From 42b83898ecfa669cc078537c28042e9c7cd193d0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lukas=20D=C3=BCrrenberger?= Date: Mon, 15 Dec 2025 17:16:17 +0100 Subject: [PATCH] Add note about third-party pull requests for GitHub Actions --- docs/nuget-org/trusted-publishing.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/docs/nuget-org/trusted-publishing.md b/docs/nuget-org/trusted-publishing.md index ca9faff1c..56c153190 100644 --- a/docs/nuget-org/trusted-publishing.md +++ b/docs/nuget-org/trusted-publishing.md @@ -56,7 +56,11 @@ To get started: > This corresponds to your workflow at `.github/workflows/build.yml`. Enter the **file name only** (`build.yml`)—do not include the `.github/workflows/` path. - **Environment (optional):** `release` > Enter environment if your workflow uses e.g. `environment: release` and you want to restrict this policy to that environment. Leave this empty if you do not use GitHub Actions environments. -4. In your **GitHub repo**, update your workflow to request a short‑lived API key and push your package. +4. In your **GitHub repo**, update your workflow to request a short‑lived API key and push your package. + +> [!NOTE] +> While pull requests by third parties will be able to change the workflow file, their requests will be stamped with their owner and repository name IDs and thus won't match the configured trust policy and will be rejected. + Here’s a basic example: ```yaml
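Review bot: In the added `> [!NOTE]` block, "their requests will be stamped with their owner and repository name IDs" does not say which requests or which values are meant. If the intent is that a token request made from a third party's fork carries that fork's owner and repository identifiers, and that the trust policy compares exactly those values, the note should say so in those terms. "Will be able to change the workflow file" would also read more precisely as a change proposed in the pull request, since the sentence is about what happens before anything is merged. The note is placed between step 4 and "Here's a basic example:", so the example no longer directly follows the step it illustrates; putting the note after the YAML example, or indenting it under step 4 as the other quoted remarks in this list are attached to their items, keeps the procedure readable. The step 4 line is also removed and re-added with no visible difference, which looks like a whitespace-only change that can be dropped from the patch.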