From 14c27cf20c13978c8a3071319c9b83fc3d9cbb80 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Silva?= <2493377+askpt@users.noreply.github.com> Date: Fri, 12 Sep 2025 18:50:56 +0100 Subject: [PATCH 1/2] fix: update NuGet publish step to use temporary API key from OIDC login MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: André Silva <2493377+askpt@users.noreply.github.com> --- .github/workflows/release.yml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 23232824..3a71866d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -62,8 +62,15 @@ jobs: - name: Pack run: dotnet pack -c Release --no-restore + # Get a short-lived NuGet API key + - name: NuGet login (OIDC → temp API key) + uses: NuGet/login@v1 + id: login + with: + user: ${{secrets.NUGET_USER}} + - name: Publish to Nuget - run: dotnet nuget push "src/**/*.nupkg" --api-key "${{ secrets.NUGET_TOKEN }}" --source https://api.nuget.org/v3/index.json + run: dotnet nuget push "src/**/*.nupkg" --api-key "${{ steps.login.outputs.NUGET_API_KEY }}" --source https://api.nuget.org/v3/index.json - name: Generate artifact attestation uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0 From ce8f40475fa41f361d9885c66d77419d6d40c6ca Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Silva?= <2493377+askpt@users.noreply.github.com> Date: Fri, 12 Sep 2025 19:12:51 +0100 Subject: [PATCH 2/2] fix: update NuGet login action to specific version and add comment for OIDC token permissions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: André Silva <2493377+askpt@users.noreply.github.com> --- .github/workflows/release.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
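Review bot: In PATCH 1/2 the `Publish to Nuget` step expands `${{ steps.login.outputs.NUGET_API_KEY }}` straight into the `run:` script text, so the key becomes part of the generated shell script and any shell metacharacter in the output would be interpreted by the shell. Prefer passing it through the environment: add `env:` with `NUGET_API_KEY: ${{ steps.login.outputs.NUGET_API_KEY }}` to the step and use `--api-key "$NUGET_API_KEY"` in the command. Unlike `secrets.*`, a step output is masked in logs only if the action registers it as a secret, which cannot be confirmed from this hunk. Once the OIDC path is proven, the long-lived `NUGET_TOKEN` used by the removed line should be revoked on nuget.org and deleted from the repository secrets, otherwise the old credential stays valid.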
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 3a71866d..a0f938c3 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -32,7 +32,7 @@ jobs: runs-on: ubuntu-latest needs: release-please permissions: - id-token: write + id-token: write # enable GitHub OIDC token issuance for this job (NuGet login) contents: write # for SBOM release attestations: write # for actions/attest-sbom to create attestation packages: read # for internal nuget reading @@ -64,7 +64,7 @@ jobs: # Get a short-lived NuGet API key - name: NuGet login (OIDC → temp API key) - uses: NuGet/login@v1 + uses: NuGet/login@76cce0bd8d4b2f5dcdb45e2316d76c328632a902 # v1 id: login with: user: ${{secrets.NUGET_USER}}
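Review bot: In the `permissions:` hunk the new comment on `id-token: write` names only the NuGet login as the consumer, but the permission predates this series and the `actions/attest-build-provenance` step, which appears to be in the same job, normally needs it too for signing. A later cleanup of the NuGet step could then drop a permission the attestation still depends on; suggest `id-token: write # OIDC token: NuGet login and artifact attestation signing`. Because the grant is at job level, every step in this job, including the pack step, can request an OIDC token. Moving the publish into its own job that holds only `id-token: write` would narrow that, assuming the nuget.org trust policy is updated to match. The `permissions:` block and the job continue outside the hunk.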
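Review bot: On the pinned `NuGet/login` line the trailing comment records only the floating major tag `# v1`, so nothing says which release commit 76cce0bd8d4b2f5dcdb45e2316d76c328632a902 corresponds to, and the tag can later move away from it. The other pinned action in this workflow (`actions/attest-build-provenance@... # v3.0.0`) carries the exact version. Do the same here, e.g. `uses: NuGet/login@76cce0bd8d4b2f5dcdb45e2316d76c328632a902 # vX.Y.Z`, where `vX.Y.Z` is a placeholder because the exact release tag is not shown on this page. A concrete version in the comment lets reviewers and update tooling check the SHA against a published release.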