diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 201a3bc..aa7aba4 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -11,6 +11,9 @@ on:
permissions:
contents: write
+ # NuGet Trusted Publishing: the job exchanges a GitHub OIDC token for a
+ # short-lived nuget.org API key (NuGet/login@v1), so no long-lived secret.
+ id-token: write
env:
DOTNET_VERSION: "10.0.x"
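Review bot: `id-token: write` is added to what looks like the workflow-level `permissions:` block (it sits before `env:` and `jobs:`), so every job in release.yml can request a GitHub OIDC token, not only the one that publishes to NuGet. Because the trusted publishing policy described in the later comment is scoped to the repo and workflow file, a token requested by any job here would likely satisfy it. Consider granting it on the publishing job alone with a job-level `permissions:` listing `contents: write` and `id-token: write`. A job-level block replaces the workflow-level one, so that job must list every scope it needs. Indentation is lost in this view, so confirm the block's level against the file.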
@@ -129,6 +132,17 @@ jobs:
- name: Pack snipdeck-importer (.NET global tool)
run: dotnet pack tools/Snipdeck.Importer/Snipdeck.Importer.csproj --configuration Release --no-restore --output nuget
+ # Trusted Publishing: exchange the job's GitHub OIDC token for a temporary
+ # nuget.org API key (valid ~1h). Run immediately before the push so the key
+ # does not expire. Requires a trusted publishing policy on nuget.org for
+ # this repo + workflow file (release.yml), and the NUGET_USER secret set to
+ # the nuget.org profile username (not the account email).
+ - name: NuGet login (OIDC -> temporary API key)
+ uses: NuGet/login@v1
+ id: nuget-login
+ with:
+ user: ${{ secrets.NUGET_USER }}
+
- name: Push snipdeck-importer to NuGet.org
# Resolve the package explicitly — PowerShell does not glob-expand
# arguments to native commands, and `dotnet nuget push` treats the
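Review bot: `uses: NuGet/login@v1` pins the action to a mutable tag, and this is the step that receives the job's OIDC token and returns a nuget.org API key. If that tag is ever moved, different code runs in the release job with `id-token: write` and `contents: write`. Pin it to a full commit SHA and keep the tag as a trailing comment, `uses: NuGet/login@<full-commit-sha> # v1`, with Dependabot or a similar tool proposing the bumps. If the job runs in a GitHub environment, the nuget.org policy can, as far as I know, also be bound to that environment, which narrows which runs can obtain a key.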
@@ -137,4 +151,4 @@ jobs:
run: |
$pkg = Get-ChildItem nuget -Filter *.nupkg | Select-Object -First 1
if (-not $pkg) { Write-Error "No .nupkg found in nuget/"; exit 1 }
- dotnet nuget push $pkg.FullName --api-key "${{ secrets.NUGET_API_KEY }}" --source https://api.nuget.org/v3/index.json --skip-duplicate
+ dotnet nuget push $pkg.FullName --api-key "${{ steps.nuget-login.outputs.NUGET_API_KEY }}" --source https://api.nuget.org/v3/index.json --skip-duplicate
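Review bot: The temporary key is expanded into the script text by `${{ steps.nuget-login.outputs.NUGET_API_KEY }}` before PowerShell runs, so the value lands in the generated script file and is parsed as part of the command. Passing it through the step environment keeps it out of the script body: add `env:` with `NUGET_API_KEY: ${{ steps.nuget-login.outputs.NUGET_API_KEY }}` to the step and use `--api-key $env:NUGET_API_KEY` on the push line. Whether the action masks this output in logs is not visible here, so that is worth confirming. The step begins outside the hunk. The old `NUGET_API_KEY` repository secret is no longer referenced by this line, but it presumably stays valid on nuget.org until it is revoked there and removed from the repo settings.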
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 893e40f..79ad7de 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,17 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
## [Unreleased]
+## [1.0.4] - 2026-06-10
+
+### Changed
+- Refreshed bundled dependencies to their latest stable releases, including the
+ Windows App SDK (2.2.0) and the Velopack updater (1.2.0).
+
+### Security
+- The release pipeline now publishes the `snipdeck-importer` .NET tool to NuGet.org
+ using trusted publishing — short-lived OIDC credentials issued per run — in place
+ of a long-lived API key.
+
## [1.0.3] - 2026-06-08
### Fixed
diff --git a/Directory.Packages.props b/Directory.Packages.props
index 8a906de..e47f405 100644
--- a/Directory.Packages.props
+++ b/Directory.Packages.props
@@ -19,7 +19,7 @@
-
+
@@ -27,16 +27,18 @@
-
+
-
-
+
+
-
+
-
+
diff --git a/src/Snipdeck.App/Snipdeck.App.csproj b/src/Snipdeck.App/Snipdeck.App.csproj
index 96f9068..2e19e0a 100644
--- a/src/Snipdeck.App/Snipdeck.App.csproj
+++ b/src/Snipdeck.App/Snipdeck.App.csproj
@@ -6,7 +6,6 @@
Snipdeck.App
app.manifest
win-x86;win-x64;win-arm64
- win-$(Platform).pubxml
true
false
None
diff --git a/version.json b/version.json
index 94a8c90..bb497ce 100644
--- a/version.json
+++ b/version.json
@@ -1,6 +1,6 @@
{
"$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/main/src/NerdBank.GitVersioning/version.schema.json",
- "version": "1.0.3",
+ "version": "1.0.4",
"publicReleaseRefSpec": [
"^refs/tags/v\\d+\\.\\d+\\.\\d+"
]