tomtastisch · tomtastisch · Feb 18, 2026 · Feb 18, 2026 · Feb 18, 2026 · Feb 18, 2026
@@ -11,7 +11,6 @@ on:
 permissions:
   contents: write
   packages: write
-  id-token: write
 
 jobs:
   retention:
@@ -29,19 +28,14 @@ jobs:
           dotnet-version: |
             8.0.x
             10.0.102
-      - name: NuGet login (OIDC / Trusted Publishing)
-        uses: NuGet/login@d22cc5f58ff5b88bf9bd452535b4335137e24544 # v1
-        id: nuget_login
-        with:
-          user: Tomtastisch
       - name: Apply retention (GH Releases + NuGet unlist + GH Packages delete)
         env:
           GH_TOKEN: ${{ github.token }}
           REPO: ${{ github.repository }}
           OWNER: ${{ github.repository_owner }}
           PACKAGE_ID: Tomtastisch.FileClassifier
           NUGET_PACKAGE_ID: tomtastisch.fileclassifier
-          NUGET_API_KEY: ${{ steps.nuget_login.outputs.NUGET_API_KEY || secrets.NUGET_API_KEY }}
+          NUGET_API_KEY: ${{ secrets.NUGET_API_KEY }}
           OUT_DIR: artifacts/retention
         run: bash tools/ci/release/retention_apply.sh
       - name: Upload retention artifacts

@@ -29,7 +29,7 @@ der Git-Tag `vX.Y.Z` (optional `-prerelease`) als SSOT.
 - Docs/CI/Tooling:
   - NuGet-Trusted-Publishing-Doku (DE/EN) und Root-README auf den angepassten Gate-4-Ablauf aktualisiert.
   - Commit-Referenz fuer Version 5.2.0 in Versionshistorie (DE/EN) hinzugefuegt.
-  - Retention-Workflow auf OIDC-Key-Fallback (`NuGet/login`) fuer NuGet-Unlist umgestellt.
+  - Retention-Workflow auf Secret-basiertes NuGet-Unlist (`NUGET_API_KEY`) gehaertet; OIDC bleibt auf `release.yml` beschraenkt.
 
 ## [5.1.4]
 - Changed:

@@ -28,7 +28,7 @@ All changes are documented here in technical terms. The release version itself i
 - Docs/CI/Tooling:
   - Updated NuGet trusted-publishing docs (DE/EN) and root README for the adjusted Gate 4 behavior.
   - Added commit reference for version 5.2.0 in version history (DE/EN).
-  - Switched retention workflow to OIDC key fallback (`NuGet/login`) for NuGet unlist operations.
+  - Hardened retention workflow to secret-based NuGet unlist (`NUGET_API_KEY`); OIDC remains scoped to `release.yml`.
 
 ## [5.1.4]
 - Changed:

@@ -67,11 +67,50 @@ mapfile -t RELEASE_ROWS < <(gh api "/repos/${REPO}/releases" --paginate | jq -r
 mapfile -t NUGET_VERSIONS < <(curl -fsSL "https://api.nuget.org/v3-flatcontainer/${NUGET_PACKAGE_ID}/index.json" | jq -r '.versions[]' || true)
 
 # GH packages versions (user endpoint by default; fallback org endpoint)
-PACKAGE_LIST_ENDPOINT="/users/${OWNER}/packages/nuget/${PACKAGE_ID}/versions"
-if ! gh api "${PACKAGE_LIST_ENDPOINT}" >/dev/null 2>&1; then
-  PACKAGE_LIST_ENDPOINT="/orgs/${OWNER}/packages/nuget/${PACKAGE_ID}/versions"
+PACKAGE_ROWS=()
+PACKAGE_LIST_ENDPOINT=""
+fetch_package_rows() {
+  local endpoint="${1}"
+  local out_file err_file rc
+  out_file="$(mktemp)"
+  err_file="$(mktemp)"
+  if gh api "${endpoint}" --paginate --jq '.[] | [.id, .name] | @tsv' >"${out_file}" 2>"${err_file}"; then
+    mapfile -t PACKAGE_ROWS < "${out_file}"
+    rm -f "${out_file}" "${err_file}"
+    PACKAGE_LIST_ENDPOINT="${endpoint}"
+    return 0
+  else
+    rc=$?
+  fi
+  if grep -Eqi '(404|not found)' "${err_file}"; then
+    rm -f "${out_file}" "${err_file}"
+    return 4
+  fi
+  echo "FAIL: gh api failed for package list endpoint ${endpoint} (rc=${rc})" >&2
+  cat "${err_file}" >&2
+  rm -f "${out_file}" "${err_file}"
+  return "${rc}"
+}
+
+if fetch_package_rows "/users/${OWNER}/packages/nuget/${PACKAGE_ID}/versions"; then
+  :
+else
+  rc=$?
+  if [[ "${rc}" -eq 4 ]]; then
+    if fetch_package_rows "/orgs/${OWNER}/packages/nuget/${PACKAGE_ID}/versions"; then
+      :
+    else
+      rc=$?
+      if [[ "${rc}" -eq 4 ]]; then
+        echo "INFO: GH Packages endpoint not found for ${PACKAGE_ID}; skipping GH Packages retention" >&2
+      else
+        exit "${rc}"
+      fi
+    fi
+  else
+    exit "${rc}"
+  fi
 fi
-mapfile -t PACKAGE_ROWS < <(gh api "${PACKAGE_LIST_ENDPOINT}" --paginate | jq -r '.[] | [.id, .name] | @tsv' || true)
 
 {
   echo '{'