

Microsoft has announced that NuGet now supports Trusted Publishing for publishing packages from GitHub Actions.
Trusted Publishing is an authentication technique that uses the OpenID Connect (OIDC) standard. Rather than using long-lived API tokens when publishing software packages, an OIDC identity token is exchanged for a short-lived API token.
It has been adopted by a number of other package managers, including PyPI and now npm, following a series of recent supply chain attacks.
According to Microsoft, with Trusted Publishing, when the CI/CD system (in this case GitHub Actions) runs a workflow, a short-lived token is issued and sent to nuget.org. NuGet then verifies the token and returns a temporary API key that lasts one hour, which the workflow can use to publish the package.
“This makes your publishing process more secure by reducing the risk of leaked credentials. It also makes automation easier because you don’t need to rotate or store secrets. This approach is part of a broader industry shift toward secure, keyless publishing,” Microsoft wrote in a blog post.
To migrate from long-lived API keys to Trusted Publishing, developers will need to create a Trusted Publishing policy on nuget.org, remove any stored NuGet API keys from their repo or CI secrets, add NuGet/login@v1 to their workflow, and use the output key with dotnet nuget push.
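The migration steps above, assembled into a complete GitHub Actions workflow. This is an added example, not code from the article or from Microsoft’s blog post: the job name, tag trigger, output directory and the `NUGET_USER` secret name are constructed; the `user` input of NuGet/login@v1 and its `NUGET_API_KEY` output are taken from the action’s documentation and are assumptions here, not details stated in the article. The defender-relevant parts are the job-scoped `id-token: write` permission (without it no OIDC token is issued and the login step fails), the absence of any long-lived NuGet key in `secrets`, and the fact that the key passed to `dotnet nuget push` is the one-hour temporary key returned by nuget.org.

```yaml
# Constructed example: publish a package to nuget.org via Trusted Publishing (OIDC).
# No long-lived NUGET_API_KEY secret exists in this repo; the only secret is the
# nuget.org profile name, which is not a credential.
name: publish-nuget

on:
  push:
    tags:
      - "v*"          # constructed: publish only on version tags

jobs:
  publish:
    runs-on: ubuntu-latest
    # Least privilege: the OIDC token is only mintable by this job, and the job
    # needs nothing beyond reading the repo and requesting an id-token.
    permissions:
      contents: read
      id-token: write  # required for GitHub to issue the OIDC identity token

    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-dotnet@v4
        with:
          dotnet-version: "8.0.x"   # constructed: match the project's SDK

      - name: Build and pack
        run: dotnet pack --configuration Release --output ./artifacts

      # Exchanges the workflow's OIDC token for a temporary nuget.org API key.
      # nuget.org accepts the token only if a Trusted Publishing policy on the
      # account matches this repository and workflow.
      - name: NuGet login (OIDC -> short-lived API key)
        id: nuget-login
        uses: NuGet/login@v1
        with:
          user: ${{ secrets.NUGET_USER }}   # assumed input: nuget.org profile name (constructed secret name)

      # The key in the step output is valid for one hour, so nothing durable
      # is stored in the repository or in CI secrets.
      - name: Push package
        run: >
          dotnet nuget push ./artifacts/*.nupkg
          --source https://api.nuget.org/v3/index.json
          --api-key ${{ steps.nuget-login.outputs.NUGET_API_KEY }}
          --skip-duplicate
```

Two checks worth making when reviewing such a workflow: confirm the Trusted Publishing policy on nuget.org is pinned to this repository, branch or tag pattern, and workflow file name rather than to the whole GitHub organization, and confirm that no `NUGET_API_KEY`-style secret remains in the repository or organization settings after the migration, since a stale long-lived key defeats the purpose of moving to OIDC.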