Add Trusted Publishing doc #3442
Conversation
Pull Request Overview
Adds documentation for the new Trusted Publishing feature on NuGet.org and updates the overview page to reference it.
- Introduce a dedicated conceptual doc explaining the Trusted Publishing workflow with GitHub Actions
- Link the new Trusted Publishing doc from the nuget.org overview page
- Provide a sample GitHub Actions YAML snippet for how to obtain and use a short-lived API key
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| docs/nuget-org/trusted-publishing.md | New conceptual documentation for Trusted Publishing |
| docs/nuget-org/overview-nuget-org.md | Added “Trusted Publishing” section and link to doc |
Comments suppressed due to low confidence (3)
docs/nuget-org/trusted-publishing.md:10
- Use consistent NuGet branding: capitalize 'NuGet.org' instead of 'nuget.org' in the header.
# Trusted Publishing on nuget.org
docs/nuget-org/trusted-publishing.md:46
- Remove the TODO placeholder or replace it with concrete instructions for producing the package artifact.
# TODO: steps to produce artifacts/my-sdk.nupkg
docs/nuget-org/overview-nuget-org.md:36
- Use title case for the section header: '## Trusted Publishing' to match branding and other headings.
## Trusted publishing
Learn Build status updates of commit 2d88d79: ✅ Validation status: passed
For more details, please refer to the build report.
We should hold off on merging this until we're very ready for it to go live. For example, the feature is available for everyone without the feature flag
Learn Build status updates of commit 9aef78f: ✅ Validation status: passed
For more details, please refer to the build report.
Trusted Publishing UI has "learn more" links pointing to this doc. Thus it needs to go live before onboarding first users.
Learn Build status updates of commit 4c44c87: ✅ Validation status: passed
For more details, please refer to the build report.
Learn Build status updates of commit 98587b5: ✅ Validation status: passed
For more details, please refer to the build report.
Learn Build status updates of commit 5c85715: ✅ Validation status: passed
For more details, please refer to the build report.
Learn Build status updates of commit 94dc80e: ✅ Validation status: passed
For more details, please refer to the build report.
docs/nuget-org/trusted-publishing.md (outdated)

> Sometimes when you create a Trusted Publishing policy, we can’t get the GitHub repository and owner IDs right away.
> This usually happens with private repos. Once these IDs are available—typically after a successful publish—the policy
> becomes **active indefinitely**.
>
> Why does that matter? Because we use those IDs to lock the policy to the original repo and owner. That helps prevent resurrection attacks. Without the IDs, someone could delete a repo, recreate it with the same name, and try to publish as if nothing changed.
>
> If we don’t have the IDs, the policy starts out as **active for 7 days**. You’ll see this in the UI. It works like a regular policy, but it will automatically become **inactive** after **7 days** unless a publish occurs.
>
> If no publish happens in time, the policy becomes **inactive**. You can reset the 7-day timer at any point, even if the policy has already become inactive after the initial window expired.

Suggested change (replaces the quoted paragraphs above):

> When you create a Trusted Publishing policy, sometimes it starts out as temporarily active for 7 days. You’ll see this status in the UI. During this time, it behaves like a regular policy. But if no publish happens within those 7 days, the policy automatically becomes inactive. You can restart the 7-day window at any time—even after it expires.
>
> Why is this temporary period necessary? Because for newly created policies it may take NuGet some time to get the GitHub repository and owner IDs, especially for private repos. These IDs are critical—they lock the policy to the original repo and owner, which helps prevent resurrection attacks. Without them, someone could delete a repo, recreate it with the same name, and try to publish as if nothing changed.
>
> Once a successful publish provides those IDs, the policy becomes permanently active.
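The policy lifecycle discussed in the review comment above (temporary 7-day window, restartable timer, IDs pinned by the first successful publish, same-name-different-ID publishes rejected afterwards) as a runnable model. This is an added example, not NuGet.org's code and not from the PR; it assumes the matching inputs are the GitHub Actions OIDC token claims `repository`, `repository_id`, `repository_owner` and `repository_owner_id`, and the decision logic in `evaluate_publish` is a hypothetical reconstruction of the rules stated in the thread. Anything else NuGet.org may check (workflow file, environment, and so on) is not on this page and is not modelled; all claim values are constructed.

```python
# Added example (not NuGet.org's code): toy model of the Trusted Publishing
# policy lifecycle described in the review thread. Assumption: the relevant
# inputs are the GitHub Actions OIDC claims `repository`, `repository_id`,
# `repository_owner` and `repository_owner_id`. Other checks are not modelled.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

TEMP_WINDOW = timedelta(days=7)  # the 7-day temporary window named in the thread


@dataclass
class Policy:
    owner: str                      # GitHub owner name the policy was created with
    repo: str                       # repository name the policy was created with
    window_started_at: datetime     # start of the current 7-day window
    owner_id: Optional[str] = None  # numeric IDs; unknown until a publish pins them
    repo_id: Optional[str] = None

    def is_permanent(self) -> bool:
        """IDs known: the policy is locked to the original repo and owner."""
        return self.owner_id is not None and self.repo_id is not None

    def is_active(self, now: datetime) -> bool:
        """Permanent policies never expire; temporary ones last 7 days per window."""
        if self.is_permanent():
            return True
        return now - self.window_started_at < TEMP_WINDOW

    def restart_window(self, now: datetime) -> None:
        """The UI action that resets the 7-day timer, even after it has expired."""
        self.window_started_at = now


def evaluate_publish(policy: Policy, claims: dict, now: datetime) -> tuple[bool, str]:
    """Hypothetical decision: name must always match; numeric IDs are pinned on
    the first successful publish and enforced on every publish after that."""
    if not policy.is_active(now):
        return False, "policy inactive: 7-day window expired without a publish"
    expected_name = f"{policy.owner}/{policy.repo}".lower()
    if claims["repository"].lower() != expected_name:
        return False, "repository name does not match policy"
    if policy.is_permanent():
        if (claims["repository_id"] != policy.repo_id
                or claims["repository_owner_id"] != policy.owner_id):
            # Same name, different IDs: the repo or owner was deleted and
            # recreated, which is exactly the resurrection case. Reject.
            return False, "repository/owner IDs do not match the pinned IDs"
        return True, "accepted (permanent policy, IDs match)"
    # First successful publish: capture the IDs and lock the policy.
    policy.repo_id = claims["repository_id"]
    policy.owner_id = claims["repository_owner_id"]
    return True, "accepted; IDs pinned, policy now active indefinitely"


def run_scenario() -> list[tuple[bool, str]]:
    """Walk the lifecycle on constructed claims; returns (accepted, reason) per step."""
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    policy = Policy(owner="contoso", repo="my-sdk", window_started_at=t0)
    # Constructed claims for the original repo (all values made up).
    original = {"repository": "contoso/my-sdk", "repository_id": "123456",
                "repository_owner": "contoso", "repository_owner_id": "9876"}
    wrong_name = dict(original, repository="contoso/other-sdk")
    # Same name after delete-and-recreate: GitHub assigns a new repository_id.
    resurrected = dict(original, repository_id="999999")

    steps = []
    # Day 1: window is active, but a different repository under the same owner.
    steps.append(evaluate_publish(policy, wrong_name, t0 + timedelta(days=1)))
    # Day 8: no publish happened, so the temporary policy has gone inactive.
    steps.append(evaluate_publish(policy, original, t0 + timedelta(days=8)))
    # Owner restarts the window from the UI, then publishes on day 9: IDs pinned.
    policy.restart_window(t0 + timedelta(days=8))
    steps.append(evaluate_publish(policy, original, t0 + timedelta(days=9)))
    # Day 400: far past any 7-day window, but the policy is permanent now.
    steps.append(evaluate_publish(policy, original, t0 + timedelta(days=400)))
    # Day 400: the recreated repo carries the right name but the wrong ID.
    steps.append(evaluate_publish(policy, resurrected, t0 + timedelta(days=400)))
    return steps


if __name__ == "__main__":
    for accepted, reason in run_scenario():
        print("ACCEPT" if accepted else "REJECT", reason)
```

The point the model makes visible is why the 7-day cap matters: until the IDs are pinned, the only binding is the repository name, so an unpinned policy is exactly the state a resurrection attack can exploit, and letting it sit active indefinitely would leave that window open.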
Learn Build status updates of commit 4242d16: ✅ Validation status: passed
For more details, please refer to the build report.
Adding doc for Trusted Publishing feature