From a09a450b0fad61c3f5c7383fc65c5b6d1266894a Mon Sep 17 00:00:00 2001
From: Ikiru Yoshizaki <3856350+guitarrapc@users.noreply.github.com>
Date: Wed, 20 May 2026 16:12:26 +0900
Subject: [PATCH 1/6] ci: use OIDC for NuGet package push authentication

This updates the build-release workflow to leverage OpenID Connect (OIDC) for authenticating with NuGet.org. The package push operation is now performed directly within the build job, replacing static API key usage with ephemeral credentials for enhanced security.
---
 .github/workflows/build-release.yaml | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/build-release.yaml b/.github/workflows/build-release.yaml
index 94d8d7e..4851769 100644
--- a/.github/workflows/build-release.yaml
+++ b/.github/workflows/build-release.yaml
@@ -45,6 +45,16 @@ jobs:
 name: nuget
 path: ./publish/
 retention-days: 1
+ # push nuget
+ - name: NuGet login (OIDC)
+ uses: NuGet/login@8d196754b4036150537f80ac539e15c2f1028841 # v1.2.0
+ id: login
+ with:
+ user: ${{ secrets.NUGET_USER }}
+ - run: dotnet nuget push "./publish/*.nupkg" --skip-duplicate -s https://api.nuget.org/v3/index.json -k "${NUGET_KEY}"
+ if: ${{ !inputs.dry-run }}
+ env:
+ NUGET_KEY: ${{ steps.login.outputs.NUGET_API_KEY }}
 
 build-unity:
 needs: [update-packagejson]
@@ -107,7 +117,7 @@ jobs:
 commit-id: ${{ needs.update-packagejson.outputs.sha }}
 dry-run: ${{ inputs.dry-run }}
 tag: ${{ inputs.tag }}
- nuget-push: true
+ nuget-push: false
 release-upload: true
 release-asset-path: ./UniTask.${{ inputs.tag }}.unitypackage/UniTask.${{ inputs.tag }}.unitypackage
 secrets: inherit

From 19b01fe8d6ec831eedabc3706582f70b6eeeb7b6 Mon Sep 17 00:00:00 2001
From: Ikiru Yoshizaki <3856350+guitarrapc@users.noreply.github.com>
Date: Wed, 20 May 2026 16:48:40 +0900
Subject: [PATCH 2/6] ci: id-token permission

---
 .github/workflows/build-release.yaml | 1 +
 1 file changed, 1 insertion(+)
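Review bot: The `NuGet login (OIDC)` step added in the first hunk is unconditional, so a dry-run still exchanges the job's OIDC token for a short-lived NuGet API key that the guarded push step never uses; only the `dotnet nuget push` step carries `if: ${{ !inputs.dry-run }}`. Gating the login the same way, `if: ${{ !inputs.dry-run }}` on the login step, keeps dry runs from minting credentials at all and keeps the Trusted Publishing audit trail limited to real pushes. The same pair of steps is re-created in patch 6's new `publish` job (`@@ -107,9 +96,32 @@`), where the same gate applies, or the whole `publish` job could carry the condition. Passing the key through the `env` block rather than a `${{ }}` expression inside `run:` is the right shape; whether the login action masks `NUGET_API_KEY` in step logs is not visible here and is worth confirming.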
diff --git a/.github/workflows/build-release.yaml b/.github/workflows/build-release.yaml
index 4851769..cab7087 100644
--- a/.github/workflows/build-release.yaml
+++ b/.github/workflows/build-release.yaml
@@ -27,6 +27,7 @@ jobs:
 needs: [update-packagejson]
 permissions:
 contents: read
+ id-token: write # required for NuGet Trusted Publish
 runs-on: ubuntu-24.04
 timeout-minutes: 10
 steps:

From a18e8e38daeb9f9d57bfccb1172153f5133e1092 Mon Sep 17 00:00:00 2001
From: Ikiru Yoshizaki <3856350+guitarrapc@users.noreply.github.com>
Date: Wed, 20 May 2026 18:06:57 +0900
Subject: [PATCH 3/6] ci: handle SymbolPackageFormat on build

---
 .github/workflows/build-debug.yaml | 2 +-
 .github/workflows/build-release.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build-debug.yaml b/.github/workflows/build-debug.yaml
index 0422c13..93d934a 100644
--- a/.github/workflows/build-debug.yaml
+++ b/.github/workflows/build-debug.yaml
@@ -19,7 +19,7 @@ jobs:
 - uses: Cysharp/Actions/.github/actions/setup-dotnet@main
 - run: dotnet build -c Release
 - run: dotnet test -c Release
- - run: dotnet pack -c Release --no-build -p:IncludeSymbols=true -o $GITHUB_WORKSPACE/artifacts
+ - run: dotnet pack -c Release --no-build -p:IncludeSymbols=true -p:SymbolPackageFormat=snupkg -o $GITHUB_WORKSPACE/artifacts
 
 build-unity:
 if: ${{ ((github.event_name == 'push' && github.repository_owner == 'Cysharp') || startsWith(github.event.pull_request.head.label, 'Cysharp:')) && github.triggering_actor != 'dependabot[bot]' }}
diff --git a/.github/workflows/build-release.yaml b/.github/workflows/build-release.yaml
index cab7087..a3064fe 100644
--- a/.github/workflows/build-release.yaml
+++ b/.github/workflows/build-release.yaml
@@ -39,7 +39,7 @@ jobs:
 # build and pack
 - run: dotnet build -c Release -p:Version=${{ inputs.tag }}
 - run: dotnet test -c Release --no-build
- - run: dotnet pack ./src/UniTask.NetCore/UniTask.NetCore.csproj -c Release --no-build -p:Version=${{ inputs.tag }} -o ./publish
+ - run: dotnet pack ./src/UniTask.NetCore/UniTask.NetCore.csproj -c Release --no-build -p:Version=${{ inputs.tag }} -p:IncludeSymbols=true -p:SymbolPackageFormat=snupkg -o ./publish
 # Store artifacts.
 - uses: Cysharp/Actions/.github/actions/upload-artifact@main
 with:

From 37251f09d49c57a8c56c1df398e05d7ed82b1d22 Mon Sep 17 00:00:00 2001
From: Ikiru Yoshizaki <3856350+guitarrapc@users.noreply.github.com>
Date: Wed, 20 May 2026 18:22:01 +0900
Subject: [PATCH 4/6] ci: publish symbol files

---
 .github/workflows/build-release.yaml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/build-release.yaml b/.github/workflows/build-release.yaml
index a3064fe..37b9680 100644
--- a/.github/workflows/build-release.yaml
+++ b/.github/workflows/build-release.yaml
@@ -56,6 +56,10 @@ jobs:
 if: ${{ !inputs.dry-run }}
 env:
 NUGET_KEY: ${{ steps.login.outputs.NUGET_API_KEY }}
+ - run: dotnet nuget push "./publish/*.snupkg" --skip-duplicate -s https://api.nuget.org/v3/index.json -k "${NUGET_KEY}"
+ if: ${{ !inputs.dry-run }}
+ env:
+ NUGET_KEY: ${{ steps.login.outputs.NUGET_API_KEY }}
 
 build-unity:
 needs: [update-packagejson]

From 4cfac5c9d265df5fc575727d617890ee05b1d95d Mon Sep 17 00:00:00 2001
From: Ikiru Yoshizaki <3856350+guitarrapc@users.noreply.github.com>
Date: Wed, 20 May 2026 18:59:38 +0900
Subject: [PATCH 5/6] ci: fix symbol generation options 61d8d3

---
 .github/workflows/build-debug.yaml | 2 +-
 .github/workflows/build-release.yaml | 8 ++------
 2 files changed, 3 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/build-debug.yaml b/.github/workflows/build-debug.yaml
index 93d934a..0422c13 100644
--- a/.github/workflows/build-debug.yaml
+++ b/.github/workflows/build-debug.yaml
@@ -19,7 +19,7 @@ jobs:
 - uses: Cysharp/Actions/.github/actions/setup-dotnet@main
 - run: dotnet build -c Release
 - run: dotnet test -c Release
- - run: dotnet pack -c Release --no-build -p:IncludeSymbols=true -p:SymbolPackageFormat=snupkg -o $GITHUB_WORKSPACE/artifacts
+ - run: dotnet pack -c Release --no-build -p:IncludeSymbols=true -o $GITHUB_WORKSPACE/artifacts
 
 build-unity:
 if: ${{ ((github.event_name == 'push' && github.repository_owner == 'Cysharp') || startsWith(github.event.pull_request.head.label, 'Cysharp:')) && github.triggering_actor != 'dependabot[bot]' }}
diff --git a/.github/workflows/build-release.yaml b/.github/workflows/build-release.yaml
index 37b9680..4a226e7 100644
--- a/.github/workflows/build-release.yaml
+++ b/.github/workflows/build-release.yaml
@@ -36,10 +36,10 @@ jobs:
 with:
 ref: ${{ needs.update-packagejson.outputs.sha }}
 - uses: Cysharp/Actions/.github/actions/setup-dotnet@main
- # build and pack
+ # build and pack nuget (.nupkg and .symbols.nupkg will be created)
 - run: dotnet build -c Release -p:Version=${{ inputs.tag }}
 - run: dotnet test -c Release --no-build
- - run: dotnet pack ./src/UniTask.NetCore/UniTask.NetCore.csproj -c Release --no-build -p:Version=${{ inputs.tag }} -p:IncludeSymbols=true -p:SymbolPackageFormat=snupkg -o ./publish
+ - run: dotnet pack ./src/UniTask.NetCore/UniTask.NetCore.csproj -c Release --no-build -p:Version=${{ inputs.tag }} -p:IncludeSymbols=true -o ./publish
 # Store artifacts.
 - uses: Cysharp/Actions/.github/actions/upload-artifact@main
 with:
@@ -56,10 +56,6 @@ jobs:
 if: ${{ !inputs.dry-run }}
 env:
 NUGET_KEY: ${{ steps.login.outputs.NUGET_API_KEY }}
- - run: dotnet nuget push "./publish/*.snupkg" --skip-duplicate -s https://api.nuget.org/v3/index.json -k "${NUGET_KEY}"
- if: ${{ !inputs.dry-run }}
- env:
- NUGET_KEY: ${{ steps.login.outputs.NUGET_API_KEY }}
 
 build-unity:
 needs: [update-packagejson]

From b0d26bebea48a861a1449cdf169a90e1e80d1ef3 Mon Sep 17 00:00:00 2001
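Review bot: After this revert the release job packs with `-p:IncludeSymbols=true` alone, which the new comment in the `@@ -36,10 +36,10 @@` hunk says produces a `.symbols.nupkg` next to the `.nupkg`, while the push step that survives just above the `@@ -56,10 +56,6 @@` hunk still runs `dotnet nuget push "./publish/*.nupkg"`, a glob that also matches `*.symbols.nupkg`. Whether the client treats the matched symbols package as the companion of the primary package or submits it as a package of its own is not something this diff shows; it is worth confirming against the client's behaviour, or narrowing the glob, so the legacy symbols package is neither pushed twice nor rejected. The same glob reappears in patch 6's `publish` job as `./nuget/*.nupkg`.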
From: Ikiru Yoshizaki <3856350+guitarrapc@users.noreply.github.com>
Date: Wed, 20 May 2026 19:38:57 +0900
Subject: [PATCH 6/6] ci: add dedicated publish job gated on build and build-unity

---
 .github/workflows/build-release.yaml | 38 ++++++++++++++++++----------
 1 file changed, 25 insertions(+), 13 deletions(-)

diff --git a/.github/workflows/build-release.yaml b/.github/workflows/build-release.yaml
index 4a226e7..74b6995 100644
--- a/.github/workflows/build-release.yaml
+++ b/.github/workflows/build-release.yaml
@@ -27,7 +27,6 @@ jobs:
 needs: [update-packagejson]
 permissions:
 contents: read
- id-token: write # required for NuGet Trusted Publish
 runs-on: ubuntu-24.04
 timeout-minutes: 10
 steps:
@@ -46,16 +45,6 @@ jobs:
 name: nuget
 path: ./publish/
 retention-days: 1
- # push nuget
- - name: NuGet login (OIDC)
- uses: NuGet/login@8d196754b4036150537f80ac539e15c2f1028841 # v1.2.0
- id: login
- with:
- user: ${{ secrets.NUGET_USER }}
- - run: dotnet nuget push "./publish/*.nupkg" --skip-duplicate -s https://api.nuget.org/v3/index.json -k "${NUGET_KEY}"
- if: ${{ !inputs.dry-run }}
- env:
- NUGET_KEY: ${{ steps.login.outputs.NUGET_API_KEY }}
 
 build-unity:
 needs: [update-packagejson]
@@ -107,9 +96,32 @@ jobs:
 path: ./src/UniTask/UniTask.${{ inputs.tag }}.unitypackage
 retention-days: 1
 
+ # publish
+ publish:
+ name: "Publish NuGet packages"
+ needs: [build-dotnet, build-unity]
+ permissions:
+ contents: read
+ id-token: write # required for NuGet Trusted Publish
+ runs-on: ubuntu-24.04
+ timeout-minutes: 10
+ steps:
+ - uses: Cysharp/Actions/.github/actions/setup-dotnet@main
+ - uses: Cysharp/Actions/.github/actions/download-artifact@main
+ # push nuget
+ - name: NuGet login (OIDC)
+ uses: NuGet/login@8d196754b4036150537f80ac539e15c2f1028841 # v1.2.0
+ id: login
+ with:
+ user: ${{ secrets.NUGET_USER }}
+ - run: dotnet nuget push "./nuget/*.nupkg" --skip-duplicate -s https://api.nuget.org/v3/index.json -k "${NUGET_KEY}"
+ if: ${{ !inputs.dry-run }}
+ env:
+ NUGET_KEY: ${{ steps.login.outputs.NUGET_API_KEY }}
+
 # release
 create-release:
- needs: [update-packagejson, build-dotnet, build-unity]
+ needs: [update-packagejson, publish]
 permissions:
 contents: write
 id-token: write # required for NuGet Trusted Publish
@@ -125,7 +137,7 @@ jobs:
 
 cleanup:
 if: ${{ needs.update-packagejson.outputs.is-branch-created == 'true' }}
- needs: [update-packagejson, build-dotnet, build-unity]
+ needs: [update-packagejson, create-release]
 permissions:
 contents: write
 uses: Cysharp/Actions/.github/workflows/clean-packagejson-branch.yaml@main
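Review bot: `create-release` keeps `id-token: write # required for NuGet Trusted Publish` (the last context line of the `@@ -107,9 +96,32 @@` hunk) even though this commit moves the NuGet Trusted Publish login into the new `publish` job and patch 1 already set `nuget-push: false` on the reusable release workflow. If nothing else in the reusable workflow that `create-release` calls needs an OIDC token, that permission and its comment are now stale and should be removed so the release job keeps the minimum grant; if the reusable workflow still needs it for another purpose, the comment should name that purpose instead. Within the `publish` job, `NuGet/login` is pinned to a full commit SHA while `setup-dotnet@main` and `download-artifact@main` on the two preceding steps float on a branch; since this is the job that holds the OIDC grant and the minted API key, pinning those two the same way would be consistent. `download-artifact@main` is called with no `with:`, so the assumption that it places the `nuget` artifact at `./nuget/` for the push glob is inferred from the artifact name rather than shown here.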