Thursday, September 25, 2025

NuGet adds support for Trusted Publishing

Microsoft has announced that NuGet now supports Trusted Publishing for publishing packages from GitHub Actions.

Trusted Publishing is an authentication method based on the OpenID Connect (OIDC) standard. Rather than using long-lived API tokens when publishing software packages, an OIDC identity token is exchanged for a short-lived API token.

It has been adopted by a number of other package managers, including PyPI and now npm, following a series of recent supply chain attacks.

According to Microsoft, with Trusted Publishing, when the CI/CD system (in this case GitHub Actions) runs a workflow, a short-lived token is issued and sent to nuget.org. NuGet then verifies the token and returns a temporary API key, valid for one hour, which the workflow can use to publish the package.

“This makes your publishing process more secure by reducing the risk of leaked credentials. It also makes automation easier because you don’t have to rotate or store secrets. This approach is part of a broader industry shift toward secure, keyless publishing,” Microsoft wrote in a blog post.

To migrate from long-lived API keys to Trusted Publishing, developers need to create a Trusted Publishing policy on nuget.org, remove any stored NuGet API keys from their repository or CI secrets, add NuGet/login@v1 to their workflow, and pass the key it outputs to dotnet nuget push.
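The following GitHub Actions workflow is an added example of the migration just described; it is not taken from the article or from Microsoft's blog post. It assumes that NuGet/login@v1 takes a `user` input naming the nuget.org profile that owns the Trusted Publishing policy and exposes the one-hour key as an output called `NUGET_API_KEY`; the project path, package output directory and the `NUGET_USER` repository variable are placeholders.

```yaml
# Added example: publish a NuGet package from GitHub Actions using Trusted Publishing.
# Not part of the original article. Assumed: NuGet/login@v1 input `user` and
# output `NUGET_API_KEY`; project path and variable names are placeholders.
name: publish-nuget

on:
  release:
    types: [published]

permissions:
  contents: read
  id-token: write   # lets the job request a GitHub OIDC identity token

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-dotnet@v4
        with:
          dotnet-version: '8.0.x'

      # Placeholder project path; build the .nupkg into ./out
      - name: Pack
        run: dotnet pack src/MyPackage/MyPackage.csproj -c Release -o out

      # Exchange the OIDC token for a temporary nuget.org API key (valid one hour).
      # This step replaces `--api-key ${{ secrets.NUGET_API_KEY }}`; once it works,
      # delete the long-lived key from repository secrets and revoke it on nuget.org.
      - name: NuGet login (OIDC)
        id: login
        uses: NuGet/login@v1
        with:
          user: ${{ vars.NUGET_USER }}   # nuget.org username (assumed input name)

      # Push with the short-lived key; nothing long-lived is stored in the repo.
      - name: Push
        run: >
          dotnet nuget push out/*.nupkg
          --api-key ${{ steps.login.outputs.NUGET_API_KEY }}
          --source https://api.nuget.org/v3/index.json
          --skip-duplicate
```

The `id-token: write` permission is what allows GitHub to mint the OIDC token for the job; without it the login step has nothing to exchange. Because the returned key expires after an hour, a key that leaks from a log or artifact is far less useful to an attacker than a stored long-lived API key, and the nuget.org policy can be scoped so that only this repository and workflow are accepted.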
