From 77821a1dcded446f54a310b8a3d05b3bf3bedffa Mon Sep 17 00:00:00 2001 From: Jared Parsons Date: Thu, 18 Jun 2026 13:44:24 -0700 Subject: [PATCH] Switch publish workflow to NuGet trusted publishing (OIDC) Replace secrets.NUGET_API_KEY with NuGet/login@v1 OIDC-based authentication. - Add id-token: write permission for OIDC token exchange - Add NuGet/login@v1 step before push - Remove API key from push command - Add --skip-duplicate to push Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .github/workflows/publish.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 00f795c..d116604 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -15,6 +15,9 @@ jobs: publish: name: Publish NuGet runs-on: ubuntu-latest + permissions: + id-token: write + contents: write if: >- github.event_name == 'workflow_dispatch' || (github.event_name == 'workflow_run' && @@ -52,8 +55,13 @@ jobs: - name: Pack Solution run: dotnet pack -p:PackageOutputPath="${GITHUB_WORKSPACE}/packages" -p:IncludeSymbols=false -p:RepositoryCommit=${GITHUB_SHA} -p:PackageVersion="${{ steps.version.outputs.version }}" -c Release + - name: NuGet login (OIDC) + uses: NuGet/login@v1 + with: + user: jaredpar + - name: Publish NuPkg Files - run: dotnet nuget push "$GITHUB_WORKSPACE/packages/*.nupkg" -k ${{ secrets.NUGET_API_KEY }} -s https://api.nuget.org/v3/index.json + run: dotnet nuget push "$GITHUB_WORKSPACE/packages/*.nupkg" -s https://api.nuget.org/v3/index.json --skip-duplicate - name: Create Tag and Release env:
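Review bot: The new `permissions:` block in the first hunk is job-wide, so `id-token: write` and `contents: write` are held by every step of `publish`, including the `dotnet pack` step in the second hunk, which runs the project's build logic before the login step. Nothing in the hunk records why each scope is needed; I would annotate them, e.g. `id-token: write  # OIDC exchange in the NuGet login step` and `contents: write  # presumably the tag-and-release step`. If packing can be separated, doing it in a job without `id-token` and handing the .nupkg files to a small publish job would narrow which code can request the token. The `if:` expression and the rest of the job continue outside the hunk, so the trigger conditions are not reviewed here.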
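Review bot: The push step in the second hunk no longer passes any API key, and the login step has no `id`, so nothing connects the two. Going by NuGet/login's documented usage, the action returns the short-lived key as the step output `NUGET_API_KEY` rather than configuring the client, so the push would likely be rejected as unauthenticated; add `id: login` to the login step and `-k ${{ steps.login.outputs.NUGET_API_KEY }}` to the push. Because this job holds `id-token: write`, `uses: NuGet/login@v1` is also worth pinning to a full commit SHA (`NuGet/login@<full-commit-sha>  # v1`) so a moved tag cannot change what runs. `--skip-duplicate` makes an already-published version count as success, so the tag-and-release step that follows (its body is outside the hunk) can run for a package this run did not upload.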