From 190b017e76947de1ccfdab096af1a03388e317bd Mon Sep 17 00:00:00 2001
From: Dion Gionet Mallet
Date: Mon, 17 Nov 2025 16:52:23 -0500
Subject: [PATCH] [DEVOPS-3949] ci(nuget): use Trusted Publishing auth
---
 .github/workflows/release.yml | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index dbd3fd0..d54b28b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -15,6 +15,8 @@ jobs:
 deploy:
 runs-on: ubuntu-latest
 environment: publish
+ permissions:
+ id-token: write
 steps:
 - uses: actions/checkout@v4
@@ -42,10 +44,16 @@ jobs:
 run: |
 7z x nugets.zip -o./nugets
+ - name: NuGet login (OIDC)
+ id: nuget-login
+ uses: NuGet/login@v1
+ with:
+ user: ${{ secrets.NUGET_BOT_USERNAME }}
+
 - name: Publish NuGet
 if: ${{ inputs.publish_nuget }}
 run: |
- COMMAND="dotnet nuget push ./nugets/Devolutions.BCryptPbkdf.Net.*.nupkg --api-key ${{ secrets.NUGET_API_KEY }} --source https://api.nuget.org/v3/index.json"
+ COMMAND="dotnet nuget push ./nugets/Devolutions.BCryptPbkdf.Net.*.nupkg --api-key ${{ steps.nuget-login.outputs.NUGET_API_KEY }} --source https://api.nuget.org/v3/index.json"
 if [ '${{ inputs.publish_dry_run }}' == 'true' ]; then
 echo "Dry Run : True"
@@ -55,6 +63,6 @@ jobs:
 echo "Running : $COMMAND"
- if [ "${{ inputs.publish_dry_run }}" != "true" ]; then # if not dry run, actually run the command
+ if [ "${{ inputs.publish_dry_run }}" != "true" ]; then
 eval "$COMMAND"
 fi
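Review bot: A job-level `permissions` block sets every scope it does not list to `none`, so with only `id-token: write` the job token no longer carries `contents: read`. `actions/checkout@v4` in this job needs that scope on a private repository, and the steps that fetch `nugets.zip` lie outside the hunk and may need `actions: read` as well. If either applies, add `contents: read` (and whatever the download step requires) beside `id-token: write`, with a short comment such as `# OIDC token for NuGet Trusted Publishing` on the new scope. Keeping the block this narrow is otherwise the right default for a job that can mint publishing credentials.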
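Review bot: The temporary key is pasted into the script text by `${{ steps.nuget-login.outputs.NUGET_API_KEY }}` and lands inside `COMMAND`, which the same step later prints with `echo "Running : $COMMAND"` and runs through `eval` (third hunk; the run block continues outside this one). A repository secret is always redacted in logs, but a step output is redacted only if the action registered it as a mask, and whether `NuGet/login` does so is not visible here. Passing the value through the step's `env:` as `NUGET_API_KEY: ${{ steps.nuget-login.outputs.NUGET_API_KEY }}` and building `COMMAND` in single quotes with `--api-key "$NUGET_API_KEY"` keeps the key out of the echoed string while `eval` still expands it. The login step also lacks the `if: ${{ inputs.publish_nuget }}` guard that the publish step carries, so a key is minted on runs that never push. `NuGet/login@v1` is a movable tag on an action that receives the OIDC token, so pinning it as `NuGet/login@<full-commit-sha> # v1` would be the safer reference.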