As a .NET developer working with CI/CD and GitHub Actions, I’ve always been concerned about one thing: long-lived NuGet API keys. Storing them in secrets, rotating them, and protecting them from leaks has always been a weak point in the supply chain.
That changes today.
Microsoft has officially introduced Trusted Publishing on NuGet.org — a modern, secure way to publish NuGet packages using short-lived credentials powered by GitHub OIDC.
Official announcement: Enhanced Security Is Here with Trusted Publishing
Table of Contents
- Why Trusted Publishing?
- Getting Started
- Minimal GitHub Actions Example
- How It Works
- Policy Ownership & Lifecycle
- Migrating from Long-Lived API Keys
- Try It Today
Why Trusted Publishing?
Trusted Publishing eliminates one of the biggest security risks in modern DevOps: permanent secrets living in CI pipelines.
- No long-lived secrets stored in repositories or CI
- Short-lived API keys (≈ 1 hour)
- One token → one key (single-use per job)
- OIDC-based identity validation
This aligns perfectly with Zero Trust and OpenSSF supply-chain security recommendations.
Getting Started with Trusted Publishing
- Sign in to nuget.org
- Open your profile menu (top-right)
- Click Trusted Publishing (next to API Keys)
- Create a new policy with:
  - Package owner (you or your org)
  - GitHub repository (org/user + repo)
  - Workflow file (e.g. release.yml)
  - (Optional) GitHub Actions environment
Official documentation: Trusted Publishing on Microsoft Learn
Minimal GitHub Actions Example
Below is the minimum required configuration to publish securely using Trusted Publishing.
```yaml
permissions:
  id-token: write # Required for GitHub OIDC

jobs:
  build-and-publish:
    runs-on: ubuntu-latest # a job must name a runner to be valid
    permissions:
      id-token: write
    steps:
      # Build your .nupkg here (checkout, dotnet pack, ...)
      - name: NuGet login (OIDC → temp API key)
        uses: NuGet/login@v1
        id: login
        with:
          user: contoso-bot # the nuget.org account that owns the policy
      - name: Publish package
        run: |
          dotnet nuget push artifacts/my-sdk.nupkg \
            --api-key ${{ steps.login.outputs.NUGET_API_KEY }} \
            --source https://api.nuget.org/v3/index.json
```
The key is generated just-in-time and expires automatically.
How Trusted Publishing Works
- GitHub issues an OIDC token to your workflow job
- NuGet/login@v1 sends it to nuget.org
- nuget.org validates it against your policy
- A temporary API key is issued
- The package is published securely
The API key typically expires within 1 hour.
Policy Ownership & Lifecycle
- Private repo bootstrap: 7-day activation window
- Permanent activation: After first successful OIDC login
- Immutable GitHub IDs: Prevent repo spoofing
- Org safety: Policies auto-disable if org access changes
This ensures that only verified repositories can publish packages.
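To make the validation step and the immutable-ID rule concrete, here is a simplified model of how a token's claims can be compared against a policy. It is an added example written for this post, not NuGet's own code; it assumes the token's signature, audience and expiry were already verified by a JWT library, and the owner, repo names and numeric IDs are constructed samples.

```python
from dataclasses import dataclass

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"


@dataclass(frozen=True)
class TrustedPublishingPolicy:
    """Fields a policy records; the numeric IDs model the immutable GitHub IDs (assumed pinned at first login)."""
    owner: str
    owner_id: str
    repo: str
    repo_id: str
    workflow_file: str  # e.g. "release.yml"
    environment: str = ""  # empty string = no environment restriction


def evaluate_policy(claims: dict, policy: TrustedPublishingPolicy) -> tuple:
    """Return (accepted, reason) for a decoded GitHub OIDC token; signature/expiry assumed verified."""
    if claims.get("iss") != GITHUB_ISSUER:
        return False, "token not issued by GitHub Actions"
    # Names are checked for readability, but the immutable IDs are what stop a deleted and
    # re-created org or repo with the same name from inheriting the policy.
    if claims.get("repository_owner_id") != policy.owner_id:
        return False, "owner ID mismatch (org/user was re-created)"
    if claims.get("repository_id") != policy.repo_id:
        return False, "repository ID mismatch (possible repo spoofing)"
    if claims.get("repository") != f"{policy.owner}/{policy.repo}":
        return False, "repository name mismatch"
    # workflow_ref has the form "owner/repo/.github/workflows/<file>@<git ref>"
    workflow_path = claims.get("workflow_ref", "").split("@", 1)[0]
    if workflow_path != f"{policy.owner}/{policy.repo}/.github/workflows/{policy.workflow_file}":
        return False, "workflow file mismatch"
    if policy.environment and claims.get("environment") != policy.environment:
        return False, "environment mismatch"
    return True, "policy matched; issue a short-lived API key"


# Constructed sample data (hypothetical names and IDs, not a real token or policy).
POLICY = TrustedPublishingPolicy("contoso", "12345", "my-sdk", "67890", "release.yml", "production")


def sample_claims(**overrides) -> dict:
    """Decoded claims of a legitimate run of contoso/my-sdk's release.yml, with optional overrides."""
    claims = {
        "iss": GITHUB_ISSUER,
        "repository": "contoso/my-sdk",
        "repository_id": "67890",
        "repository_owner_id": "12345",
        "workflow_ref": "contoso/my-sdk/.github/workflows/release.yml@refs/heads/main",
        "environment": "production",
    }
    claims.update(overrides)
    return claims
```

Overriding `repository_id` while keeping the same `repository` name shows why the ID check, not the name, is what defeats a re-created repository.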
Migrating from Long-Lived API Keys
If you’re already publishing from GitHub Actions, migration is extremely easy:
- Create a Trusted Publishing policy
- Delete existing NuGet API keys from secrets
- Add NuGet/login@v1 to your workflow
- Publish securely
No more secret rotation. No more leaks.
Try It Today
- Docs: aka.ms/nuget/trusted-publishing
- NuGet.org → Trusted Publishing
Huge credit to OpenSSF and the Securing Software Repos working group for pushing the ecosystem forward.
Publish more securely. Ship with confidence.
If you found this useful, follow my blog for more .NET, Cloud, DevOps & Security deep dives.