Microsoft has announced that NuGet now supports Trusted Publishing for publishing packages from GitHub Actions.
Trusted Publishing is an authentication method that utilizes the OpenID Connect (OIDC) standard. Rather than using long-lived API tokens when publishing software packages, an OIDC identity token can be exchanged for a short-lived API token.
It has been adopted by a variety of other package managers, including PyPI and now npm following a series of recent supply chain attacks.
According to Microsoft, with Trusted Publishing, when the CI/CD system (in this case GitHub Actions) runs a workflow, a short-lived token is issued and sent to nuget.org. NuGet then verifies the token and returns a temporary API key that lasts one hour which the workflow can use to publish the package.
“This makes your publishing process safer by reducing the risk of leaked credentials. It also makes automation easier because you don’t need to rotate or store secrets. This approach is part of a broader industry shift toward secure, keyless publishing,” Microsoft wrote in a blog post.
To migrate from long-lived API keys to Trusted Publishing, developers will need to create a Trusted Publishing policy on nuget.org, remove any stored NuGet API keys from their repo or CI secrets, and add NuGet/login@v1 to their workflow and use the output key using dotnet nuget push.
The post NuGet adds support for Trusted Publishing appeared first on SD Times.
Source: Read MoreÂ
