
[Repo Assist] Switch publish workflow to NuGet trusted publishing (OIDC) #252

@github-actions

🤖 This is an automated pull request from Repo Assist, responding to /repo-assist please do this on issue #251.

Replaces the expired NUGET_ORG_TOKEN_2021 API key secret with keyless [NuGet trusted publishing](learn.microsoft.com/redacted) via GitHub's OIDC.

Root cause

The NUGET_ORG_TOKEN_2021 secret (a static NuGet.org API key) expired in July 2022 per the comment in publish.yml. New packages can no longer be pushed from CI without updating the secret.

Changes

  • Add id-token: write permission — required so the workflow can request an OIDC token from GitHub
  • Add contents: write permission — required for the existing GitHub Pages deployment step (was implicitly available before; now must be explicit)
  • Exchange OIDC token for a short-lived NuGet API key via actions/github-script@v7 calling https://www.nuget.org/api/v3/trustedpublishing/getapikey; the key is masked in logs and scoped to a single run
  • Remove NUGET_ORG_TOKEN_2021 — no more long-lived secrets to rotate
  • Bump actions/checkout v2 → v4

Required one-time setup on nuget.org

Before this workflow can successfully publish, the package owner must register the GitHub Actions trusted publisher on nuget.org:

  1. Go to https://www.nuget.org/packages/FSharp.Control.AsyncSeq → Manage → Trusted Publishers
  2. Click Add GitHub Actions publisher and fill in:
     Field         Value
     Owner         fsprojects
     Repository    FSharp.Control.AsyncSeq
     Workflow      publish.yml
     Environment   (leave blank)

That's it — no API keys to store or rotate.

Trade-offs

  • The actions/github-script step adds a small JS fetch; this is the standard pattern until dotnet nuget push supports OIDC natively in the CLI
  • If the NuGet.org trusted publisher is not configured, the OIDC exchange will fail with a clear error message (not a silent publish failure)

Test Status

This is a workflow-only change. The build/test/pack steps are unchanged; only the authentication mechanism for dotnet nuget push is updated. The new step cannot be integration-tested in a PR (it requires an actual push to main with the trusted publisher configured on nuget.org).

Closes #251

Generated by Repo Assist for issue #251

To install this workflow, run gh aw add githubnext/agentics/workflows/repo-assist.md@b87234850bf9664d198f28a02df0f937d0447295. View source at https://github.com/githubnext/agentics/tree/b87234850bf9664d198f28a02df0f937d0447295/workflows/repo-assist.md.


Note

This was originally intended as a pull request, but the git push operation failed.

Workflow Run: View run details and download patch artifact

The patch file is available in the agent-artifacts artifact in the workflow run linked above.

To apply the patch locally:

# Download the artifact from the workflow run https://github.com/fsprojects/FSharp.Control.AsyncSeq/actions/runs/22371680169
# (Use GitHub MCP tools if gh CLI is not available)
gh run download 22371680169 -n agent-artifacts -D /tmp/agent-artifacts-22371680169

# The patch file will be at agent-artifacts/tmp/gh-aw/aw-repo-assist-fix-issue-251-nuget-trusted-publishing.patch after download
# Apply the patch (--3way handles cross-repo patches where files may already exist)
git am --3way /tmp/agent-artifacts-22371680169/aw-repo-assist-fix-issue-251-nuget-trusted-publishing.patch
From a3f95cef7813c43fabbed316bb3526291da8b673 Mon Sep 17 00:00:00 2001
From: Repo Assist <repo-assist@github.com>
Date: Tue, 24 Feb 2026 21:56:58 +0000
Subject: [PATCH] Switch publish workflow to NuGet trusted publishing (OIDC)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Replaces the expired NUGET_ORG_TOKEN_2021 secret with keyless OIDC-based
trusted publishing supported by nuget.org since 2024.

Changes:
- Add id-token: write permission for OIDC token generation
- Add contents: write permission (needed for GitHub Pages step)
- Use actions/github-script to exchange GitHub OIDC token for a
  short-lived NuGet API key via nuget.org's trusted publishing endpoint
- Remove dependency on the expired NUGET_ORG_TOKEN_2021 secret
- Bump actions/checkout from v2 to v4

One-time setup required on nuget.org:
  Package → Manage → Trusted Publishers → Add GitHub Actions publisher
  with owner=fsprojects, repo=FSharp.Control.AsyncSeq, workflow=publish.yml

Closes #251

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/workflows/publish.yml | 38 ++++++++++++++++++++++++++++++-----
 1 file changed, 33 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 5bc667b..946bf55 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -5,8 +5,11 @@ on:
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write   # For GitHub Pages deployment
+      id-token: write   # For NuGet trusted publishing (OIDC)
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
     - name: Setup .NET
       uses: actions/setup-dotnet@v4.3.1
       with:
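Review bot: the job-level `permissions:` block grants `contents: write` and `id-token: write` to every step of the `build` job, so the restore/pack/docs steps and each third-party action they pull in can mint an OIDC token for this repository, not just the step that exchanges it for a NuGet key. Consider splitting the push into its own job that declares `id-token: write` with `contents: read` and receives the `.nupkg` via an artifact, and keeping `contents: write` only in the job that runs the Pages deploy. While touching these lines, `actions/checkout@v4` and `actions/setup-dotnet@v4.3.1` are mutable tags; in a job that can now obtain identity tokens, pinning them to a full commit SHA (with the tag in a trailing comment) closes one supply-chain route to that token.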
@@ -19,15 +22,40 @@ jobs:
       run: dotnet pack -c Release
     - name: Build docs
       run: dotnet fsdocs build --properties Configuration=Release
-    - name: Deploy
+    - name: Deploy docs
       uses: peaceiris/actions-gh-pages@v3
       with:
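Review bot: only the step rename `Deploy` → `Deploy docs` is visible in this hunk; the `actions/github-script` OIDC-exchange step described in the commit message falls in the truncated part, so its audience, endpoint and masking cannot be reviewed from the preview. For what is visible, `peaceiris/actions-gh-pages@v3` is an unpinned major tag and is the one step that needs `contents: write`; since it now runs inside a job that also holds `id-token: write`, pin it to a full commit SHA, and consider giving the docs deploy its own job so the Pages action never runs with the OIDC scope available.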

... (truncated)
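As an added illustration, not code from this PR or from the FSharp.Control.AsyncSeq project, the block below models what the one-time nuget.org registration (Owner, Repository, Workflow, Environment) actually enforces: it is a claim matcher over the GitHub Actions OIDC token. The matching logic is an assumption-labelled approximation built from the documented GitHub token claims (`iss`, `aud`, `repository`, `job_workflow_ref`, `environment`); nuget.org's real implementation is not on the page. The audience string `nuget.org`, the environment name `nuget`, and every sample token are constructed for the example. It also shows the consequence of the PR's "Environment (leave blank)" choice: any run of publish.yml in the repository, on any branch, satisfies the policy, whereas naming an environment forces the run through that environment's protection rules.

```python
"""Added example: model of nuget.org trusted-publisher matching against
GitHub Actions OIDC claims. Assumptions (not from the PR): the audience value,
the environment name 'nuget', and the matching rules themselves. Tokens are
constructed test data with a placeholder signature."""
import base64
import json
from dataclasses import dataclass

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
ASSUMED_AUDIENCE = "nuget.org"  # assumed; the PR does not state the expected `aud`


@dataclass(frozen=True)
class TrustedPublisher:
    """The four fields from the nuget.org 'Add GitHub Actions publisher' form."""
    owner: str
    repository: str
    workflow: str           # file name under .github/workflows/
    environment: str = ""   # blank = no environment restriction (as in the PR)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def make_unsigned_jwt(claims: dict) -> str:
    """Build a JWT-shaped string with a placeholder signature so the decoder has
    realistic input. Constructed test data only; never accept such a token."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def decode_unverified_claims(jwt: str) -> dict:
    """Read the payload without checking the signature. Inspection only: a real
    relying party verifies RS256 against GitHub's JWKS before trusting a claim."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def matches(policy: TrustedPublisher, claims: dict) -> tuple[bool, str]:
    """Fail-closed comparison of the claims a trusted-publisher entry pins down."""
    if claims.get("iss") != GITHUB_ISSUER:
        return False, "wrong issuer"
    aud = claims.get("aud")
    if aud != ASSUMED_AUDIENCE and not (isinstance(aud, list) and ASSUMED_AUDIENCE in aud):
        return False, "audience mismatch"
    # A copy of publish.yml running in a fork carries the fork's `repository`.
    if claims.get("repository") != f"{policy.owner}/{policy.repository}":
        return False, "repository mismatch"
    # job_workflow_ref looks like "<owner>/<repo>/.github/workflows/<file>@<ref>".
    path = claims.get("job_workflow_ref", "").partition("@")[0]
    if path != f"{policy.owner}/{policy.repository}/.github/workflows/{policy.workflow}":
        return False, "workflow mismatch"
    # Blank Environment accepts runs with any environment or none at all.
    if policy.environment and claims.get("environment") != policy.environment:
        return False, "environment mismatch"
    return True, "ok"


REPO = "fsprojects/FSharp.Control.AsyncSeq"
PR_POLICY = TrustedPublisher("fsprojects", "FSharp.Control.AsyncSeq", "publish.yml")
ENV_POLICY = TrustedPublisher("fsprojects", "FSharp.Control.AsyncSeq", "publish.yml",
                              environment="nuget")  # hypothetical environment name


def _claims(**overrides) -> dict:
    """Constructed claim set for a publish.yml run on main; overrides vary it."""
    base = {
        "iss": GITHUB_ISSUER,
        "aud": ASSUMED_AUDIENCE,
        "repository": REPO,
        "repository_owner": "fsprojects",
        "ref": "refs/heads/main",
        "job_workflow_ref": f"{REPO}/.github/workflows/publish.yml@refs/heads/main",
    }
    base.update(overrides)
    return base


def evaluate_examples() -> dict[str, tuple[bool, str]]:
    """Run constructed tokens through the PR's policy and a hardened one."""
    fork = "someone/FSharp.Control.AsyncSeq"
    cases = {
        "main, blank env policy": (PR_POLICY, _claims()),
        "fork, blank env policy": (PR_POLICY, _claims(
            repository=fork,
            job_workflow_ref=f"{fork}/.github/workflows/publish.yml@refs/heads/main")),
        "ci.yml, blank env policy": (PR_POLICY, _claims(
            job_workflow_ref=f"{REPO}/.github/workflows/ci.yml@refs/heads/main")),
        "main, no environment, env policy": (ENV_POLICY, _claims()),
        "main, nuget environment, env policy": (ENV_POLICY, _claims(environment="nuget")),
    }
    return {name: matches(policy, decode_unverified_claims(make_unsigned_jwt(claims)))
            for name, (policy, claims) in cases.items()}


if __name__ == "__main__":
    for name, (ok, reason) in evaluate_examples().items():
        print(f"{'ALLOW' if ok else 'DENY':5} {name}: {reason}")
```

The point of the last two cases: with the form's Environment left blank, a run of publish.yml from any branch (or a manual re-run of an old commit) is accepted; filling in an environment name ties the policy to the `environment` claim, which GitHub only sets when the job actually went through that environment and its reviewers or branch rules.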
