nuget-trusted-publishing

# NuGet Trusted Publishing Setup Set up [NuGet trusted publishing](https://learn.microsoft.com/en-us/nuget/nuget-org/trusted-publishing) on a GitHub Actions repo. Replaces long-lived API keys with OIDC-based short-lived tokens — no secrets to rotate or leak. ## Prerequisites - **GitHub Actions** — this skill covers GitHub Actions setup only - **nuget.org account** — the user needs access to create trusted publishing policies ## When to Use This Skill Use this skill when: - Setting up trusted publishing for a NuGet package - Migrating from `secrets.NUGET_API_KEY` to OIDC-based publishing - Asked about keyless or secure NuGet publishing - Creating a new NuGet publish workflow from scratch - Asked to "remove NuGet API key" or "use NuGet/login" - Setting up publishing for a dotnet tool, MCP server, or template package - Asked about `NuGet/login@v1` or `id-token: write` ## Safety Rules > ⚠️ **Bail-out rule**: If any phase fails after one fix attempt on an infrastructure/auth issue, stop and ask the user. Don't loop on environment problems. > ⚠️ **Never delete or overwrite without confirmation**: Removing API key secrets, deleting tags/releases, removing workflow steps, or changing package IDs. NuGet package IDs are permanent — mistakes can't be undone. ## Process > **Fast-path for greenfield repos**: When the user has a simple setup (one packable project, no existing publish workflow), don't gate on multi-turn assessment. Combine phases: create the workflow immediately, ...