diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 0a62a4c..7096d8a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -92,6 +92,10 @@ jobs:
runs-on: ubuntu-latest
if: startsWith(github.ref, 'refs/tags/v')
+ permissions:
+ id-token: write # enable GitHub OIDC token issuance for NuGet trusted publishing
+ contents: read
+
steps:
- name: Checkout
uses: actions/checkout@v6
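Review bot: The job can now mint an OIDC token, but it is still gated only by `if: startsWith(github.ref, 'refs/tags/v')`, so any account allowed to push a `v*` tag can trigger a release to nuget.org without further approval. Consider adding `environment: <release-environment-name>` (placeholder) to this job with required reviewers, and binding the Trusted Publishing policy to that environment if nuget.org's policy settings allow it. The `permissions` block itself is well scoped: `id-token: write` is confined to this job and `contents: read` is enough for the checkout. The job header and the rest of its steps lie outside this hunk, so any existing environment or tag-protection setup is not visible here.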
@@ -107,5 +111,15 @@ jobs:
name: nuget-package
path: ./artifacts
+ # Exchange the GitHub OIDC token for a short-lived (1 hour) nuget.org
+ # API key. Requires a Trusted Publishing policy on nuget.org bound to
+ # this repo + workflow file (ci.yml). NUGET_USER is the nuget.org
+ # account/profile name (not an email).
+ - name: NuGet login (OIDC → temporary API key)
+ uses: NuGet/login@v1
+ id: login
+ with:
+ user: ${{ secrets.NUGET_USER }}
+
- name: Publish to NuGet
- run: dotnet nuget push "./artifacts/*.nupkg" --api-key "${{ secrets.NUGET_API_KEY }}" --source https://api.nuget.org/v3/index.json --skip-duplicate
+ run: dotnet nuget push "./artifacts/*.nupkg" --api-key "${{ steps.login.outputs.NUGET_API_KEY }}" --source https://api.nuget.org/v3/index.json --skip-duplicate
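Review bot: `NuGet/login@v1` is referenced by a mutable tag in the one job that holds `id-token: write`, so a moved tag would run unreviewed code with access to the publishing credential. Pin it to a reviewed full commit SHA, e.g. `uses: NuGet/login@<full-commit-sha> # v1` (placeholder). In the push step, `${{ steps.login.outputs.NUGET_API_KEY }}` is expanded into the script text before the shell runs. Passing it through the step's `env:` (`NUGET_API_KEY: ${{ steps.login.outputs.NUGET_API_KEY }}`) and using `--api-key "$NUGET_API_KEY"` keeps the key out of the generated script. The diff only stops referencing the long-lived `NUGET_API_KEY` secret, so once a release has succeeded that secret should be deleted from the repository and the key revoked on nuget.org.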
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c5fb229..3f42fc9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,24 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
---
+## [0.6.3] — 2026-06-10
+
+### Changed
+
+- **Dependency updates.** Bumped `Microsoft.Extensions.DependencyInjection.Abstractions`,
+ `Microsoft.Extensions.Http`, and `System.Security.Cryptography.ProtectedData`
+ to `10.0.9`; `Spectre.Console` to `0.56.0`; and `Microsoft.SourceLink.GitHub`
+ to `10.0.300`. Test-only dependencies updated as well
+ (`Microsoft.NET.Test.Sdk` `18.6.0`, `xunit` `2.9.3`,
+ `xunit.runner.visualstudio` `3.1.5`, `coverlet.collector` `10.0.1`).
+ `Spectre.Console.Cli` stays at `0.55.0` (latest stable). No public API change.
+- **NuGet trusted publishing.** The `publish` CI job now uses OIDC-based
+ [trusted publishing](https://learn.microsoft.com/nuget/nuget-org/trusted-publishing):
+ it exchanges the GitHub OIDC token for a short-lived nuget.org API key via
+ `NuGet/login@v1` instead of a long-lived `NUGET_API_KEY` secret.
+
+---
+
## [0.6.2] — 2026-05-03
### Changed
diff --git a/src/NextIteration.SpectreConsole.Auth/NextIteration.SpectreConsole.Auth.csproj b/src/NextIteration.SpectreConsole.Auth/NextIteration.SpectreConsole.Auth.csproj
index 46f21f0..4d37412 100644
--- a/src/NextIteration.SpectreConsole.Auth/NextIteration.SpectreConsole.Auth.csproj
+++ b/src/NextIteration.SpectreConsole.Auth/NextIteration.SpectreConsole.Auth.csproj
@@ -17,7 +17,7 @@
NextIteration.SpectreConsole.Auth
- 0.6.2
+ 0.6.3
Stuart Meeks
Credential storage, encryption, and Spectre.Console CLI commands for managing provider credentials in CLI tools.
true
@@ -45,12 +45,12 @@
-
-
-
-
+
+
+
+
-
+
diff --git a/tests/NextIteration.SpectreConsole.Auth.Tests/NextIteration.SpectreConsole.Auth.Tests.csproj b/tests/NextIteration.SpectreConsole.Auth.Tests/NextIteration.SpectreConsole.Auth.Tests.csproj
index af0acc0..294dbbe 100644
--- a/tests/NextIteration.SpectreConsole.Auth.Tests/NextIteration.SpectreConsole.Auth.Tests.csproj
+++ b/tests/NextIteration.SpectreConsole.Auth.Tests/NextIteration.SpectreConsole.Auth.Tests.csproj
@@ -22,13 +22,13 @@
-
-
-
+
+
+
runtime; build; native; contentfiles; analyzers; buildtransitive
all
-
+
runtime; build; native; contentfiles; analyzers; buildtransitive
all