Skip to content

Add actions read permission to NuGet release job#470

Open
jfversluis wants to merge 2 commits into
mainfrom
jfversluis-add-actions-read-permission
Open

Add actions read permission to NuGet release job#470
jfversluis wants to merge 2 commits into
mainfrom
jfversluis-add-actions-read-permission

Conversation

@jfversluis

@jfversluis jfversluis commented Jul 16, 2026

Copy link
Copy Markdown
Member

Release blocker

Merging this PR is mandatory before the next release. Without this change, NuGet trusted publishing will fail at the NuGet/login step because no NUGET_USER environment secret will be present.

Summary

  • Add actions: read to the NuGet.org release job permissions alongside id-token: write and contents: read.
  • Use the literal public NuGet username jfversluis_MSFT for NuGet/login instead of a hidden secret.
  • OIDC still provides the short-lived API key through ${{ steps.login.outputs.NUGET_API_KEY }}; the username itself is public.
  • Align the Maui.Markup trusted-publishing job with the CommunityToolkit/Maui fix.
  • This is needed because actions/download-artifact requires actions: read when job permissions are explicitly restricted.
  • The NuGet.org trusted publishing configuration is already taken care of.

Validation

  • git diff --check
  • Text check confirmed the release job includes actions: read, id-token: write, and contents: read.
  • Text check confirmed NuGet/login uses user: jfversluis_MSFT and no longer references ${{ secrets.NUGET_USER }}.
  • Text check confirmed NuGet push still uses ${{ steps.login.outputs.NUGET_API_KEY }}.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 16, 2026 19:11

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This pull request adjusts the GitHub Actions workflow for the NuGet release pipeline by granting the release job explicit permission to read GitHub Actions resources, which is required when job-level permissions are locked down and actions/download-artifact is used.

Changes:

  • Added actions: read to the release job’s explicit permissions block in .github/workflows/dotnet-build.yml to support actions/download-artifact.
Show a summary per file
File Description
.github/workflows/dotnet-build.yml Adds actions: read permission to the NuGet release job to allow artifact download under restricted permissions.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 1/1 changed files
  • Comments generated: 0
  • Review effort level: Low

Copilot AI review requested due to automatic review settings July 16, 2026 20:07
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review details

  • Files reviewed: 1/1 changed files
  • Comments generated: 0 new
  • Review effort level: Low

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants