NuGet.org Publishing Setup Guide
This guide walks you through setting up automatic NuGet package publishing for Sorcha.Cryptography.
Prerequisites
- A NuGet.org account
- Admin access to the GitHub repository
- The library must build and pass all tests
Step 1: Create a NuGet.org Account
- Go to https://www.nuget.org
- Click Sign in or Register in the top right
- Create an account or sign in with an existing Microsoft account
Step 2: Generate a NuGet API Key
Sign in to NuGet.org
Click your username in the top right and select API Keys
Click Create to generate a new API key
Configure the API key:
- Key Name:
Sorcha.Cryptography GitHub Actions(or any descriptive name) - Expiration: Choose an appropriate expiration (recommended: 365 days)
- Select Scopes: Choose Push and Push new packages and package versions
- Select Packages:
- Choose Glob Pattern
- Enter:
Sorcha.Cryptography
- Click Create
- Key Name:
IMPORTANT: Copy the API key immediately and store it securely. You won't be able to see it again!
Step 3: Add API Key to GitHub Secrets
- Go to your GitHub repository:
https://github.com/sorcha-platform/sorcha - Click Settings (you need admin access)
- In the left sidebar, expand Secrets and variables and click Actions
- Click New repository secret
- Configure the secret:
- Name:
NUGET_API_KEY - Secret: Paste the API key you copied from NuGet.org
- Name:
- Click Add secret
Step 4: Create GitHub Environment (Optional but Recommended)
This adds an extra layer of protection by requiring approval before publishing.
- In your repository settings, click Environments in the left sidebar
- Click New environment
- Name it:
nuget-production - Configure protection rules (optional):
- Required reviewers: Add team members who should approve releases
- Wait timer: Add a delay before deployment (e.g., 5 minutes)
- Deployment branches: Restrict to
mainormasterbranch only
- Click Save protection rules
Step 5: Verify the Workflow File
The workflow file has been created at .github/workflows/cryptography-nuget.yml.
It will trigger when:
- Code is pushed to
mainormasterbranch - Changes are made to files in
src/Common/Sorcha.Cryptography/ortests/Sorcha.Cryptography.Tests/ - Pull requests are created (build and test only, no publish)
- Manually triggered via GitHub Actions UI
Step 6: Update Package Version
Before publishing, ensure the version in src/Common/Sorcha.Cryptography/Sorcha.Cryptography.csproj is correct:
<Version>2.0.0</Version>Follow Semantic Versioning:
- Major (x.0.0): Breaking changes
- Minor (0.x.0): New features, backwards compatible
- Patch (0.0.x): Bug fixes, backwards compatible
Step 7: Test the Pipeline
Test Build and Test (without publishing)
Create a new branch:
bashgit checkout -b test-nuget-pipelineMake a small change to the Sorcha.Cryptography project (e.g., update a comment)
Commit and push:
bashgit add . git commit -m "test: Verify NuGet pipeline configuration" git push origin test-nuget-pipelineCreate a Pull Request on GitHub
The workflow should run build and test jobs (but NOT publish)
Test Publishing (to NuGet.org)
WARNING: This will publish a real package to NuGet.org!
- Ensure the version number is what you want to publish
- Merge the PR to
mainormasterbranch - The workflow will run and publish to NuGet.org if tests pass
- Check the Actions tab in GitHub to monitor progress
- After 5-10 minutes, verify the package appears at:
Step 8: Install and Use the Package
Once published, users can install it:
dotnet add package Sorcha.CryptographyOr in a .csproj file:
<PackageReference Include="Sorcha.Cryptography" Version="2.0.0" />Workflow Features
The pipeline includes:
🔨 Build & Test
- Builds for .NET 10.0
- Runs all unit tests
- Generates code coverage reports
- Adds coverage summary to pull requests
📦 Packaging
- Creates NuGet package with proper metadata
- Includes XML documentation
- Generates symbol package (.snupkg) for debugging
- Includes Source Link for debugging into source code
🚀 Publishing
- Publishes to NuGet.org automatically on main branch
- Skips if version already exists (--skip-duplicate)
- Creates GitHub release with package files
- Uses protected environment for safety
Troubleshooting
"Package already exists" Error
If you see this error, it means the version number in the .csproj file has already been published. To fix:
- Update the version number in
Sorcha.Cryptography.csproj - Commit and push the change
- The pipeline will publish the new version
"Unauthorized" or "403 Forbidden" Error
This means the API key is invalid or doesn't have the right permissions:
- Verify the
NUGET_API_KEYsecret is set correctly in GitHub - Check that the API key hasn't expired on NuGet.org
- Ensure the API key has "Push" permissions for the
Sorcha.Cryptographypackage
Pipeline Not Triggering
The pipeline only triggers when files in these paths change:
src/Common/Sorcha.Cryptography/**tests/Sorcha.Cryptography.Tests/**.github/workflows/cryptography-nuget.yml
If you need to trigger it manually:
- Go to Actions tab in GitHub
- Select "Sorcha.Cryptography NuGet Package" workflow
- Click "Run workflow"
Best Practices
- Version Management: Always update the version number before merging to main
- Testing: Ensure all tests pass locally before pushing
- Documentation: Keep XML comments up to date
- Changelog: Consider maintaining a CHANGELOG.md for the library
- API Key Security: Rotate API keys regularly (at least annually)
- Review Process: Use the GitHub environment protection to require approval for releases
Security Considerations
- ✅ API key is stored as a GitHub secret (encrypted)
- ✅ API key is scoped to only this package
- ✅ Pipeline only runs on protected branches (main/master)
- ✅ Optional environment protection requires manual approval
- ✅ Source Link allows transparency into source code
Next Steps
After setup is complete:
- ☐ Test the pipeline with a PR
- ☐ Publish the first version to NuGet.org
- ☐ Add a badge to README.md showing the NuGet version
- ☐ Set up API key expiration reminders
- ☐ Document the package usage in the main README