From 54f07068ba3299768f80ffe3fc90b1bdbf0ef759 Mon Sep 17 00:00:00 2001 From: Stuart Meeks Date: Wed, 10 Jun 2026 02:39:08 +0000 Subject: [PATCH] Update NuGet deps to latest stable; switch release to trusted publishing Package updates (latest non-prerelease): - Microsoft.Extensions.DependencyInjection.Abstractions 10.0.8 -> 10.0.9 - Microsoft.Extensions.Http 10.0.8 -> 10.0.9 - Spectre.Console 0.55.2 -> 0.56.0 - Spectre.Console.Testing 0.55.2 -> 0.56.0 Left unchanged (already at latest stable; newer releases are prerelease only): Spectre.Console.Cli 0.55.0, Microsoft.SourceLink.GitHub 10.0.300, Microsoft.NET.Test.Sdk 18.6.0, xunit 2.9.3, xunit.runner.visualstudio 3.1.5, coverlet.collector 10.0.1. Release workflow now uses NuGet Trusted Publishing: the publish job requests a short-lived API key via NuGet/login@v1 (OIDC) instead of a long-lived NUGET_API_KEY secret. Adds id-token: write permission. Co-Authored-By: Claude Opus 4.8 (1M context) --- .github/workflows/release.yml | 16 +++++++++++++++- ...extIteration.SpectreConsole.SelfUpdate.csproj | 6 +++--- ...ration.SpectreConsole.SelfUpdate.Tests.csproj | 2 +- 3 files changed, 19 insertions(+), 5 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c87eddf..b3321c0 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -12,6 +12,10 @@ jobs: publish: runs-on: ubuntu-latest + permissions: + id-token: write # required for NuGet trusted publishing (OIDC token issuance) + contents: read + steps: - name: Checkout uses: actions/checkout@v6 
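Review bot: In the `@@ -12,6 +12,10 @@` hunk of release.yml, `id-token: write` is granted at job level, so every step of `publish` can request an OIDC token, including the checkout and whatever build/pack steps sit between this hunk and the next (not visible here). The second hunk's context suggests the package is already uploaded as the `nuget-package` artifact, so the push could move to a separate job that downloads that artifact and is the only one holding `id-token: write`, leaving the build job at `contents: read`. A smaller step is to add `environment: <release-environment>` (placeholder name) under `publish:` and, if the nuget.org trusted publishing policy is scoped to that environment, let a protected environment gate the token exchange. Listing `contents: read` explicitly is good, because a job-level `permissions` block drops every unlisted scope.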
@@ -39,5 +43,15 @@ jobs: name: nuget-package path: ./artifacts/*.nupkg + # Exchange the GitHub OIDC token for a short-lived nuget.org API key. + # Requires a Trusted Publishing policy configured on nuget.org for this + # repo + release.yml workflow. NUGET_USER is your nuget.org profile name + # (not your email). The key is valid for 1 hour, so fetch it just before push. + - name: NuGet login (OIDC → short-lived API key) + uses: NuGet/login@v1 + id: nuget-login + with: + user: ${{ secrets.NUGET_USER }} + - name: Publish to NuGet - run: dotnet nuget push "./artifacts/*.nupkg" --api-key "${{ secrets.NUGET_API_KEY }}" --source https://api.nuget.org/v3/index.json --skip-duplicate + run: dotnet nuget push "./artifacts/*.nupkg" --api-key "${{ steps.nuget-login.outputs.NUGET_API_KEY }}" --source https://api.nuget.org/v3/index.json --skip-duplicate diff --git a/src/NextIteration.SpectreConsole.SelfUpdate/NextIteration.SpectreConsole.SelfUpdate.csproj b/src/NextIteration.SpectreConsole.SelfUpdate/NextIteration.SpectreConsole.SelfUpdate.csproj index 83b231a..13887dd 100644 --- a/src/NextIteration.SpectreConsole.SelfUpdate/NextIteration.SpectreConsole.SelfUpdate.csproj +++ b/src/NextIteration.SpectreConsole.SelfUpdate/NextIteration.SpectreConsole.SelfUpdate.csproj @@ -39,9 +39,9 @@ - - - + + + diff --git a/tests/NextIteration.SpectreConsole.SelfUpdate.Tests/NextIteration.SpectreConsole.SelfUpdate.Tests.csproj b/tests/NextIteration.SpectreConsole.SelfUpdate.Tests/NextIteration.SpectreConsole.SelfUpdate.Tests.csproj index 2b27af2..b8111b7 100644 --- a/tests/NextIteration.SpectreConsole.SelfUpdate.Tests/NextIteration.SpectreConsole.SelfUpdate.Tests.csproj +++ b/tests/NextIteration.SpectreConsole.SelfUpdate.Tests/NextIteration.SpectreConsole.SelfUpdate.Tests.csproj @@ -32,7 +32,7 @@ runtime; build; native; contentfiles; analyzers; buildtransitive all - +
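Review bot: In the release.yml hunk at `@@ -39,5 +43,15 @@`, the new `uses: NuGet/login@v1` step references a mutable tag inside the one job that can mint a publishing credential, so whatever that tag points to at run time receives the OIDC token. Pinning to a full commit SHA, `uses: NuGet/login@<full-commit-sha> # v1` (placeholder, take the SHA from the action's release), makes the exchanged code reviewable and stable. The short-lived key is also expanded by `${{ }}` directly into the `run:` script text. Passing it through the step's `env:` and pushing with `--api-key "$NUGET_API_KEY"` keeps the value out of the rendered script and out of shell parsing. The `.csproj` hunks on this line are version bumps and need no comment.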