Skip to content

Update NuGet deps to latest stable; switch release to trusted publishing#14

Merged
StuartMeeks merged 1 commit into
mainfrom
update-deps-trusted-publishing
Jun 10, 2026
Merged

Update NuGet deps to latest stable; switch release to trusted publishing#14
StuartMeeks merged 1 commit into
mainfrom
update-deps-trusted-publishing

Conversation

@StuartMeeks

@StuartMeeks StuartMeeks commented Jun 10, 2026

Copy link
Copy Markdown
Owner

Summary

Two changes requested for this session:

1. NuGet package updates (latest non-prerelease)

Package Old New
Microsoft.Extensions.DependencyInjection.Abstractions 10.0.8 10.0.9
Microsoft.Extensions.Http 10.0.8 10.0.9
Spectre.Console 0.55.2 0.56.0
Spectre.Console.Testing 0.55.2 0.56.0

Already at latest stable (newer versions are prerelease-only, so left as-is): Spectre.Console.Cli 0.55.0, Microsoft.SourceLink.GitHub 10.0.300, Microsoft.NET.Test.Sdk 18.6.0, xunit 2.9.3, xunit.runner.visualstudio 3.1.5, coverlet.collector 10.0.1.

Build is clean (0 warnings, TreatWarningsAsErrors on) and all 196 tests pass locally.

2. NuGet Trusted Publishing

The release workflow no longer uses a long-lived NUGET_API_KEY secret. The publish job now adds id-token: write and uses NuGet/login@v1 to exchange the GitHub OIDC token for a short-lived (1 hour) API key just before dotnet nuget push.

Required before this can publish ⚠️

  1. Configure a Trusted Publishing policy on nuget.org (your username → Trusted Publishing):
    • Repository Owner: StuartMeeks
    • Repository: NextIteration.SpectreConsole.SelfUpdate
    • Workflow File: release.yml (filename only)
    • Environment: leave blank (workflow doesn't use one)
  2. Add a NUGET_USER repo secret = your nuget.org profile name (not your email).
  3. After the first successful publish, the old NUGET_API_KEY secret can be deleted.

Note: for the first publish on a private repo the policy may be "pending full activation" for 7 days until a successful publish locks in the repo/owner IDs. This repo is public, so it should activate immediately.

🤖 Generated with Claude Code

@StuartMeeks @claude
Update NuGet deps to latest stable; switch release to trusted publishing
54f0706 
Package updates (latest non-prerelease):
- Microsoft.Extensions.DependencyInjection.Abstractions 10.0.8 -> 10.0.9
- Microsoft.Extensions.Http 10.0.8 -> 10.0.9
- Spectre.Console 0.55.2 -> 0.56.0
- Spectre.Console.Testing 0.55.2 -> 0.56.0

Left unchanged (already at latest stable; newer releases are prerelease only):
Spectre.Console.Cli 0.55.0, Microsoft.SourceLink.GitHub 10.0.300,
Microsoft.NET.Test.Sdk 18.6.0, xunit 2.9.3, xunit.runner.visualstudio 3.1.5,
coverlet.collector 10.0.1.

Release workflow now uses NuGet Trusted Publishing: the publish job requests a
short-lived API key via NuGet/login@v1 (OIDC) instead of a long-lived
NUGET_API_KEY secret. Adds id-token: write permission.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@StuartMeeks StuartMeeks merged commit 177eab8 into main Jun 10, 2026
4 checks passed
@StuartMeeks StuartMeeks deleted the update-deps-trusted-publishing branch June 10, 2026 02:41
@StuartMeeks StuartMeeks mentioned this pull request Jun 10, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@StuartMeeks