{"id":2515,"date":"2025-09-22T16:29:53","date_gmt":"2025-09-22T16:29:53","guid":{"rendered":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2025\/09\/22\/new-trusted-publishing-enhances-security-on-nuget-org\/"},"modified":"2025-09-22T16:29:53","modified_gmt":"2025-09-22T16:29:53","slug":"new-trusted-publishing-enhances-security-on-nuget-org","status":"publish","type":"post","link":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2025\/09\/22\/new-trusted-publishing-enhances-security-on-nuget-org\/","title":{"rendered":"New Trusted Publishing enhances security on NuGet.org"},"content":{"rendered":"

We\u2019re excited to announce Trusted Publishing on nuget.org \u2014 a simpler, safer way to publish NuGet packages from GitHub Actions. Rather than relying on long\u2011lived API keys, your workflow can use a short\u2011lived GitHub OIDC token to request a temporary, single\u2011use NuGet API key. These keys expire quickly (\u2248 1 hour), eliminating long\u2011lived secrets that need to be stored, rotated, or protected from leaks.<\/p>\n

Read the docs at aka.ms\/nuget\/trusted-publishing<\/a><\/p>\n

<\/a><\/p>\n

Why Trusted Publishing? <\/h2>\n

No long\u2011lived secrets \u2014 nothing sensitive stored in your repository or CI.
\nShort\u2011lived credentials \u2014 temporary API keys are issued just\u2011in\u2011time and typically last about 1 hour<\/strong>.
\nOne token \u2192 one key \u2014 each job\u2019s OIDC token maps to a single temporary API key used for that publish.<\/p>\n

Getting started <\/h2>\n

Open the Trusted Publishing page<\/strong>
\nSign in to nuget.org<\/strong> \u2192 open your user menu (top right) \u2192 Trusted Publishing<\/strong> (next to API Keys<\/strong>).
\nCreate a policy<\/strong><\/p>\n

Package owner:<\/strong> you or your organization
\nRepository owner \/ repository:<\/strong> your GitHub org\/user and repository name (for example contoso-sdk)
\nWorkflow file:<\/strong> the YAML file in .github\/workflows\/ (for example release.yml)
\n(Optional)<\/em> Environment:<\/strong> if your workflow uses GitHub Actions environments<\/p>\n

Wire up your GitHub Actions workflow<\/strong> using the minimal example below.<\/p>\n

Minimal GitHub Actions example <\/h2>\n

This example includes only the steps that interact with nuget.org: enabling OIDC, exchanging the token for a temporary API key, and pushing the package.<\/p>\n

permissions:
\n id-token: write # required for GitHub OIDC<\/p>\n

jobs:
\n build-and-publish:
\n permissions:
\n id-token: write # enable GitHub OIDC token issuance for this job<\/p>\n

steps:
\n # Build your artifacts\/my-sdk.nupkg package here<\/p>\n

# Get a short-lived NuGet API key
\n – name: NuGet login (OIDC \u2192 temp API key)
\n uses: NuGet\/login@v1
\n id: login
\n with:
\n # Recommended: use a secret like ${{ secrets.NUGET_USER }} for your nuget.org username (profile name), NOT your email address
\n user: contoso-bot<\/p>\n

# Push the package
\n run: dotnet nuget push artifacts\/my-sdk.nupkg –api-key ${{ steps.login.outputs.NUGET_API_KEY }} –source https:\/\/api.nuget.org\/v3\/index.json<\/p>\n

How it works <\/h2>\n

GitHub issues an OIDC token to the job.
\nThe NuGet login step sends that token to nuget.org.
\nnuget.org validates the token against your Trusted Publishing policy and returns a temporary API key.
\nYour workflow uses that key to publish. Request the key immediately before running dotnet nuget push \u2014 it expires quickly (\u2248 1 hour<\/strong>).<\/p>\n

Policy ownership & lifecycle <\/h2>\n

Private repo bootstrap (7 days, re-activate anytime).<\/strong> New policies for private repositories start out as active for 7 days by default. After the first successful NuGet login (the exchange of a job\u2019s OIDC token for a temporary API key), the policy becomes permanently active and is bound to immutable GitHub IDs. If you miss the initial 7\u2011day window, you can manually re\u2011activate the policy for another 7 days from the Trusted Publishing page. A successful NuGet login is sufficient \u2014 you don\u2019t need to publish a package.
\nOwner matters.<\/strong> A policy is owned by a user or organization and applies only to packages owned by that owner.
\nOrg changes are respected.<\/strong> If the policy creator loses org membership, or the org is locked or deleted, the policy is disabled and displays a clear warning. When membership or org access is restored, the policy re\u2011activates automatically.<\/p>\n

Migrating from long\u2011lived API keys <\/h2>\n

Already publishing from GitHub Actions? Switching is easy:<\/p>\n

Create a Trusted Publishing policy on nuget.org.
\nRemove stored NuGet API keys from your repo or CI secrets.
\nAdd NuGet\/login@v1 to your workflow and use its output key with dotnet nuget push.
\nDone \u2014 enjoy, no more key management!<\/p>\n

Try it today <\/h2>\n

Read the docs at aka.ms\/nuget\/trusted-publishing<\/a>
\nSign in to nuget.org \u2192 Trusted Publishing<\/strong> (next to API Keys<\/strong>) and create your first policy.<\/p>\n

Huge thanks to OpenSSF<\/a> and the Securing Software Repos working group<\/a> for defining the Trusted Publishing guidelines and encouraging their adoption throughout the broader ecosystem.<\/span><\/p>\n

Publish more securely and with less friction \u2014 thank you for contributing to the NuGet community. <\/p>\n

The post New Trusted Publishing enhances security on NuGet.org<\/a> appeared first on .NET Blog<\/a>.<\/p>","protected":false},"excerpt":{"rendered":"

We\u2019re excited to announce Trusted Publishing on nuget.org \u2014 a simpler, safer way to publish NuGet packages from GitHub Actions. […]<\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[7],"tags":[],"class_list":["post-2515","post","type-post","status-publish","format-standard","hentry","category-dotnet"],"_links":{"self":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/2515","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/comments?post=2515"}],"version-history":[{"count":0,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/2515\/revisions"}],"wp:attachment":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media?parent=2515"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/categories?post=2515"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/tags?post=2515"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}