feat(actions): add nuget trusted publishing

[micheloliveira-com]

Motivation

As described in the official announcement, the new Trusted Publishing feature greatly enhances package publishing security on NuGet.org.

We successfully tested this approach with our own NuGet library:

• GitHub Actions run example
• Corresponding commit

Required changes in this repository

Recommendation followed from announcement:
For security, always use a GitHub secret like ${{ secrets.NUGET_USER }} for your NuGet.org username (profile name), not your email address.

• Add secrets.NUGET_USER to this repository, using the NuGet.org username (profile name) of the package owner (
  dotnetfoundation in this case).
• The old secrets.NUGET_APIKEY secret can be removed from this repository and also from the NuGet.org account if it was only used here.

One-time configuration on NuGet.org

According to the documentation:

1. Sign in to NuGet.org.
2. Open your user menu (top-right) → Trusted Publishing (next to “API Keys”).
3. Create a policy:
   • Package owner: you or your organization (e.g. dotnetfoundation).
   • Repository owner: your GitHub org/user (e.g. dotnet).
   • Repository name: repository name (e.g. Open-XML-SDK).
   • Workflow file: the YAML file under .github/workflows/ (e.g. release.yml).
   • Environment (optional): specify if your workflow uses GitHub Actions environments.

This setup eliminates the need for long-lived API keys and improves the overall security of the publishing process.

[github-actions]

Test Results

    58 files   -   2      58 suites   - 2   57m 58s ⏱️ + 4m 44s
 2 060 tests ±  0   2 057 ✅ ±  0   3 💤 ±0  0 ❌ ±0 
32 325 runs   - 207  32 289 ✅  - 207  36 💤 ±0  0 ❌ ±0 

Results for commit ed6f181. ± Comparison against base commit 307fa23.

[mikeebowen]

@twsouthwick, @tomjebo ,

This looks like a good idea to me, what do you think?