From 469572e2470ae0eefc901f83d9c76321914656f4 Mon Sep 17 00:00:00 2001
From: Yogesh Prajapati <yoprajap@microsoft.com>
Date: Fri, 29 May 2026 10:26:00 +0100
Subject: [PATCH] Use NUGET_SIGNING_KEY for NuGet publish signing

---
 .github/workflows/publish-nuget.yml | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/publish-nuget.yml b/.github/workflows/publish-nuget.yml
index 741395af..946842c3 100644
--- a/.github/workflows/publish-nuget.yml
+++ b/.github/workflows/publish-nuget.yml
@@ -20,12 +20,12 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 
       - name: Setup .NET
-        uses: actions/setup-dotnet@v4
+        uses: actions/setup-dotnet@v5
         with:
           dotnet-version: |
             6.0.x
@@ -37,12 +37,17 @@ jobs:
         run: dotnet restore src/RulesEngine/RulesEngine.csproj
 
       - name: Build signed
-        run: >
-          dotnet build src/RulesEngine/RulesEngine.csproj
-          --configuration Release
-          -p:ContinuousIntegrationBuild=true
-          -p:DelaySign=false
-          -p:AssemblyOriginatorKeyFile=../../signing/RulesEngine-publicKey.snk
+        shell: pwsh
+        env:
+          NUGET_SIGNING_KEY: ${{ secrets.NUGET_SIGNING_KEY }}
+        run: |
+          if ([string]::IsNullOrWhiteSpace($env:NUGET_SIGNING_KEY)) {
+            throw "Missing NUGET_SIGNING_KEY secret. The checked-in signing/RulesEngine-publicKey.snk does not include a private key."
+          }
+
+          ./deployment/build-signed.ps1 `
+            -csprojFilePath src/RulesEngine/RulesEngine.csproj `
+            -signingKey $env:NUGET_SIGNING_KEY
 
       - name: Pack
         run: >