From 47c24baab487d6ddc2de34b59ca6e10932571473 Mon Sep 17 00:00:00 2001 From: Michel Oliveira <118028741+micheloliveira-com@users.noreply.github.com> Date: Fri, 26 Sep 2025 15:22:31 -0300 Subject: [PATCH 1/2] feat(actions): add nuget trusted publishing --- .github/workflows/ci.yml | 10 +++++++++- .github/workflows/release.yml | 8 +++++++- 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 27ad8bcf4..7faef4e63 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -272,6 +272,8 @@ jobs: if: github.event_name == 'workflow_dispatch' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/v2') runs-on: ubuntu-latest needs: [ validate-nuget, run-test, validate-template, validate-docs ] + permissions: + id-token: write steps: - uses: actions/download-artifact@v5 with: @@ -284,5 +286,11 @@ jobs: - name: 🛠️ Upload library to GitHub Package Repository run: dotnet nuget push ${{ env.NUGET_DIRECTORY }}/*.nupkg -k ${{ secrets.GITHUB_TOKEN }} -s https://nuget.pkg.github.com/bunit-dev/index.json --skip-duplicate --no-symbols + - name: 🛠️ NuGet login + uses: NuGet/login@v1 + id: nuget-login + with: + user: ${{ secrets.NUGET_USER }} + - name: 🛠️ Upload library to NuGet.org repository - run: dotnet nuget push ${{ env.NUGET_DIRECTORY }}/*.nupkg -k ${{ secrets.NUGET_KEY }} -s https://api.nuget.org/v3/index.json --skip-duplicate --no-symbols + run: dotnet nuget push ${{ env.NUGET_DIRECTORY }}/*.nupkg -k ${{ steps.nuget-login.outputs.NUGET_API_KEY }} -s https://api.nuget.org/v3/index.json --skip-duplicate --no-symbols diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 9b0196f97..81354f6a1 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
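Review bot: The job-level `permissions:` block added in the first ci.yml hunk lists only `id-token: write`, and once a job declares `permissions`, every scope it does not list is set to `none` for `GITHUB_TOKEN`. The following hunk's context shows what appears to be the same job pushing to `https://nuget.pkg.github.com/bunit-dev/index.json` with `-k ${{ secrets.GITHUB_TOKEN }}`, which needs `packages: write`, so that step would likely be rejected after this change. I would add `packages: write` directly under `id-token: write`. The release.yml hunk of the second patch has the same shape: that job later runs `git push origin stable`, and if the push authenticates with `GITHUB_TOKEN` rather than a separate token (the checkout step is not visible here) it also needs `contents: write`. Both job bodies continue outside their hunks, so other steps may need further scopes.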
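Review bot: `uses: NuGet/login@v1` in the second ci.yml hunk references a mutable tag, in a job that holds `id-token: write` and receives a NuGet.org publishing key, so any change to what that tag points at runs with the publishing identity. Pin the action to a full commit SHA with the version as a trailing comment, e.g. `uses: NuGet/login@<full-commit-sha> # v1`, and let an update bot bump it. The push step could also receive the key through `env:` (`NUGET_API_KEY: ${{ steps.nuget-login.outputs.NUGET_API_KEY }}`) and pass `-k "$NUGET_API_KEY"`, so the value is not spliced into the script text before the shell runs. Both points apply equally to the release.yml hunk of this patch.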
@@ -101,9 +101,15 @@ jobs: dotnet pack src/bunit.web.query/ -c Release --property:PackageOutputPath=${GITHUB_WORKSPACE}/packages -p:ContinuousIntegrationBuild=true -p:publicrelease=true dotnet pack src/bunit.generators/ -c Release --property:PackageOutputPath=${GITHUB_WORKSPACE}/packages -p:ContinuousIntegrationBuild=true -p:publicrelease=true + - name: 🛠️ NuGet login + uses: NuGet/login@v1 + id: nuget-login + with: + user: ${{ secrets.NUGET_USER }} + - name: 🛠️ Upload library to NuGet.org repository run: | - dotnet nuget push ${GITHUB_WORKSPACE}/packages/*.nupkg -k ${{ secrets.NUGET_KEY }} -s https://api.nuget.org/v3/index.json --skip-duplicate --no-symbols + dotnet nuget push ${GITHUB_WORKSPACE}/packages/*.nupkg -k ${{ steps.nuget-login.outputs.NUGET_API_KEY }} -s https://api.nuget.org/v3/index.json --skip-duplicate --no-symbols - name: ⏩ Push stable branch run: git push origin stable From c38e09cbae1a458dc91c5592714780cf7890d7ad Mon Sep 17 00:00:00 2001 From: Michel Oliveira <118028741+micheloliveira-com@users.noreply.github.com> Date: Fri, 26 Sep 2025 15:30:49 -0300 Subject: [PATCH 2/2] fix: add permission id-token:write --- .github/workflows/release.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 81354f6a1..9e28b01c6 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -26,6 +26,8 @@ jobs: if: github.ref == 'refs/heads/stable' || github.event.pull_request.merged == true && contains(github.head_ref, 'release/v') == true runs-on: ubuntu-latest + permissions: + id-token: write steps: - name: 🛒 Checkout repository