Move NUGET_API_KEY from repo secret to nuget-org environment secret

[ChrisonSimtian]

Sibling of milestone #13. RFC #267.

What

Migrate NUGET_API_KEY from a repo-level Actions secret to an environment-scoped secret on the nuget-org GitHub Environment. This is the half of the env split that actually matters: the secret only becomes available to jobs that target environment: nuget-org, which combined with the approval gate means no accidental publishes from non-release workflows.

Acceptance criteria

• NUGET_API_KEY exists as an environment secret on nuget-org.
• NUGET_API_KEY repo secret deleted (or kept as a transitional backup with a documented sunset).
• release.yml's reference to ${{ secrets.NUGET_API_KEY }} continues to work in the job that declares environment: nuget-org.
• No other workflow references this secret (verified via repo-wide grep on workflow files).

Depends on

• Three environments exist (sibling issue).

Blocks

• Refactor release.yml (the workflow needs to declare environment: nuget-org on the publish step).

Risk

• A botched migration leaves the workflow without the secret. Mitigate by doing the env-secret add first, then deleting the repo secret only after the next successful workflow run.

[ChrisonSimtian]

Draft PR #280 prepped — adds environment: nuget-org to the release job so secrets.NUGET_API_KEY resolves from the env-scoped secret. Held as draft until the env secret value is in place (GitHub secrets are write-only, so this step is a manual UI action by Chris).

Your turn (Chris) — adding the secret value

1. Open https://github.com/ChrisonSimtian/Fallout/settings/environments/15956905771/edit (nuget-org env).
2. Scroll to Environment secrets → Add secret.
3. Name: NUGET_API_KEY. Value: existing key from password manager, OR generate a fresh key on nuget.org and use that (rotation hygiene — recommended).
4. Save.
5. Mark ci: declare release job as deploying to nuget-org environment #280 as Ready for review (or ping me; I'll do it).
6. Merge ci: declare release job as deploying to nuget-org environment #280 — workflow now uses the env-scoped secret.
7. Manual verification: Actions → release → Run workflow → approve at the gate → publish succeeds.
8. Delete the repo-scoped NUGET_API_KEY at https://github.com/ChrisonSimtian/Fallout/settings/secrets/actions.
9. Close this issue.

If you want to test the gate without doing a real publish first, run the release workflow but cancel after the approval-gate prompt fires — that proves the env wiring works without burning a release.

[ChrisonSimtian]

Done. PR #280 merged (06:06:33Z). All three halves of #273 landed:

1. ✅ NUGET_API_KEY set as env-scoped secret on nuget-org (done manually by Chris via UI)
2. ✅ Repo-level NUGET_API_KEY secret deleted (also manually)
3. ✅ release.yml declares environment: nuget-org on the release job — ${{ secrets.NUGET_API_KEY }} now resolves from the env scope, and the env's required-reviewer rule (Chris) fires before the job runs

Verification path (optional)

If you want belt-and-braces validation: Actions → release → "Run workflow" on main → expect an approval-gate prompt before any step runs. Cancel at the gate without approving — proves the env wiring works without burning a release.

What's unblocked next

#274 — the big release.yml refactor (tag-triggered + multi-channel fan-out + tag protection ruleset). The largest single piece of milestone #13 still ahead.