September 22, 2025
NuGet.org has rolled out Trusted Publishing, a new security feature that simplifies and safeguards the package publishing process directly from GitHub Actions. Instead of relying on long-lived API keys, publishers can now use short-lived GitHub OIDC tokens that are exchanged for temporary, single-use API keys valid for about an hour.
(Image: trusted-publishing-short. Image courtesy: Microsoft.)
This eliminates the need to store or rotate sensitive secrets in repositories or CI/CD pipelines.
Why It Matters
No long-lived secrets: nothing sensitive is stored in your repo.
Short-lived credentials: API keys are issued just-in-time and expire quickly.
One token = one key: each GitHub Actions job gets its own unique, temporary key.
Getting Started
Sign in to nuget.org, open your user menu, and select Trusted Publishing.
Create a policy:
Choose a package owner (you or your org).
Link it to a GitHub repository and workflow file (e.g., release.yml).
Optionally, bind it to a GitHub Actions environment.
Update your GitHub Actions workflow with the Trusted Publishing login step.
From there, GitHub issues an OIDC token during workflow execution; NuGet.org validates it against your policy and returns a temporary key that is used immediately with dotnet nuget push.
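A workflow shaped like the steps above, added here as an example rather than taken from the announcement or from NuGet's own docs. The repository layout, the owner name example-owner, the environment name, and the login action's name (NuGet/login@v1) with its user input and NUGET_API_KEY output are assumptions to confirm against the NuGet docs; what the example shows is that no stored secret is referenced anywhere and the job holds only the permissions it needs.

```yaml
# Added example, not from the NuGet announcement. Action name NuGet/login@v1,
# its `user` input and NUGET_API_KEY output, the owner "example-owner", the
# project path and the environment name are all assumptions.
name: release
on:
  push:
    tags: ['v*']

permissions:
  contents: read      # least privilege: read-only checkout, no write scopes
  id-token: write     # lets GitHub mint the OIDC token for this job

jobs:
  publish:
    runs-on: ubuntu-latest
    environment: production   # optional: must match the environment bound in the nuget.org policy
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-dotnet@v4
        with:
          dotnet-version: '8.0.x'
      - run: dotnet pack src/Example.csproj -c Release -o out

      # Exchange this job's OIDC token for a temporary, single-use API key.
      # nuget.org checks the token's repository, workflow file and environment
      # claims against the policy before issuing anything.
      - name: NuGet login (Trusted Publishing)
        id: login
        uses: NuGet/login@v1          # assumed action name
        with:
          user: example-owner         # nuget.org user or org that owns the policy

      # No ${{ secrets.* }} reference anywhere: the key comes only from the login step
      # and expires on its own, so there is nothing to rotate or revoke later.
      - run: >
          dotnet nuget push out/*.nupkg
          --api-key ${{ steps.login.outputs.NUGET_API_KEY }}
          --source https://api.nuget.org/v3/index.json
          --skip-duplicate
```

Because the policy is bound to a specific workflow file (and optionally an environment with its own approval rules), a token minted by any other workflow in the same repository is rejected at nuget.org.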
Try It Today
Developers can enable Trusted Publishing now and say goodbye to secret sprawl.
Docs: aka.ms/nuget/trusted-publishing