configures nuget publish with OIDC

Uses OIDC to retrieve a temporary API key for NuGet publishing.

Author: arturcic

.github/workflows/_publish.yml

@@ -4,7 +4,7 @@ on:
 env:
   DOTNET_INSTALL_DIR: "./.dotnet"
   DOTNET_ROLL_FORWARD: "Major"
-  
+
 jobs:
   publish:
     name: ${{ matrix.taskName }}
@@ -33,7 +33,16 @@ jobs:
       with:
         name: nuget
         path: ${{ github.workspace }}/artifacts/packages/nuget
+
+    -
+      name: NuGet login (OIDC → temp API key)
+      uses: NuGet/login@v1
+      id: login
+      with:
+        user: 'gittoolsbot'
     -
       name: '[Publish]'
       shell: pwsh
-      run: dotnet run/publish.dll --target=Publish${{ matrix.taskName }}
+      env:
+        NUGET_API_KEY: ${{ steps.login.outputs.NUGET_API_KEY }}
+      run: dotnet run/publish.dll --target=Publish${{ matrix.taskName }}