From 250d595eec981d79bfe55c845e8223503bed63fa Mon Sep 17 00:00:00 2001 From: Stuart Meeks Date: Wed, 10 Jun 2026 03:20:25 +0000 Subject: [PATCH 1/4] chore: bump deps to latest stable and use NuGet trusted publishing Update centrally-managed package versions to latest stable (CPM was already in place): - Microsoft.Data.Sqlite 10.0.8 -> 10.0.9 - Microsoft.Extensions.DependencyInjection 10.0.8 -> 10.0.9 - Microsoft.WindowsAppSDK 2.1.3 -> 2.2.0 - Velopack 1.1.1 -> 1.2.0 Spectre.Console is deliberately held at 0.55.0: a 0.56.0 exists but Spectre.Console.Cli has not shipped one, and the pair must move together. All other packages were already at their latest stable. Switch the importer's NuGet.org push to Trusted Publishing: the release job now exchanges its GitHub OIDC token for a short-lived API key via NuGet/login@v1 (id-token: write) instead of the long-lived NUGET_API_KEY secret. Requires a trusted publishing policy on nuget.org plus a NUGET_USER secret (nuget.org profile username). Verified: full restore + Core/Execution/Importer tests pass on Linux, and the WinUI App compiles clean (0 warnings) on the Windows build host with the bumped WindowsAppSDK/Velopack. Co-Authored-By: Claude Opus 4.8 (1M context) --- .github/workflows/release.yml | 16 +++++++++++++++- Directory.Packages.props | 13 ++++++++----- 2 files changed, 23 insertions(+), 6 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 201a3bc..aa7aba4 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -11,6 +11,9 @@ on: permissions: contents: write + # NuGet Trusted Publishing: the job exchanges a GitHub OIDC token for a + # short-lived nuget.org API key (NuGet/login@v1), so no long-lived secret. + id-token: write env: DOTNET_VERSION: "10.0.x" 
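Review bot: `id-token: write` is added to the workflow-level `permissions:` block in the first release.yml hunk (`@@ -11,6 +11,9 @@`), so every job in this workflow can request a GitHub OIDC token, not only the job that publishes to nuget.org. Only the job that runs the NuGet login step needs it; declaring `id-token: write` under that job's own `permissions:` keeps any other job in the file from obtaining a token that the nuget.org trusted-publishing policy would accept. A job-level `permissions:` block replaces the workflow-level set for that job, so it would also have to list `contents: write` if the same job creates the GitHub release. The `jobs:` section is outside this hunk, so the job name and whether other jobs exist need to be confirmed against the full file.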
@@ -129,6 +132,17 @@ jobs: - name: Pack snipdeck-importer (.NET global tool) run: dotnet pack tools/Snipdeck.Importer/Snipdeck.Importer.csproj --configuration Release --no-restore --output nuget + # Trusted Publishing: exchange the job's GitHub OIDC token for a temporary + # nuget.org API key (valid ~1h). Run immediately before the push so the key + # does not expire. Requires a trusted publishing policy on nuget.org for + # this repo + workflow file (release.yml), and the NUGET_USER secret set to + # the nuget.org profile username (not the account email). + - name: NuGet login (OIDC -> temporary API key) + uses: NuGet/login@v1 + id: nuget-login + with: + user: ${{ secrets.NUGET_USER }} + - name: Push snipdeck-importer to NuGet.org # Resolve the package explicitly — PowerShell does not glob-expand # arguments to native commands, and `dotnet nuget push` treats the @@ -137,4 +151,4 @@ jobs: run: | $pkg = Get-ChildItem nuget -Filter *.nupkg | Select-Object -First 1 if (-not $pkg) { Write-Error "No .nupkg found in nuget/"; exit 1 } - dotnet nuget push $pkg.FullName --api-key "${{ secrets.NUGET_API_KEY }}" --source https://api.nuget.org/v3/index.json --skip-duplicate + dotnet nuget push $pkg.FullName --api-key "${{ steps.nuget-login.outputs.NUGET_API_KEY }}" --source https://api.nuget.org/v3/index.json --skip-duplicate diff --git a/Directory.Packages.props b/Directory.Packages.props index 8a906de..714cc86 100644 --- a/Directory.Packages.props +++ b/Directory.Packages.props @@ -19,7 +19,7 @@ - + @@ -27,14 +27,17 @@ - + - - + + - + From 17fe714d4d959508044a21817ceb8d52bcd8a570 Mon Sep 17 00:00:00 2001 
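Review bot: `uses: NuGet/login@v1` in the hunk at `@@ -129,6 +132,17 @@` refers to the action by a mutable tag, in a job that holds `id-token: write` and receives the freshly issued nuget.org key as a step output. If that tag is ever moved, whatever code it then points at runs with the ability to obtain a publishing credential for this package. Pin the action to the full commit SHA of the release that was reviewed and keep the tag as a trailing comment, e.g. `uses: NuGet/login@<full-commit-sha-of-reviewed-v1-release> # v1` (placeholder, take the SHA from the action's repository), and let the dependency-update tooling propose bumps. The rest of the job, including how other actions are pinned, is outside this hunk.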
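Review bot: The changed push line in the hunk at `@@ -137,4 +151,4 @@` still expands `${{ steps.nuget-login.outputs.NUGET_API_KEY }}` directly into the PowerShell script text, so the key is written into the generated script body, inside a double-quoted string where PowerShell would interpolate any `$` the value happened to contain. Passing it through the step's environment keeps the credential out of the script and removes the quoting concern: add `env:` with `NUGET_API_KEY: ${{ steps.nuget-login.outputs.NUGET_API_KEY }}` to the step and change the argument to `--api-key $env:NUGET_API_KEY`. The step's remaining header lines fall between the two hunks and are not shown, so the placement of `env:` has to be checked against the full file.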
From: Stuart Meeks Date: Wed, 10 Jun 2026 03:23:38 +0000 Subject: [PATCH 2/4] chore: bump Spectre.Console to 0.56.0 Spectre.Console.Cli has no 0.56.0 yet, so it stays at 0.55.0 (its latest stable) while Spectre.Console moves forward; realign when Cli catches up. Co-Authored-By: Claude Opus 4.8 (1M context) --- Directory.Packages.props | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/Directory.Packages.props b/Directory.Packages.props index 714cc86..e47f405 100644 --- a/Directory.Packages.props +++ b/Directory.Packages.props @@ -34,12 +34,11 @@ - + - + From cafccf48b2a16bc0c9da4e4f2130e24743a84c93 Mon Sep 17 00:00:00 2001 From: Stuart Meeks Date: Wed, 10 Jun 2026 03:27:43 +0000 Subject: [PATCH 3/4] chore: drop dangling PublishProfile reference MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The App csproj referenced win-$(Platform).pubxml, but no such profile exists in the repo — publishes are driven entirely by CLI args. The dangling reference only produced NETSDK1198 on every publish. Removing it silences the warning with no behavioural change. Co-Authored-By: Claude Opus 4.8 (1M context) --- src/Snipdeck.App/Snipdeck.App.csproj | 1 - 1 file changed, 1 deletion(-) diff --git a/src/Snipdeck.App/Snipdeck.App.csproj b/src/Snipdeck.App/Snipdeck.App.csproj index 96f9068..2e19e0a 100644 --- a/src/Snipdeck.App/Snipdeck.App.csproj +++ b/src/Snipdeck.App/Snipdeck.App.csproj @@ -6,7 +6,6 @@ Snipdeck.App app.manifest win-x86;win-x64;win-arm64 - win-$(Platform).pubxml true false None From 83f3366eabc0a0372942c946cf4c2d2f551df44a Mon Sep 17 00:00:00 2001 
From: Stuart Meeks Date: Wed, 10 Jun 2026 03:31:03 +0000 Subject: [PATCH 4/4] Release v1.0.4 Bump version.json to 1.0.4 and promote the CHANGELOG: dependency refresh (Windows App SDK 2.2.0, Velopack 1.2.0) and the move to NuGet trusted publishing for the snipdeck-importer tool. Co-Authored-By: Claude Opus 4.8 (1M context) --- CHANGELOG.md | 11 +++++++++++ version.json | 2 +- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 893e40f..79ad7de 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,17 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +## [1.0.4] - 2026-06-10 + +### Changed +- Refreshed bundled dependencies to their latest stable releases, including the + Windows App SDK (2.2.0) and the Velopack updater (1.2.0). + +### Security +- The release pipeline now publishes the `snipdeck-importer` .NET tool to NuGet.org + using trusted publishing — short-lived OIDC credentials issued per run — in place + of a long-lived API key. + ## [1.0.3] - 2026-06-08 ### Fixed diff --git a/version.json b/version.json index 94a8c90..bb497ce 100644 --- a/version.json +++ b/version.json @@ -1,6 +1,6 @@ { "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/main/src/NerdBank.GitVersioning/version.schema.json", - "version": "1.0.3", + "version": "1.0.4", "publicReleaseRefSpec": [ "^refs/tags/v\\d+\\.\\d+\\.\\d+" ]