From 2553dd3094102eccbeb0568b3102956d1e9366fa Mon Sep 17 00:00:00 2001
From: Dion Gionet Mallet
Date: Mon, 17 Nov 2025 16:51:26 -0500
Subject: [PATCH 1/2] [DEVOPS-3949] ci(nuget): use Trusted Publishing auth
---
 .github/workflows/release.yml | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 708f034be..8d6c64313 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -507,6 +507,8 @@ jobs:
 if: ${{ needs.preflight.outputs.skip-publishing == 'false' || inputs.dry-run }}
 needs: [preflight]
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write
 steps:
 - name: Download jetsocat-nuget artifact
@@ -515,6 +517,12 @@ jobs:
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ - name: NuGet login (OIDC)
+ uses: NuGet/login@v1
+ id: nuget-login
+ with:
+ user: ${{ secrets.NUGET_BOT_USERNAME }}
+
 - name: Publish Jetsocat NuGet package
 run: |
 Set-PSDebug -Trace 1
@@ -528,7 +536,7 @@ jobs:
 'push',
 "$($Package.FullName)",
 '--api-key',
- '${{ secrets.NUGET_API_KEY }}',
+ '${{ steps.nuget-login.outputs.NUGET_API_KEY }}',
 '--source',
 'https://api.nuget.org/v3/index.json',
 '--skip-duplicate'
From 3820dd6960168d9ed5da7ed8c1991778fd5ed401 Mon Sep 17 00:00:00 2001
From: Dion Gionet Mallet
Date: Thu, 20 Nov 2025 13:44:52 -0500
Subject: [PATCH 2/2] [DEVOPS-3949] ci(nuget): use Trusted Publishing auth (publish-libraries)
---
 .github/workflows/publish-libraries.yml | 10 +++++++++-
 .github/workflows/release.yml | 2 +-
 2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/publish-libraries.yml b/.github/workflows/publish-libraries.yml
index ec18b69e2..50271ad80 100644
--- a/.github/workflows/publish-libraries.yml
+++ b/.github/workflows/publish-libraries.yml
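Review bot: The job-level `permissions:` block added in the `@@ -507,6 +507,8 @@` hunk of release.yml lists only `id-token: write`, and once a job declares `permissions`, every scope it does not list is set to `none` for that job's `GITHUB_TOKEN`. The "Download jetsocat-nuget artifact" step in the next hunk still passes `secrets.GITHUB_TOKEN`; its command is outside the diff, so if it fetches the artifact through the API (for instance from another workflow run) it probably needs `actions: read` listed next to `id-token: write`. I would also add a comment such as `# id-token: write lets this job request an OIDC token for NuGet Trusted Publishing; keep it on this job only`. The same block is added to publish-libraries.yml in patch 2/2, where the download step shows no token use.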
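Review bot: `uses: NuGet/login@v1` in the new "NuGet login (OIDC)" step (release.yml, `@@ -515,6 +517,12 @@`) references a mutable tag, in a job that holds `id-token: write` and receives the publish credential, so any change to what the tag points to would run unreviewed code with both. Pin the action to a full commit SHA and keep the version as a trailing comment, `uses: NuGet/login@<full-commit-sha> # v1` (placeholder; take the SHA from the action's release). The same step is added to publish-libraries.yml in patch 2/2 and should be pinned the same way. It is also worth confirming that the Trusted Publishing policy on nuget.org is restricted to this repository and these two workflow files, since that policy is now what gates publishing.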
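Review bot: The short-lived key is still spliced into the script text as `'${{ steps.nuget-login.outputs.NUGET_API_KEY }}'` (release.yml, `@@ -528,7 +536,7 @@`), inside a run block that begins with `Set-PSDebug -Trace 1` (visible in the previous hunk), so the literal value is part of the script being traced. Repository secrets are masked in logs automatically, but a step output is masked only if the action registers it, which cannot be confirmed from this diff. Passing the value through the step environment avoids relying on that: add `NUGET_API_KEY: ${{ steps.nuget-login.outputs.NUGET_API_KEY }}` under an `env:` key on the step and use `$Env:NUGET_API_KEY` in the argument list. The same line is changed in publish-libraries.yml in patch 2/2. The start of the run block and of the argument list lies outside the hunk.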
@@ -140,6 +140,8 @@ jobs:
 if: ${{ needs.preflight.outputs.dry_run == 'false' }}
 needs: [preflight, nuget-merge]
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write
 steps:
 - name: Download NuGet packages artifact
@@ -148,6 +150,12 @@ jobs:
 name: nupkg
 path: nuget-packages
+ - name: NuGet login (OIDC)
+ id: nuget-login
+ uses: NuGet/login@v1
+ with:
+ user: ${{ secrets.NUGET_BOT_USERNAME }}
+
 - name: Publish to nuget.org
 run: |
 Set-PSDebug -Trace 1
@@ -161,7 +169,7 @@ jobs:
 'push',
 "$File",
 '--api-key',
- '${{ secrets.NUGET_API_KEY }}',
+ '${{ steps.nuget-login.outputs.NUGET_API_KEY }}',
 '--source',
 'https://api.nuget.org/v3/index.json',
 '--skip-duplicate'
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 8d6c64313..5c978217e 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -518,8 +518,8 @@ jobs:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 - name: NuGet login (OIDC)
- uses: NuGet/login@v1
 id: nuget-login
+ uses: NuGet/login@v1
 with:
 user: ${{ secrets.NUGET_BOT_USERNAME }}
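Review bot: Neither patch says what becomes of the long-lived `NUGET_API_KEY` repository secret that the `@@ -161,7 +169,7 @@` hunk of publish-libraries.yml (and the matching hunk in release.yml) stops reading. Until that key is revoked on nuget.org and deleted from the repository secrets, the credential this change is meant to retire still works; whether another workflow still depends on it cannot be seen from this diff. A comment above the login step would record the intent, e.g. `# Publishing uses a short-lived key issued via NuGet Trusted Publishing (OIDC); the static NUGET_API_KEY secret is no longer used here.`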