From 0f64ea7a90cd65bf4b4640a0d1b796f817e26a37 Mon Sep 17 00:00:00 2001 From: Fatorin Date: Sat, 11 Jul 2026 19:15:42 +0800 Subject: [PATCH 1/6] fix(ci): add logs to debug NuGet login failures --- .github/workflows/release_dotnet.yml | 59 ++++++++++++++++++++++++---- 1 file changed, 52 insertions(+), 7 deletions(-) diff --git a/.github/workflows/release_dotnet.yml b/.github/workflows/release_dotnet.yml index b84ebaef5724..078fb43744da 100644 --- a/.github/workflows/release_dotnet.yml +++ b/.github/workflows/release_dotnet.yml @@ -40,6 +40,7 @@ on: - none - preview - rc + - login-test concurrency: group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name }} @@ -175,7 +176,7 @@ jobs: publish: name: Publish - if: ${{ (github.event_name == 'workflow_dispatch' && inputs.release_type != 'none') || (startsWith(github.ref, 'refs/tags/v') && !contains(github.ref, '-')) }} + if: ${{ (github.event_name == 'workflow_dispatch' && (inputs.release_type == 'login-test' || inputs.release_type != 'none')) || (startsWith(github.ref, 'refs/tags/v') && !contains(github.ref, '-')) }} runs-on: ubuntu-latest needs: - package @@ -201,22 +202,66 @@ jobs: env: NUGET_USERNAME: Apache.OpenDAL run: | - oidc_token="$(curl -fsSL \ + set -euo pipefail + + echo "Workflow event: ${GITHUB_EVENT_NAME}" + echo "Ref: ${GITHUB_REF}" + echo "Release type input: ${{ inputs.release_type }}" + + if [[ -z "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" || -z "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ]]; then + echo "::error::ACTIONS_ID_TOKEN_REQUEST_URL or ACTIONS_ID_TOKEN_REQUEST_TOKEN is empty" + exit 1 + fi + + echo "Requesting GitHub OIDC token from GitHub" + oidc_response="$(curl -sS -w '\n%{http_code}' \ -H "Authorization: Bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" \ - "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=https%3A%2F%2Fwww.nuget.org" \ - | python3 -c 'import json, sys; print(json.load(sys.stdin)["value"])')" + "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=https%3A%2F%2Fwww.nuget.org")" + oidc_http_code="$(tail -n1 <<<"${oidc_response}")" + oidc_body="$(sed '$d' <<<"${oidc_response}")" + + if [[ "${oidc_http_code}" != "200" ]]; then + echo "OIDC HTTP status: ${oidc_http_code}" + echo "OIDC response body:" + echo "${oidc_body}" + echo "::error::Failed to obtain an OIDC token from GitHub" + exit 1 + fi + + oidc_token="$(python3 -c 'import json, sys; data=json.load(sys.stdin); print(data["value"])' <<<"${oidc_body}")" echo "::add-mask::${oidc_token}" request_body="$(python3 -c 'import json, os; print(json.dumps({"username": os.environ["NUGET_USERNAME"], "tokenType": "ApiKey"}))')" - api_key="$(curl -fsSL \ + + login_response="$(curl -sS -w '\n%{http_code}' \ -X POST https://www.nuget.org/api/v2/token \ -H "Content-Type: application/json" \ -H "Authorization: Bearer ${oidc_token}" \ -H "User-Agent: apache-opendal-release" \ - --data "${request_body}" \ - | python3 -c 'import json, sys; print(json.load(sys.stdin)["apiKey"])')" + --data "${request_body}")" + login_http_code="$(tail -n1 <<<"${login_response}")" + login_body="$(sed '$d' <<<"${login_response}")" + echo "NuGet login HTTP status: ${login_http_code}" + + if [[ "${login_http_code}" != "200" ]]; then + echo "NuGet login response body:" + echo "${login_body}" + echo "::error::NuGet login failed" + exit 1 + fi + + api_key="$(python3 -c 'import json, sys; data=json.load(sys.stdin); print(data["apiKey"])' <<<"${login_body}")" echo "::add-mask::${api_key}" echo "NUGET_API_KEY=${api_key}" >> "${GITHUB_OUTPUT}" + if [[ "${{ inputs.release_type }}" == "login-test" ]]; then + echo "Login test completed successfully." + fi + + - name: Skip publish for login test + if: ${{ inputs.release_type == 'login-test' }} + run: echo "Login test requested; skipping NuGet publish." + - name: Publish package + if: ${{ inputs.release_type != 'login-test' }} run: dotnet nuget push bindings/dotnet/artifacts/package/*.nupkg --api-key "${{ steps.login.outputs.NUGET_API_KEY }}" --source https://api.nuget.org/v3/index.json --skip-duplicate From ffe2c96fba143a67e26ddc54239feed659a8d01e Mon Sep 17 00:00:00 2001 From: Fatorin Date: Sat, 11 Jul 2026 19:23:42 +0800 Subject: [PATCH 2/6] fix(ci): add NuGet login check on pull requests --- .github/workflows/release_dotnet.yml | 74 ++++++++++++++++++---------- 1 file changed, 47 insertions(+), 27 deletions(-) diff --git a/.github/workflows/release_dotnet.yml b/.github/workflows/release_dotnet.yml index 078fb43744da..397c8814a106 100644 --- a/.github/workflows/release_dotnet.yml +++ b/.github/workflows/release_dotnet.yml @@ -40,7 +40,6 @@ on: - none - preview - rc - - login-test concurrency: group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name }} @@ -174,30 +173,16 @@ jobs: path: bindings/dotnet/artifacts/package/*.nupkg if-no-files-found: error - publish: - name: Publish - if: ${{ (github.event_name == 'workflow_dispatch' && (inputs.release_type == 'login-test' || inputs.release_type != 'none')) || (startsWith(github.ref, 'refs/tags/v') && !contains(github.ref, '-')) }} + pr-login-check: + name: PR Login Check + if: ${{ github.event_name == 'pull_request' }} runs-on: ubuntu-latest - needs: - - package permissions: contents: read id-token: write steps: - - name: Setup dotnet toolchain - uses: actions/setup-dotnet@v5 - with: - dotnet-version: "10.0.x" - - - name: Download NuGet package - uses: actions/download-artifact@v8 - with: - name: dotnet-package - path: bindings/dotnet/artifacts/package - - name: NuGet login - id: login shell: bash env: NUGET_USERNAME: Apache.OpenDAL @@ -206,7 +191,6 @@ jobs: echo "Workflow event: ${GITHUB_EVENT_NAME}" echo "Ref: ${GITHUB_REF}" - echo "Release type input: ${{ inputs.release_type }}" if [[ -z "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" || -z "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ]]; then echo "::error::ACTIONS_ID_TOKEN_REQUEST_URL or ACTIONS_ID_TOKEN_REQUEST_TOKEN is empty" @@ -252,16 +236,52 @@ jobs: api_key="$(python3 -c 'import json, sys; data=json.load(sys.stdin); print(data["apiKey"])' <<<"${login_body}")" echo "::add-mask::${api_key}" - echo "NUGET_API_KEY=${api_key}" >> "${GITHUB_OUTPUT}" + echo "PR login check completed successfully." - if [[ "${{ inputs.release_type }}" == "login-test" ]]; then - echo "Login test completed successfully." - fi + publish: + name: Publish + if: ${{ (github.event_name == 'workflow_dispatch' && inputs.release_type != 'none') || (startsWith(github.ref, 'refs/tags/v') && !contains(github.ref, '-')) }} + runs-on: ubuntu-latest + needs: + - package + permissions: + contents: read + id-token: write + + steps: + - name: Setup dotnet toolchain + uses: actions/setup-dotnet@v5 + with: + dotnet-version: "10.0.x" + + - name: Download NuGet package + uses: actions/download-artifact@v8 + with: + name: dotnet-package + path: bindings/dotnet/artifacts/package - - name: Skip publish for login test - if: ${{ inputs.release_type == 'login-test' }} - run: echo "Login test requested; skipping NuGet publish." + - name: NuGet login + id: login + shell: bash + env: + NUGET_USERNAME: Apache.OpenDAL + run: | + oidc_token="$(curl -fsSL \ + -H "Authorization: Bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" \ + "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=https%3A%2F%2Fwww.nuget.org" \ + | python3 -c 'import json, sys; print(json.load(sys.stdin)["value"])')" + echo "::add-mask::${oidc_token}" + + request_body="$(python3 -c 'import json, os; print(json.dumps({"username": os.environ["NUGET_USERNAME"], "tokenType": "ApiKey"}))')" + api_key="$(curl -fsSL \ + -X POST https://www.nuget.org/api/v2/token \ + -H "Content-Type: application/json" \ + -H "Authorization: Bearer ${oidc_token}" \ + -H "User-Agent: apache-opendal-release" \ + --data "${request_body}" \ + | python3 -c 'import json, sys; print(json.load(sys.stdin)["apiKey"])')" + echo "::add-mask::${api_key}" + echo "NUGET_API_KEY=${api_key}" >> "${GITHUB_OUTPUT}" - name: Publish package - if: ${{ inputs.release_type != 'login-test' }} run: dotnet nuget push bindings/dotnet/artifacts/package/*.nupkg --api-key "${{ steps.login.outputs.NUGET_API_KEY }}" --source https://api.nuget.org/v3/index.json --skip-duplicate From 94d1c2f82f7690d83cc92c4e00ca4aabeaa0084c Mon Sep 17 00:00:00 2001 From: Fatorin Date: Sat, 11 Jul 2026 19:31:43 +0800 Subject: [PATCH 3/6] fix(ci): remove pr login check for release dotnet --- .github/workflows/release_dotnet.yml | 65 ---------------------------- 1 file changed, 65 deletions(-) diff --git a/.github/workflows/release_dotnet.yml b/.github/workflows/release_dotnet.yml index 397c8814a106..b84ebaef5724 100644 --- a/.github/workflows/release_dotnet.yml +++ b/.github/workflows/release_dotnet.yml @@ -173,71 +173,6 @@ jobs: path: bindings/dotnet/artifacts/package/*.nupkg if-no-files-found: error - pr-login-check: - name: PR Login Check - if: ${{ github.event_name == 'pull_request' }} - runs-on: ubuntu-latest - permissions: - contents: read - id-token: write - - steps: - - name: NuGet login - shell: bash - env: - NUGET_USERNAME: Apache.OpenDAL - run: | - set -euo pipefail - - echo "Workflow event: ${GITHUB_EVENT_NAME}" - echo "Ref: ${GITHUB_REF}" - - if [[ -z "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" || -z "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ]]; then - echo "::error::ACTIONS_ID_TOKEN_REQUEST_URL or ACTIONS_ID_TOKEN_REQUEST_TOKEN is empty" - exit 1 - fi - - echo "Requesting GitHub OIDC token from GitHub" - oidc_response="$(curl -sS -w '\n%{http_code}' \ - -H "Authorization: Bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" \ - "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=https%3A%2F%2Fwww.nuget.org")" - oidc_http_code="$(tail -n1 <<<"${oidc_response}")" - oidc_body="$(sed '$d' <<<"${oidc_response}")" - - if [[ "${oidc_http_code}" != "200" ]]; then - echo "OIDC HTTP status: ${oidc_http_code}" - echo "OIDC response body:" - echo "${oidc_body}" - echo "::error::Failed to obtain an OIDC token from GitHub" - exit 1 - fi - - oidc_token="$(python3 -c 'import json, sys; data=json.load(sys.stdin); print(data["value"])' <<<"${oidc_body}")" - echo "::add-mask::${oidc_token}" - - request_body="$(python3 -c 'import json, os; print(json.dumps({"username": os.environ["NUGET_USERNAME"], "tokenType": "ApiKey"}))')" - - login_response="$(curl -sS -w '\n%{http_code}' \ - -X POST https://www.nuget.org/api/v2/token \ - -H "Content-Type: application/json" \ - -H "Authorization: Bearer ${oidc_token}" \ - -H "User-Agent: apache-opendal-release" \ - --data "${request_body}")" - login_http_code="$(tail -n1 <<<"${login_response}")" - login_body="$(sed '$d' <<<"${login_response}")" - echo "NuGet login HTTP status: ${login_http_code}" - - if [[ "${login_http_code}" != "200" ]]; then - echo "NuGet login response body:" - echo "${login_body}" - echo "::error::NuGet login failed" - exit 1 - fi - - api_key="$(python3 -c 'import json, sys; data=json.load(sys.stdin); print(data["apiKey"])' <<<"${login_body}")" - echo "::add-mask::${api_key}" - echo "PR login check completed successfully." - publish: name: Publish if: ${{ (github.event_name == 'workflow_dispatch' && inputs.release_type != 'none') || (startsWith(github.ref, 'refs/tags/v') && !contains(github.ref, '-')) }} From bf8787d2b1ff4567893f253d62124b732029fa1a Mon Sep 17 00:00:00 2001 From: Fatorin Date: Sun, 12 Jul 2026 22:51:10 +0800 Subject: [PATCH 4/6] fix(ci): Use NuGet/login action for dotnet publishing --- .github/workflows/release_dotnet.yml | 25 ++++--------------------- 1 file changed, 4 insertions(+), 21 deletions(-) diff --git a/.github/workflows/release_dotnet.yml b/.github/workflows/release_dotnet.yml index b84ebaef5724..9a49853ee4e4 100644 --- a/.github/workflows/release_dotnet.yml +++ b/.github/workflows/release_dotnet.yml @@ -197,26 +197,9 @@ jobs: - name: NuGet login id: login - shell: bash - env: - NUGET_USERNAME: Apache.OpenDAL - run: | - oidc_token="$(curl -fsSL \ - -H "Authorization: Bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" \ - "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=https%3A%2F%2Fwww.nuget.org" \ - | python3 -c 'import json, sys; print(json.load(sys.stdin)["value"])')" - echo "::add-mask::${oidc_token}" - - request_body="$(python3 -c 'import json, os; print(json.dumps({"username": os.environ["NUGET_USERNAME"], "tokenType": "ApiKey"}))')" - api_key="$(curl -fsSL \ - -X POST https://www.nuget.org/api/v2/token \ - -H "Content-Type: application/json" \ - -H "Authorization: Bearer ${oidc_token}" \ - -H "User-Agent: apache-opendal-release" \ - --data "${request_body}" \ - | python3 -c 'import json, sys; print(json.load(sys.stdin)["apiKey"])')" - echo "::add-mask::${api_key}" - echo "NUGET_API_KEY=${api_key}" >> "${GITHUB_OUTPUT}" + uses: NuGet/login@v1.2.0 + with: + user: Apache.OpenDAL - name: Publish package - run: dotnet nuget push bindings/dotnet/artifacts/package/*.nupkg --api-key "${{ steps.login.outputs.NUGET_API_KEY }}" --source https://api.nuget.org/v3/index.json --skip-duplicate + run: dotnet nuget push bindings/dotnet/artifacts/package/*.nupkg --api-key "${{ steps.login.outputs.NUGET_API_KEY }}" --source https://api.nuget.org/v3/index.json From 4165523b0d28e92072feb9c2724c534ed772df23 Mon Sep 17 00:00:00 2001 From: Fatorin Date: Sun, 12 Jul 2026 22:53:58 +0800 Subject: [PATCH 5/6] fix(ci): nuget login action use sha instead of version --- .github/workflows/release_dotnet.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release_dotnet.yml b/.github/workflows/release_dotnet.yml index 9a49853ee4e4..5f59eb4cdcfa 100644 --- a/.github/workflows/release_dotnet.yml +++ b/.github/workflows/release_dotnet.yml @@ -197,7 +197,7 @@ jobs: - name: NuGet login id: login - uses: NuGet/login@v1.2.0 + uses: NuGet/login@8d196754b4036150537f80ac539e15c2f1028841 with: user: Apache.OpenDAL From cd45edb1db5c10dfca3a1c3ab855449b2c7428b6 Mon Sep 17 00:00:00 2001 From: Fatorin Date: Mon, 13 Jul 2026 01:30:44 +0800 Subject: [PATCH 6/6] chore(ci): add version comment in nuget login action --- .github/workflows/release_dotnet.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release_dotnet.yml b/.github/workflows/release_dotnet.yml index 5f59eb4cdcfa..46693bca4ae4 100644 --- a/.github/workflows/release_dotnet.yml +++ b/.github/workflows/release_dotnet.yml @@ -197,7 +197,7 @@ jobs: - name: NuGet login id: login - uses: NuGet/login@8d196754b4036150537f80ac539e15c2f1028841 + uses: NuGet/login@8d196754b4036150537f80ac539e15c2f1028841 # v1.2.0 with: user: Apache.OpenDAL