Organization Packages Policy couldn't found when using Reusable Workflow

[guitarrapc]

Summary

When executing NuGet/login with a combination of NuGet Organization's package policy & Reusable workflow, it fails with a 401 error and the following message:

Error: Token exchange failed (401): No matching trust policy owned by user '***' was found.

Reproduce step

1. Login to NuGet with Organization's administrator (my-nuget-user)
2. Create Trusted Publishing Policy for Organization Package.

Policy Name: Foo
Package Owner: NuGet Organization Name (Foo-Org)
Repository Owner: GitHub Org Name (Foo-Org)
Repository: SampleRepo
Workflow File: release.yaml

3. Create Reusable workflow at repo Foo-Org/ReusableRepo

name: Build-Release

on:
  workflow_call:

jobs:
  create-release:
    permissions:
      contents: write
      id-token: write # required for NuGet Trusted Publish
    runs-on: ubuntu-24.04
    timeout-minutes: 10
    steps:
      - name: NuGet login (OIDC → temp API key)
        uses: NuGet/login@d22cc5f58ff5b88bf9bd452535b4335137e24544 # v1.1.0
        id: login
        with:
          user: my-nuget-user
      # omit...

3. Create release.yaml in Foo-Org/SampleRepo repository and set following github action with permissions.id-token: write

name: Build-Release

jobs:
  dummy:
    permissions:
      contents: write
      id-token: write # required for NuGet Trusted Publish
    uses: Foo-Org/ReusableRepo/.github/workflows/release.yaml@main

4. Execute Actions, and failed.

Error: Token exchange failed (401): No matching trust policy owned by user '***' was found.

Remarks

If workflow is not reusable workflow, it works without issue.

name: Build-Release

jobs:
  dummy:
    permissions:
      contents: write
      id-token: write # required for NuGet Trusted Publish
    runs-on: ubuntu-24.04
    timeout-minutes: 10
    steps:
    # my-nuget-user has policy for Organization package
    - name: NuGet login
      uses: NuGet/login@d22cc5f58ff5b88bf9bd452535b4335137e24544 # v1.1.0
      id: login
      with:
        user: my-nuget-user

[guitarrapc]

I figure out issue only happen when using reusable workflow. Updated issue body.

[smdn]

I also faced a similar issue.
In my case, it occurred with a combination of a personal NuGet account and a personal GitHub repository.

Therefore, using NuGet/login@v1 in a reusable workflow seems to result an HTTP 401 response, regardless of the account or repository type.

Following are my configurations and error output.

Configurations and reproduction steps

Create reusable workflow

Create reusable workflow on repository smdn/reusable-workflows, with filename .github/workflows/nuget-login.yml

name: NuGet Login (reusable workflow)

permissions:
  id-token: write

on:
  workflow_call:
    secrets:
      username_nuget_org:
        description: 'The username which is used to login to NuGet.org.'
        required: true

jobs:
  nuget-login:
    runs-on: ubuntu-latest
    steps:
    - name: Login to nuget.org
      id: login-nuget-org
      uses: NuGet/login@v1
      with:
        user: ${{ secrets.username_nuget_org }}

Create workflow dispatcher

Create workflow dispatcher on repository smdn/my-project, with filename .github/workflows/run-nuget-login.yml

name: NuGet Login

permissions:
  id-token: write

on:
  workflow_dispatch:

jobs:
  run-nuget-login:
    uses: smdn/reusable-workflows/.github/workflows/nuget-login.yml@v0.0.0
    secrets:
      username_nuget_org: ${{ secrets.USERNAME_NUGET_ORG }}

Configure NuGet.org's Trusted Publishing policy

Package owner: *** (non-organization account)
Publisher: GitHubActions
Repository Owner: smdn
Repository: my-project
Workflow: run-nuget-login.yml

Run workflow

Run workflow run-nuget-login.yml on smdn/my-project.

The execution of this workflow failed, and the following error was output:

Run NuGet/login@v1
  with:
    user: ***
    token-service-url: https://www.nuget.org/api/v2/token
    audience: https://www.nuget.org
  env:
    NUGET_USER: ***
Requesting GitHub OIDC token from: https://run-actions-2-azure-eastus.actions.githubusercontent.com/117//idtoken/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx?api-version=2.0&audience=https%3A%2F%2Fwww.nuget.org
Error: Token exchange failed (401): No matching trust policy owned by user '***' was found.

[smdn]

Another similar case has been reported in issue #9.
In that case, the reusable workflow and the workflow that invokes the reusable workflow are placed in the same repository.

The error message is different, but it seems this issue might also be fixed by the proposed modification in #9.

[ardalis]

It would be nice to have a secure way to use reusable workflows while authenticating with nuget as the repo that's calling the workflow, not the shared workflow repo.