From e1df89a6891ec7e6f3ded755a6b9e62bc9618139 Mon Sep 17 00:00:00 2001
From: Alberto Spelta <albertospelta@users.noreply.github.com>
Date: Thu, 11 Jun 2026 13:46:55 +0200
Subject: [PATCH] Switch NuGet publish to Trusted Publishing (OIDC)

Replace NUGET_API_KEY secret with NuGet/login@v1 OIDC-based keyless publishing.
---
 .github/workflows/release.yml | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 142a332..5deb8c2 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -5,6 +5,7 @@ on:
 
 permissions:
   contents: write
+  id-token: write
 
 jobs:
   release:
@@ -36,8 +37,14 @@ jobs:
       - name: pack
         run: dotnet pack ./src/Dax.Formatter/Dax.Formatter.csproj --configuration Release --no-build --output ./artifacts
 
-      - name: push to nuget.org
-        run: dotnet nuget push "./artifacts/*.nupkg" --api-key ${{ secrets.NUGET_API_KEY }} --source https://api.nuget.org/v3/index.json --skip-duplicate
+      - name: nuget login
+        uses: NuGet/login@v1
+        id: login
+        with:
+          user: ${{ secrets.NUGET_USER }}
+
+      - name: nuget push
+        run: dotnet nuget push "./artifacts/*.nupkg" --api-key "${{ steps.login.outputs.NUGET_API_KEY }}" --source https://api.nuget.org/v3/index.json --skip-duplicate
 
       - name: create github release
         env: