
ci: use OIDC for NuGet package push authentication #715

Merged: guitarrapc merged 6 commits into master from ci/nuget on May 20, 2026

@guitarrapc
Contributor

This updates the build-release workflow to leverage OpenID Connect (OIDC) for authenticating with NuGet.org. The package push operation is now performed directly within the build job, replacing static API key usage with ephemeral credentials for enhanced security.


Copilot AI left a comment

Pull request overview

Updates the release pipeline to publish NuGet packages using NuGet.org Trusted Publishing via GitHub OIDC, replacing the prior static API-key-based push path in the release workflow.

Changes:

  • Adds a dedicated publish job that authenticates to NuGet.org via OIDC and pushes the produced packages.
  • Updates the .NET packing step to include symbol package generation.
  • Rewires workflow dependencies so create-release runs after the new publish job and disables nuget-push in the reusable release workflow call.

Comments suppressed due to low confidence (1)

.github/workflows/build-release.yaml:120

  • dotnet pack is configured to produce symbol packages, but the push command only matches *.nupkg, so the generated .snupkg (default symbol package format) won’t be published to NuGet.org. Either push both *.nupkg and *.snupkg, or set SymbolPackageFormat=symbols.nupkg so the existing glob includes symbols.
      - run: dotnet nuget push "./nuget/*.nupkg" --skip-duplicate -s https://api.nuget.org/v3/index.json -k "${NUGET_KEY}"
        if: ${{ !inputs.dry-run }}
        env:
          NUGET_KEY: ${{ steps.login.outputs.NUGET_API_KEY }}
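
The change described in this pull request, sketched as an added example (not this repository's build-release.yaml): a publish job that trades a GitHub OIDC token for a short-lived NuGet.org key, next to the static-key step it replaces. It assumes the `login` step is the NuGet/login action; the workflow name, job layout, and secret names are hypothetical.

```yaml
# Added example, not the project's workflow. Names marked "hypothetical" are assumptions.
name: release-example            # hypothetical
on:
  workflow_dispatch:
    inputs:
      dry-run:
        type: boolean
        default: true

permissions:
  contents: read                 # workflow default: read-only token for every job

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write            # only this job may request a GitHub OIDC token
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-dotnet@v4
        with:
          dotnet-version: 8.0.x
      - run: dotnet pack -c Release -o ./nuget

      # Before: a long-lived API key stored as a repository secret. It stays valid
      # until someone rotates it and is usable from anywhere if it leaks.
      # - run: dotnet nuget push "./nuget/*.nupkg" -s https://api.nuget.org/v3/index.json -k "${NUGET_KEY}"
      #   env:
      #     NUGET_KEY: ${{ secrets.NUGET_API_KEY }}   # hypothetical secret name

      # After: exchange the job's OIDC token for a temporary key. NuGet.org issues it
      # only if the repository and workflow file match a trusted publishing policy.
      # In real use, pin third-party actions to a full commit SHA instead of a tag.
      - uses: NuGet/login@v1
        id: login
        if: ${{ !inputs.dry-run }}
        with:
          user: ${{ secrets.NUGET_USER }}             # nuget.org profile name; hypothetical secret name

      # Pass the temporary key through env rather than interpolating it into the script.
      - run: dotnet nuget push "./nuget/*.nupkg" --skip-duplicate -s https://api.nuget.org/v3/index.json -k "${NUGET_KEY}"
        if: ${{ !inputs.dry-run }}
        env:
          NUGET_KEY: ${{ steps.login.outputs.NUGET_API_KEY }}
```

Granting `id-token: write` at job level rather than workflow level keeps build and test jobs from being able to mint tokens that a publishing policy would accept.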

@guitarrapc guitarrapc merged commit e5acc10 into master May 20, 2026
8 checks passed
@guitarrapc guitarrapc deleted the ci/nuget branch May 20, 2026 12:40