From 67f733e9362e1e210511ae9064eba54869f92d5d Mon Sep 17 00:00:00 2001 From: Stuart Meeks Date: Wed, 10 Jun 2026 02:26:15 +0000 Subject: [PATCH 1/2] Update NuGet dependencies to latest and switch to trusted publishing Bump all package references to their latest stable versions, leaving the intentionally capped NextIteration.SpectreConsole.Auth range untouched: - Microsoft.Extensions.* 10.0.5 -> 10.0.9 - Spectre.Console 0.55.2 -> 0.56.0 - Microsoft.SourceLink.GitHub 8.0.0 -> 10.0.300 - Microsoft.NET.Test.Sdk 17.11.1 -> 18.6.0 - xunit 2.9.2 -> 2.9.3 - xunit.runner.visualstudio 2.8.2 -> 3.1.5 - coverlet.collector 6.0.2 -> 10.0.1 Switch the publish job to NuGet trusted publishing (OIDC): grant the job id-token: write, exchange the GitHub OIDC token for a short-lived API key via NuGet/login@v1 immediately before push, and drop the long-lived NUGET_API_KEY secret in favour of a NUGET_USER profile name. Update RELEASING.md prerequisites accordingly. Build clean (0 warnings) and all 59 tests pass. --- .github/workflows/ci.yml | 20 +++++++++++++++++++- Directory.Packages.props | 18 +++++++++--------- RELEASING.md | 12 ++++++++++-- 3 files changed, 38 insertions(+), 12 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9692b07..5de0374 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -72,6 +72,14 @@ jobs: runs-on: ubuntu-latest if: startsWith(github.ref, 'refs/tags/adobe-v') || startsWith(github.ref, 'refs/tags/airtable-v') || startsWith(github.ref, 'refs/tags/softwareone-v') + permissions: + # Required for NuGet trusted publishing: lets the job request a + # short-lived OIDC token from GitHub, which NuGet/login exchanges + # with nuget.org for a temporary (1-hour) API key. No long-lived + # NUGET_API_KEY secret is involved anymore. + contents: read + id-token: write + steps: - name: Checkout uses: actions/checkout@v6 
@@ -98,9 +106,19 @@ jobs: *) echo "::error::Unrecognised tag prefix: $ref"; exit 1 ;; esac + # Exchange the GitHub OIDC token for a short-lived nuget.org API key. + # Run this immediately before the push: the key is valid for 1 hour + # and a token can only be redeemed once. NUGET_USER is the nuget.org + # profile name (username), NOT an email address. + - name: NuGet login (OIDC -> temporary API key) + uses: NuGet/login@v1 + id: login + with: + user: ${{ secrets.NUGET_USER }} + - name: Publish to NuGet run: | dotnet nuget push "./artifacts/${{ steps.prefix.outputs.pkg }}.*.nupkg" \ - --api-key "${{ secrets.NUGET_API_KEY }}" \ + --api-key "${{ steps.login.outputs.NUGET_API_KEY }}" \ --source https://api.nuget.org/v3/index.json \ --skip-duplicate diff --git a/Directory.Packages.props b/Directory.Packages.props index 4535ad7..f458c91 100644 --- a/Directory.Packages.props +++ b/Directory.Packages.props @@ -14,9 +14,9 @@ - - - + + + - + - - - - - + + + + + diff --git a/RELEASING.md b/RELEASING.md index f51f9dd..bf68fe2 100644 --- a/RELEASING.md +++ b/RELEASING.md 
@@ -18,8 +18,16 @@ The `` part must match the `` property in the corresponding `. ## Prerequisites -- **`NUGET_API_KEY` repo secret** is set under - *Settings → Secrets and variables → Actions*. +- **NuGet trusted publishing is configured.** Publishing uses OIDC (no + long-lived API key). Two pieces must be in place: + - A **trusted publishing policy** on nuget.org (*your username → Trusted + Publishing*) pointing at this repo: Repository Owner `StuartMeeks`, + Repository `NextIteration.SpectreConsole.Auth.Providers`, Workflow File + `ci.yml`. The policy owner must own all three provider packages. + - A **`NUGET_USER` repo secret** under *Settings → Secrets and variables → + Actions*, set to your nuget.org profile name (username, **not** email). + The `publish` job passes this to `NuGet/login`, which exchanges the + GitHub OIDC token for a short-lived (1-hour) API key at push time. - The csproj for the provider you're releasing has its `` bumped and committed to `main`. - `main` is green on CI (otherwise the tag-triggered build will fail too). From fe0ebc7b5bd6e2b24d070fbd7b1a4a6cfed56350 Mon Sep 17 00:00:00 2001 From: Stuart Meeks Date: Wed, 10 Jun 2026 02:29:37 +0000 Subject: [PATCH 2/2] Bump provider versions for release Adobe 0.2.2 -> 0.2.3, Airtable 0.2.2 -> 0.2.3, SoftwareOne 0.3.2 -> 0.3.3. Patch release covering the dependency refresh and the switch to trusted publishing. No public API or behaviour changes. CHANGELOG updated. --- CHANGELOG.md | 23 +++++++++++++++++++ ...SpectreConsole.Auth.Providers.Adobe.csproj | 2 +- ...ctreConsole.Auth.Providers.Airtable.csproj | 2 +- ...eConsole.Auth.Providers.SoftwareOne.csproj | 2 +- 4 files changed, 26 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6fbeb63..422ec9e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -9,6 +9,29 @@ and each package adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 --- +## [0.2.3 / 0.2.3 / 0.3.3] — 2026-06-10 + +_Adobe → 0.2.3, Airtable → 0.2.3, SoftwareOne → 0.3.3. Coordinated maintenance release: dependency refresh plus a move to keyless publishing. No public API or behaviour changes._ + +### Changed +- **Dependencies bumped to latest stable.** Runtime dependencies shipped in + the provider packages: `Microsoft.Extensions.DependencyInjection.Abstractions` + and `Microsoft.Extensions.Http` 10.0.5 → 10.0.9, `Spectre.Console` + 0.55.2 → 0.56.0. Build/test tooling: `Microsoft.SourceLink.GitHub` + 8.0.0 → 10.0.300, `Microsoft.NET.Test.Sdk` 17.11.1 → 18.6.0, `xunit` + 2.9.2 → 2.9.3, `xunit.runner.visualstudio` 2.8.2 → 3.1.5, + `coverlet.collector` 6.0.2 → 10.0.1. The capped `NextIteration.SpectreConsole.Auth` + range (`[0.6.1,1.0.0)`) is intentionally left unchanged. +- **Publishing switched to NuGet trusted publishing (OIDC).** The release + workflow no longer uses a long-lived `NUGET_API_KEY` secret. The `publish` + job requests a GitHub OIDC token (`id-token: write`) and exchanges it via + `NuGet/login@v1` for a short-lived (1-hour) nuget.org API key at push time. + See [RELEASING.md](RELEASING.md) for the one-time nuget.org policy and + `NUGET_USER` secret setup. Packaging is unchanged — consumers see no + difference. + +--- + ## [0.2.2 / 0.2.2 / 0.3.2] — 2026-05-03 _Adobe → 0.2.2, Airtable → 0.2.2, SoftwareOne → 0.3.2. Coordinated patch release across the four sibling repos to fix symbol-package publishing._ diff --git a/src/NextIteration.SpectreConsole.Auth.Providers.Adobe/NextIteration.SpectreConsole.Auth.Providers.Adobe.csproj b/src/NextIteration.SpectreConsole.Auth.Providers.Adobe/NextIteration.SpectreConsole.Auth.Providers.Adobe.csproj index 0ed8aa8..a950fc5 100644 --- a/src/NextIteration.SpectreConsole.Auth.Providers.Adobe/NextIteration.SpectreConsole.Auth.Providers.Adobe.csproj 
+++ b/src/NextIteration.SpectreConsole.Auth.Providers.Adobe/NextIteration.SpectreConsole.Auth.Providers.Adobe.csproj @@ -11,7 +11,7 @@ NextIteration.SpectreConsole.Auth.Providers.Adobe - 0.2.2 + 0.2.3 Adobe VIP Marketplace credential provider for NextIteration.SpectreConsole.Auth. Ships AdobeCredential, AdobeToken, AdobeAuthenticationService (OAuth2 client-credentials against Adobe IMS), and the Spectre.Console collector that drives the accounts-add prompt. true MIT diff --git a/src/NextIteration.SpectreConsole.Auth.Providers.Airtable/NextIteration.SpectreConsole.Auth.Providers.Airtable.csproj b/src/NextIteration.SpectreConsole.Auth.Providers.Airtable/NextIteration.SpectreConsole.Auth.Providers.Airtable.csproj index 3cd087e..95aafa6 100644 --- a/src/NextIteration.SpectreConsole.Auth.Providers.Airtable/NextIteration.SpectreConsole.Auth.Providers.Airtable.csproj +++ b/src/NextIteration.SpectreConsole.Auth.Providers.Airtable/NextIteration.SpectreConsole.Auth.Providers.Airtable.csproj @@ -11,7 +11,7 @@ NextIteration.SpectreConsole.Auth.Providers.Airtable - 0.2.2 + 0.2.3 Airtable credential provider for NextIteration.SpectreConsole.Auth. Ships AirtableCredential, AirtableToken, AirtableAuthenticationService (pass-through personal access token), and the Spectre.Console collector that drives the accounts-add prompt. true MIT diff --git a/src/NextIteration.SpectreConsole.Auth.Providers.SoftwareOne/NextIteration.SpectreConsole.Auth.Providers.SoftwareOne.csproj b/src/NextIteration.SpectreConsole.Auth.Providers.SoftwareOne/NextIteration.SpectreConsole.Auth.Providers.SoftwareOne.csproj index 1730ab6..d121e23 100644 --- a/src/NextIteration.SpectreConsole.Auth.Providers.SoftwareOne/NextIteration.SpectreConsole.Auth.Providers.SoftwareOne.csproj +++ b/src/NextIteration.SpectreConsole.Auth.Providers.SoftwareOne/NextIteration.SpectreConsole.Auth.Providers.SoftwareOne.csproj 
@@ -11,7 +11,7 @@ NextIteration.SpectreConsole.Auth.Providers.SoftwareOne - 0.3.2 + 0.3.3 SoftwareOne Marketplace credential provider for NextIteration.SpectreConsole.Auth. Ships SoftwareOneCredential, SoftwareOneToken, SoftwareOneAuthenticationService, and the Spectre.Console collector that drives the accounts-add prompt. The collector performs a live lookup against the Marketplace API at add-time to validate the token and enrich the credential with the account and token metadata. true MIT
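Review bot: in the `permissions:` block added to the `publish` job in `.github/workflows/ci.yml`, `id-token: write` applies to every step of the job, including the `actions/checkout@v6` step visible in the context and everything that runs between it and the login step, so each of those steps is able to request an OIDC token. Consider moving build and pack into a separate job that has only `contents: read`, handing the `.nupkg` files over as artifacts, and keeping `id-token: write` on a job that contains just the login and push steps. A smaller point: the explanatory comment sits above `contents: read` although it documents `id-token: write`; move it next to the line it describes.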
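Review bot: in the second `ci.yml` hunk, `uses: NuGet/login@v1` references a mutable tag inside the one job that can obtain publishing credentials; pin it, and `actions/checkout@v6` in the same job, to a full commit SHA with the version kept in a trailing comment. In the push step, `--api-key "${{ steps.login.outputs.NUGET_API_KEY }}"` is substituted into the script text before the shell runs. Pass the value through the step's `env:` and reference it as `"$NUGET_API_KEY"` so the temporary key is never written into the generated script.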
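Review bot: the `Directory.Packages.props` hunk lands in the same commit as the change to how releases are authenticated, and per the commit message it includes major-version jumps in build and test tooling (`coverlet.collector` 6.0.2 -> 10.0.1, `xunit.runner.visualstudio` 2.8.2 -> 3.1.5, `Microsoft.SourceLink.GitHub` 8.0.0 -> 10.0.300). Split the dependency refresh and the trusted-publishing switch into separate commits so either can be reverted or bisected on its own. "All 59 tests pass" covers the test runner; say in the message whether coverage collection and SourceLink output were also checked after the major bumps.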
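Review bot: the `RELEASING.md` Prerequisites hunk removes the `NUGET_API_KEY` bullet but documents no decommissioning step, so the old long-lived key stays valid on nuget.org and the secret stays in the repository unless someone remembers to clean up. Add a one-time migration item: delete the `NUGET_API_KEY` repo secret and revoke the corresponding API key on nuget.org once the first OIDC publish has succeeded. The policy as written is scoped to owner, repository and `ci.yml` only; if the publish job is later given a GitHub environment with required reviewers, record the environment name in the policy description here as well.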
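Review bot: in the `CHANGELOG.md` hunk, the summary line says "No public API or behaviour changes" and the publishing bullet ends with "consumers see no difference", yet the first bullet lists raised runtime dependencies that ship in the provider packages (`Microsoft.Extensions.*` 10.0.5 → 10.0.9, `Spectre.Console` 0.55.2 → 0.56.0). Consumers do pick up new minimum versions transitively, and `Spectre.Console` is a 0.x minor bump. Reword so the "no difference" claim is limited to the publishing change, and state explicitly that the minimum dependency versions have moved.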