ci: use trusted publishing

viceice · viceice · commit 9fdcb16a717a · 2025-11-06T12:50:14.000+01:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -23,6 +23,7 @@ jobs:
     permissions:
       packages: write
       contents: write
+      id-token: write
 
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -49,6 +50,13 @@ jobs:
           name: packages
           path: bin/*.nupkg
 
+          # Get a short-lived NuGet API key
+      - name: NuGet login (OIDC → temp API key)
+        uses: NuGet/login@d22cc5f58ff5b88bf9bd452535b4335137e24544 # v1.1.0
+        id: login
+        with:
+          user: ${{ secrets.NUGET_USER }}
+
       - name: deploy github.com
         run: find bin -name '*.nupkg' | xargs dotnet nuget push -s $NUGET_SOURCE -k $NUGET_KEY --skip-duplicate --force-english-output
         shell: bash
@@ -61,7 +69,7 @@ jobs:
         shell: bash
         env:
           NUGET_SOURCE: https://api.nuget.org/v3/index.json
-          NUGET_KEY: ${{ secrets.NUGET_API_KEY }}
+          NUGET_KEY: ${{ steps.login.outputs.NUGET_API_KEY }}
 
   gh-release:
     needs:
