StuartMeeks · StuartMeeks · Jun 10, 2026 · Jun 10, 2026 · Jun 10, 2026
@@ -72,6 +72,14 @@ jobs:
     runs-on: ubuntu-latest
     if: startsWith(github.ref, 'refs/tags/adobe-v') || startsWith(github.ref, 'refs/tags/airtable-v') || startsWith(github.ref, 'refs/tags/softwareone-v')
 
+    permissions:
+      # Required for NuGet trusted publishing: lets the job request a
+      # short-lived OIDC token from GitHub, which NuGet/login exchanges
+      # with nuget.org for a temporary (1-hour) API key. No long-lived
+      # NUGET_API_KEY secret is involved anymore.
+      contents: read
+      id-token: write
+
     steps:
       - name: Checkout
         uses: actions/checkout@v6
@@ -98,9 +106,19 @@ jobs:
             *) echo "::error::Unrecognised tag prefix: $ref"; exit 1 ;;
           esac
 
+      # Exchange the GitHub OIDC token for a short-lived nuget.org API key.
+      # Run this immediately before the push: the key is valid for 1 hour
+      # and a token can only be redeemed once. NUGET_USER is the nuget.org
+      # profile name (username), NOT an email address.
+      - name: NuGet login (OIDC -> temporary API key)
+        uses: NuGet/login@v1
+        id: login
+        with:
+          user: ${{ secrets.NUGET_USER }}
+
       - name: Publish to NuGet
         run: |
           dotnet nuget push "./artifacts/${{ steps.prefix.outputs.pkg }}.*.nupkg" \
-            --api-key "${{ secrets.NUGET_API_KEY }}" \
+            --api-key "${{ steps.login.outputs.NUGET_API_KEY }}" \
             --source https://api.nuget.org/v3/index.json \
             --skip-duplicate
@@ -9,6 +9,29 @@ and each package adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ---
 
+## [0.2.3 / 0.2.3 / 0.3.3] — 2026-06-10
+
+_Adobe → 0.2.3, Airtable → 0.2.3, SoftwareOne → 0.3.3. Coordinated maintenance release: dependency refresh plus a move to keyless publishing. No public API or behaviour changes._
+
+### Changed
+- **Dependencies bumped to latest stable.** Runtime dependencies shipped in
+  the provider packages: `Microsoft.Extensions.DependencyInjection.Abstractions`
+  and `Microsoft.Extensions.Http` 10.0.5 → 10.0.9, `Spectre.Console`
+  0.55.2 → 0.56.0. Build/test tooling: `Microsoft.SourceLink.GitHub`
+  8.0.0 → 10.0.300, `Microsoft.NET.Test.Sdk` 17.11.1 → 18.6.0, `xunit`
+  2.9.2 → 2.9.3, `xunit.runner.visualstudio` 2.8.2 → 3.1.5,
+  `coverlet.collector` 6.0.2 → 10.0.1. The capped `NextIteration.SpectreConsole.Auth`
+  range (`[0.6.1,1.0.0)`) is intentionally left unchanged.
+- **Publishing switched to NuGet trusted publishing (OIDC).** The release
+  workflow no longer uses a long-lived `NUGET_API_KEY` secret. The `publish`
+  job requests a GitHub OIDC token (`id-token: write`) and exchanges it via
+  `NuGet/login@v1` for a short-lived (1-hour) nuget.org API key at push time.
+  See [RELEASING.md](RELEASING.md) for the one-time nuget.org policy and
+  `NUGET_USER` secret setup. Packaging is unchanged — consumers see no
+  difference.
+
+---
+
 ## [0.2.2 / 0.2.2 / 0.3.2] — 2026-05-03
 
 _Adobe → 0.2.2, Airtable → 0.2.2, SoftwareOne → 0.3.2. Coordinated patch release across the four sibling repos to fix symbol-package publishing._

@@ -14,9 +14,9 @@
 
 	<!-- Runtime dependencies (shipped in provider packages). -->
 	<ItemGroup>
-		<PackageVersion Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="10.0.5" />
-		<PackageVersion Include="Microsoft.Extensions.Http" Version="10.0.5" />
-		<PackageVersion Include="Spectre.Console" Version="0.55.2" />
+		<PackageVersion Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="10.0.9" />
+		<PackageVersion Include="Microsoft.Extensions.Http" Version="10.0.9" />
+		<PackageVersion Include="Spectre.Console" Version="0.56.0" />
 		<!--
 			Capped range: accept any patch/minor in the 0.x line, but
 			prevent silent upgrade to 1.0.0 where the ICredentialCollector /
@@ -28,16 +28,16 @@
 
 	<!-- Build / source-link tooling (PrivateAssets in csprojs). -->
 	<ItemGroup>
-		<PackageVersion Include="Microsoft.SourceLink.GitHub" Version="8.0.0" />
+		<PackageVersion Include="Microsoft.SourceLink.GitHub" Version="10.0.300" />
 	</ItemGroup>
 
 	<!-- Test-only dependencies. -->
 	<ItemGroup>
-		<PackageVersion Include="Microsoft.Extensions.DependencyInjection" Version="10.0.5" />
-		<PackageVersion Include="Microsoft.NET.Test.Sdk" Version="17.11.1" />
-		<PackageVersion Include="xunit" Version="2.9.2" />
-		<PackageVersion Include="xunit.runner.visualstudio" Version="2.8.2" />
-		<PackageVersion Include="coverlet.collector" Version="6.0.2" />
+		<PackageVersion Include="Microsoft.Extensions.DependencyInjection" Version="10.0.9" />
+		<PackageVersion Include="Microsoft.NET.Test.Sdk" Version="18.6.0" />
+		<PackageVersion Include="xunit" Version="2.9.3" />
+		<PackageVersion Include="xunit.runner.visualstudio" Version="3.1.5" />
+		<PackageVersion Include="coverlet.collector" Version="10.0.1" />
 	</ItemGroup>
 
 </Project>
@@ -18,8 +18,16 @@ The `<version>` part must match the `<Version>` property in the corresponding `.
 
 ## Prerequisites
 
-- **`NUGET_API_KEY` repo secret** is set under
-  *Settings → Secrets and variables → Actions*.
+- **NuGet trusted publishing is configured.** Publishing uses OIDC (no
+  long-lived API key). Two pieces must be in place:
+  - A **trusted publishing policy** on nuget.org (*your username → Trusted
+    Publishing*) pointing at this repo: Repository Owner `StuartMeeks`,
+    Repository `NextIteration.SpectreConsole.Auth.Providers`, Workflow File
+    `ci.yml`. The policy owner must own all three provider packages.
+  - A **`NUGET_USER` repo secret** under *Settings → Secrets and variables →
+    Actions*, set to your nuget.org profile name (username, **not** email).
+    The `publish` job passes this to `NuGet/login`, which exchanges the
+    GitHub OIDC token for a short-lived (1-hour) API key at push time.
 - The csproj for the provider you're releasing has its `<Version>` bumped and committed to `main`.
 - `main` is green on CI (otherwise the tag-triggered build will fail too).
 

@@ -11,7 +11,7 @@
 
 	<PropertyGroup>
 		<PackageId>NextIteration.SpectreConsole.Auth.Providers.Adobe</PackageId>
-		<Version>0.2.2</Version>
+		<Version>0.2.3</Version>
 		<Description>Adobe VIP Marketplace credential provider for NextIteration.SpectreConsole.Auth. Ships AdobeCredential, AdobeToken, AdobeAuthenticationService (OAuth2 client-credentials against Adobe IMS), and the Spectre.Console collector that drives the accounts-add prompt.</Description>
 		<IncludeBuildOutput>true</IncludeBuildOutput>
 		<PackageLicenseExpression>MIT</PackageLicenseExpression>

@@ -11,7 +11,7 @@
 
 	<PropertyGroup>
 		<PackageId>NextIteration.SpectreConsole.Auth.Providers.Airtable</PackageId>
-		<Version>0.2.2</Version>
+		<Version>0.2.3</Version>
 		<Description>Airtable credential provider for NextIteration.SpectreConsole.Auth. Ships AirtableCredential, AirtableToken, AirtableAuthenticationService (pass-through personal access token), and the Spectre.Console collector that drives the accounts-add prompt.</Description>
 		<IncludeBuildOutput>true</IncludeBuildOutput>
 		<PackageLicenseExpression>MIT</PackageLicenseExpression>

@@ -11,7 +11,7 @@
 
 	<PropertyGroup>
 		<PackageId>NextIteration.SpectreConsole.Auth.Providers.SoftwareOne</PackageId>
-		<Version>0.3.2</Version>
+		<Version>0.3.3</Version>
 		<Description>SoftwareOne Marketplace credential provider for NextIteration.SpectreConsole.Auth. Ships SoftwareOneCredential, SoftwareOneToken, SoftwareOneAuthenticationService, and the Spectre.Console collector that drives the accounts-add prompt. The collector performs a live lookup against the Marketplace API at add-time to validate the token and enrich the credential with the account and token metadata.</Description>
 		<IncludeBuildOutput>true</IncludeBuildOutput>
 		<PackageLicenseExpression>MIT</PackageLicenseExpression>