From 92ad45af299824ef749268034fa147248830b589 Mon Sep 17 00:00:00 2001 From: Ikiru Yoshizaki <3856350+guitarrapc@users.noreply.github.com> Date: Wed, 20 May 2026 15:59:11 +0900 Subject: [PATCH 1/5] ci: use OIDC for NuGet package push authentication This updates the build-release workflow to leverage OpenID Connect (OIDC) for authenticating with NuGet.org. The package push operation is now performed directly within the build job, replacing static API key usage with ephemeral credentials for enhanced security. --- .github/workflows/build-release.yaml | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build-release.yaml b/.github/workflows/build-release.yaml index 63755de..36b2223 100644 --- a/.github/workflows/build-release.yaml +++ b/.github/workflows/build-release.yaml @@ -30,6 +30,16 @@ jobs: name: nuget path: ./publish retention-days: 1 + # push nuget + - name: NuGet login (OIDC) + uses: NuGet/login@8d196754b4036150537f80ac539e15c2f1028841 # v1.2.0 + id: login + with: + user: ${{ secrets.NUGET_USER }} + - run: dotnet nuget push "./publish/*.nupkg" --skip-duplicate -s https://api.nuget.org/v3/index.json -k "${NUGET_KEY}" + if: ${{ !inputs.dry-run }} + env: + NUGET_KEY: ${{ steps.login.outputs.NUGET_API_KEY }} # release create-release: @@ -42,5 +52,5 @@ jobs: commit-id: ${{ github.sha }} dry-run: ${{ inputs.dry-run }} tag: ${{ inputs.tag }} - nuget-push: true + nuget-push: false secrets: inherit From 285f6e97a2a67f974c27c12979dc9a54b249e5a7 Mon Sep 17 00:00:00 2001 From: Ikiru Yoshizaki <3856350+guitarrapc@users.noreply.github.com> Date: Wed, 20 May 2026 16:44:37 +0900 Subject: [PATCH 2/5] ci: id-token permission --- .github/workflows/build-release.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/build-release.yaml b/.github/workflows/build-release.yaml index 36b2223..c3fe8bd 100644 --- a/.github/workflows/build-release.yaml +++ b/.github/workflows/build-release.yaml 
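Review bot: The `NuGet login (OIDC)` step has no condition, so a dry-run still performs the token exchange and mints an ephemeral NuGet.org publishing key that nothing then uses; gate it with the same condition as the push, `if: ${{ !inputs.dry-run }}`, so a credential only exists in the job when a push will follow. The push step has no `name:`, which makes the job log harder to read next to the named login step; `- name: Push packages (nupkg)` would match. Reading the key from `env:` and expanding it as `-k "${NUGET_KEY}"` keeps the literal out of the echoed command line, which is the right shape; whether the value is masked in logs depends on NuGet/login registering its output as a secret, which is not visible here. The `steps:` list this hunk extends begins outside the hunk.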
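Review bot: Flipping `nuget-push: false` retires the reusable workflow's push path, but the static NuGet API key it consumed (its secret name is not visible here) stays in the repository secrets and remains valid on NuGet.org until it is revoked; once the OIDC push has succeeded on a real release, revoke that key on NuGet.org and delete the secret so no long-lived publishing credential remains. `secrets: inherit` is still passed to `create-release`; if the reusable workflow needs no other secrets after this change, listing only the ones it uses would narrow what it can read, though I cannot tell from this hunk what it still requires. The `create-release:` job this hunk belongs to begins outside the hunk.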
@@ -16,6 +16,7 @@ jobs: build-dotnet: permissions: contents: read + id-token: write # required for NuGet Trusted Publish runs-on: ubuntu-24.04 timeout-minutes: 10 steps: From 1316e654e95c487e019c440135c35981c575b54e Mon Sep 17 00:00:00 2001 From: Ikiru Yoshizaki <3856350+guitarrapc@users.noreply.github.com> Date: Wed, 20 May 2026 17:51:01 +0900 Subject: [PATCH 3/5] ci: handle SymbolPackageFormat on build --- .github/workflows/build-release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-release.yaml b/.github/workflows/build-release.yaml index c3fe8bd..1281610 100644 --- a/.github/workflows/build-release.yaml +++ b/.github/workflows/build-release.yaml @@ -25,7 +25,7 @@ jobs: # pack nuget - run: dotnet build -c Release -p:Version=${{ inputs.tag }} - run: dotnet test -c Release --no-build - - run: dotnet pack -c Release --no-build -p:Version=${{ inputs.tag }} -o ./publish + - run: dotnet pack -c Release --no-build -p:IncludeSymbols=true -p:SymbolPackageFormat=snupkg -p:Version=${{ inputs.tag }} -o ./publish - uses: Cysharp/Actions/.github/actions/upload-artifact@main with: name: nuget From 56fab962ee2c2c90093d9ff0037bde7be9603f5e Mon Sep 17 00:00:00 2001 From: Ikiru Yoshizaki <3856350+guitarrapc@users.noreply.github.com> Date: Wed, 20 May 2026 18:01:07 +0900 Subject: [PATCH 4/5] ci: handle SymbolPackageFormat on build --- .github/workflows/build-release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-release.yaml b/.github/workflows/build-release.yaml index 1281610..240fd82 100644 --- a/.github/workflows/build-release.yaml +++ b/.github/workflows/build-release.yaml 
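Review bot: With `id-token: write` on `build-dotnet`, every step in that job can request an OIDC token that the NuGet.org trusted-publishing policy will accept, so the mutable `Cysharp/Actions/.github/actions/upload-artifact@main` reference visible in the PATCH 3 hunk is now inside the publishing trust boundary; pinning it to a commit SHA with a version comment, as `NuGet/login@8d196754b4036150537f80ac539e15c2f1028841 # v1.2.0` already is, keeps a change to that branch from being able to obtain a publish token. The job declares no `environment:`; if a human approval step before release is wanted, binding the job to a protected environment and the NuGet.org policy to that environment name would let deployment protection rules gate token issuance. The inline comment `# required for NuGet Trusted Publish` is accurate and worth keeping.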
@@ -25,7 +25,7 @@ jobs: # pack nuget - run: dotnet build -c Release -p:Version=${{ inputs.tag }} - run: dotnet test -c Release --no-build - - run: dotnet pack -c Release --no-build -p:IncludeSymbols=true -p:SymbolPackageFormat=snupkg -p:Version=${{ inputs.tag }} -o ./publish + - run: dotnet pack -c Release --no-build -p:Version=${{ inputs.tag }} -p:IncludeSymbols=true -p:SymbolPackageFormat=snupkg -o ./publish - uses: Cysharp/Actions/.github/actions/upload-artifact@main with: name: nuget From 7729ffe200776a40811352aaa4ad5d35597a78bd Mon Sep 17 00:00:00 2001 From: Ikiru Yoshizaki <3856350+guitarrapc@users.noreply.github.com> Date: Wed, 20 May 2026 18:20:15 +0900 Subject: [PATCH 5/5] ci: publish symbol files --- .github/workflows/build-release.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/build-release.yaml b/.github/workflows/build-release.yaml index 240fd82..a5bd150 100644 --- a/.github/workflows/build-release.yaml +++ b/.github/workflows/build-release.yaml @@ -41,6 +41,10 @@ jobs: if: ${{ !inputs.dry-run }} env: NUGET_KEY: ${{ steps.login.outputs.NUGET_API_KEY }} + - run: dotnet nuget push "./publish/*.snupkg" --skip-duplicate -s https://api.nuget.org/v3/index.json -k "${NUGET_KEY}" + if: ${{ !inputs.dry-run }} + env: + NUGET_KEY: ${{ steps.login.outputs.NUGET_API_KEY }} # release create-release:
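Review bot: The new `*.snupkg` push repeats the preceding `*.nupkg` step line for line (same `if:`, same `env:`, same source), and as I understand `dotnet nuget push` it already uploads a matching `.snupkg` found next to the `.nupkg` unless `--no-symbols` is given, so this second step appears to re-send symbols the first step already submitted and to rely on `--skip-duplicate` to absorb the conflict. If the intent is to guarantee symbol upload even when the implicit symbol push is skipped or fails, state that in a comment above the step (`# symbols are also pushed implicitly by the nupkg step; this re-pushes them explicitly`) and give both steps a `name:`; otherwise drop the step. The `steps:` list continues outside the hunk.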