Switch to nuget OIDC publishing (#3764)

Author: roji

.github/workflows/build.yml

@@ -10,6 +10,10 @@ on:
       - v*
   pull_request:
 
+permissions:
+  contents: read
+  id-token: write # required for GitHub OIDC
+
 env:
   postgis_version: 3
   DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true
@@ -160,6 +164,8 @@ jobs:
     needs: build
     runs-on: ubuntu-24.04
     if: github.event_name == 'push' && startsWith(github.repository, 'npgsql/') && needs.build.outputs.is_release == 'true'
+    permissions:
+      id-token: write  # enable GitHub OIDC token issuance for this job
     environment: nuget.org
 
     steps:
@@ -180,6 +186,13 @@ jobs:
 
       # TODO: Create a release
 
+      # Get a short-lived NuGet API key
+      - name: NuGet login (OIDC)
+        uses: NuGet/login@v1
+        id: login
+        with:
+          user: ${{ secrets.NUGET_USER }}
+
       - name: Publish to nuget.org
-        run: dotnet nuget push "*.nupkg" --api-key ${{ secrets.NUGET_ORG_API_KEY }} --source https://api.nuget.org/v3/index.json
+        run: dotnet nuget push "*.nupkg" --api-key ${{ steps.login.outputs.NUGET_API_KEY }} --source https://api.nuget.org/v3/index.json
         working-directory: nupkgs