ci(nuget): use Trusted Publishing auth (#1578)

Issue: DEVOPS-3949

Author: dion-gionet

.github/workflows/publish-libraries.yml

@@ -140,6 +140,8 @@ jobs:
     if: ${{ needs.preflight.outputs.dry_run == 'false' }}
     needs: [preflight, nuget-merge]
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
 
     steps:
       - name: Download NuGet packages artifact
@@ -148,6 +150,12 @@ jobs:
           name: nupkg
           path: nuget-packages
 
+      - name: NuGet login (OIDC)
+        id: nuget-login
+        uses: NuGet/login@v1
+        with:
+          user: ${{ secrets.NUGET_BOT_USERNAME }}
+
       - name: Publish to nuget.org
         run: |
           Set-PSDebug -Trace 1
@@ -161,7 +169,7 @@ jobs:
               'push',
               "$File",
               '--api-key',
-              '${{ secrets.NUGET_API_KEY }}',
+              '${{ steps.nuget-login.outputs.NUGET_API_KEY }}',
               '--source',
               'https://api.nuget.org/v3/index.json',
               '--skip-duplicate'

.github/workflows/release.yml

@@ -507,6 +507,8 @@ jobs:
     if: ${{ needs.preflight.outputs.skip-publishing == 'false' || inputs.dry-run }}
     needs: [preflight]
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
 
     steps:
       - name: Download jetsocat-nuget artifact
@@ -515,6 +517,12 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: NuGet login (OIDC)
+        id: nuget-login
+        uses: NuGet/login@v1
+        with:
+          user: ${{ secrets.NUGET_BOT_USERNAME }}
+
       - name: Publish Jetsocat NuGet package
         run: |
           Set-PSDebug -Trace 1
@@ -528,7 +536,7 @@ jobs:
             'push',
             "$($Package.FullName)",
             '--api-key',
-            '${{ secrets.NUGET_API_KEY }}',
+            '${{ steps.nuget-login.outputs.NUGET_API_KEY }}',
             '--source',
             'https://api.nuget.org/v3/index.json',
             '--skip-duplicate'