML file under .github/workflows/ (e.g. build-dev.yml).
    • Environment (optional): specify if your workflow uses GitHub Actions environments.

This setup eliminates the need for long-lived API keys and improves the overall security of the publishing process.

Purpose

This pull request is a:

  • Bugfix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist

  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation (if appropriate)

@alexeyzimarev alexeyzimarev merged commit e1f4707 into restsharp:dev Nov 10, 2025
1 check passed
@qodo-free-for-open-source-projects
Copy link
Contributor

qodo-free-for-open-source-projects bot commented Nov 10, 2025

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
Unvalidated secret usage

Description: The secrets.NUGET_USER is passed directly to the NuGet login action without validation,
potentially allowing unauthorized package publishing if the secret is compromised or
misconfigured.
build-dev.yml [44-44]

Referred Code 
user: ${{ secrets.NUGET_USER }}
Ticket Compliance
🎫 No ticket provided
  • Create ticket/issue
Codebase Duplication Compliance
Codebase context is not defined

Follow the guide to enable codebase context checks.

Custom Compliance
🟢
Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules
Compliance status legend 🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

This was referenced Nov 28, 2025
Merged
Merged
Closed
Merged
Merged
Merged
Merged
Merged
Merged
Closed
Merged
Merged
Closed
Merged
Merged
Closed
Merged
Merged
Closed
Closed
Closed
Merged
Closed
Merged
Closed
Merged
This was referenced Dec 16, 2025
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
This was referenced Jan 7, 2026
Closed
Merged
Open
Closed
Open
Closed
This was referenced Jan 18, 2026
Merged
Closed
Open
Open
This was referenced Feb 1, 2026
Merged
Closed
This was referenced Feb 9, 2026
Open
Closed
Closed
Closed
Merged
@dependabot dependabot bot mentioned this pull request Feb 17, 2026
Merged
This was referenced Mar 6, 2026
Closed
Closed
Closed
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

Review effort 2/5

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@micheloliveira-com @alexeyzimarev