From 4d53634af6715398d64aab7caccec9a4a052cc0d Mon Sep 17 00:00:00 2001
From: Dion Gionet Mallet
Date: Mon, 17 Nov 2025 16:52:17 -0500
Subject: [PATCH] [DEVOPS-3949] ci(nuget): use Trusted Publishing auth
---
 .github/workflows/release.yml | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 870dbb7..34b1131 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -10,11 +10,13 @@ on:
 description: "Dry Run Mode"
 required: true
 type: boolean
-
+
 jobs:
 deploy:
 runs-on: ubuntu-latest
 environment: publish
+ permissions:
+ id-token: write
 steps:
 - uses: actions/checkout@v4
@@ -40,10 +42,16 @@ jobs:
 - name: Extract Artifacts
 run: 7z x nugets.zip -o./nugets
+ - name: NuGet login (OIDC)
+ id: nuget-login
+ uses: NuGet/login@v1
+ with:
+ user: ${{ secrets.NUGET_BOT_USERNAME }}
+
 - name: Publish NuGet
 if: ${{ inputs.publish_nuget }}
 run: |
- COMMAND="dotnet nuget push ./nugets/Devolutions.XTS.NET.*.nupkg --api-key ${{ secrets.NUGET_API_KEY }} --source https://api.nuget.org/v3/index.json"
+ COMMAND="dotnet nuget push ./nugets/Devolutions.XTS.NET.*.nupkg --api-key ${{ steps.nuget-login.outputs.NUGET_API_KEY }} --source https://api.nuget.org/v3/index.json"
 if [ '${{ inputs.publish_dry_run }}' == 'true' ]; then
 echo "Dry Run : True"
@@ -53,6 +61,6 @@ jobs:
 echo "Running : $COMMAND"
- if [ "${{ inputs.publish_dry_run }}" != "true" ]; then # if not dry run, actually run the command
+ if [ "${{ inputs.publish_dry_run }}" != "true" ]; then
 eval "$COMMAND"
 fi
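Review bot: Declaring `permissions:` on the `deploy` job sets every scope that is not listed to `none`, so with only `id-token: write` the `actions/checkout@v4` step and the steps between it and `Extract Artifacts` (outside this hunk) run without `contents: read` or `actions: read`. If the repository is private, or `nugets.zip` is fetched from another workflow run through the API, those steps will likely fail; list the read scopes they need explicitly, e.g. `contents: read`, next to `id-token: write`. A short comment such as `# id-token: write lets this job request the OIDC token used for NuGet Trusted Publishing` would record why the job is allowed to mint identity tokens. Since `environment: publish` is the gate on which runs reach this job, it is worth confirming that the trusted publishing policy on nuget.org is scoped to that environment as well.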
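Review bot: The temporary key from `steps.nuget-login.outputs.NUGET_API_KEY` is expanded into the text of `COMMAND`, and the unchanged `echo "Running : $COMMAND"` in the next hunk writes that string to the job log. Whether a step output is redacted depends on the action registering it as a masked value, which is not visible here; to avoid relying on that, add `env:` with `NUGET_API_KEY: ${{ steps.nuget-login.outputs.NUGET_API_KEY }}` to the Publish step and write `--api-key \"\$NUGET_API_KEY\"` inside `COMMAND`, so the log shows only the variable name and `eval` does the expansion. The login step also lacks `if: ${{ inputs.publish_nuget }}`, so a key is issued on runs that never publish. `NuGet/login@v1` is a mutable tag on the step that performs the OIDC exchange; pinning it to a full commit SHA would fix which code handles that exchange. The `run:` script continues beyond the end of this hunk.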