Skip to content

ci: rehearse the NuGet OIDC login in the release dry run#88

Merged
Reefact merged 1 commit into
mainfrom
claude/ci-dryrun-oidc
Jul 10, 2026
Merged

ci: rehearse the NuGet OIDC login in the release dry run#88
Reefact merged 1 commit into
mainfrom
claude/ci-dryrun-oidc

Conversation

@Reefact

@Reefact Reefact commented Jul 10, 2026

Copy link
Copy Markdown
Owner

Summary

The manual dry run stopped after the provenance attestation and skipped the NuGet login (along with the push and GitHub Release), so a broken NuGet trusted-publishing setup was the one thing a dry run could not catch — it surfaced only during a real release. This un-gates the NuGet OIDC login so the dry run rehearses it.

Type of change

  • Bug fix
  • New feature
  • Breaking change
  • Refactoring
  • Analyzer / diagnostic change
  • Tests
  • Documentation
  • Build / CI / tooling

Changes

  • .github/workflows/release.yml: the NuGet login (OIDC) step loses its dry_run gate and now runs on every trigger. The OIDC token exchange validates the trusted-publishing policy, so a dry run fails red when the policy or the NUGET_USER secret is missing/misconfigured (design decision: a fatal signal, not a log line). It mints a short-lived, single-use key the dry run never spends; Push to NuGet and Publish GitHub Release stay gated on dry_run == false, so nothing is published. A tag push is unaffected (it already ran the login).
  • maintainers/ReleaseDryRun.en.md / .fr.md: the login moves from "skipped" to "runs in a dry run", with a new Impacts note that it mints an unused token and that a dry run now requires the trusted-publishing policy.

Testing

  • dotnet build FirstClassErrors.sln
  • dotnet test FirstClassErrors.sln
  • Analyzer tests pass (FirstClassErrors.Analyzers.UnitTests)

Not applicable: release.yml runs only on tags / workflow_dispatch, so no PR CI job exercises it. Verified structurally: YAML parses; the login step carries no if: (runs on all triggers) while Push and GitHub Release keep if: github.event_name == 'push' || inputs.dry_run == false. End-to-end proof is the next manual dry run (workflow_dispatch, dry_run ticked): it will now exercise the OIDC exchange and fail if trusted publishing is not configured.

Documentation

  • No library documentation change required (the updated maintainers/ doc is operational, kept separate from doc/).

🤖 Generated with Claude Code

https://claude.ai/code/session_01AbXi2ZEaUFeFWodNxdY6Zk


Generated by Claude Code

The manual dry run stopped after the provenance attestation and skipped the
NuGet login along with the push and the GitHub Release — so the one thing a
dry run could not catch was a broken NuGet trusted-publishing setup, which was
only ever discovered during a real release.

Un-gate the NuGet OIDC login so it runs on every trigger, including a dry run:
the OIDC token exchange is what validates the trusted-publishing policy, so a
dry run now fails red when the policy or the NUGET_USER secret is missing or
misconfigured (chosen deliberately — a fatal signal, not a log line). It mints
a short-lived, single-use key the dry run never spends; the push and the GitHub
Release stay gated on dry_run == false, so nothing is published. A tag push is
unaffected (it already ran the login).

Maintainers/ReleaseDryRun.{en,fr}.md updated: the login moves from the skipped
column to "runs in a dry run", and a new Impacts note explains it mints an
unused token and that a dry run requires the trusted-publishing policy.
@Reefact Reefact merged commit 653ad43 into main Jul 10, 2026
11 checks passed
Repository owner deleted a comment from chatgpt-codex-connector Bot Jul 10, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants