diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml
index 37ed841..e1b731b 100644
--- a/.github/workflows/workflow.yml
+++ b/.github/workflows/workflow.yml
@@ -10,6 +10,10 @@ jobs:
     env:
       SOLUTION_NAME: "GrasshopperAsyncComponent.sln"
     runs-on: ubuntu-latest
+    environment:
+      name: 'nuget.org'
+    permissions:
+      id-token: write  # enable GitHub OIDC token issuance for this job
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -51,6 +55,13 @@ jobs:
       - name: pack
         run: dotnet pack ${{env.SOLUTION_NAME}} --no-build -p:Version=${{steps.set-version.outputs.semver}} -p:FileVersion=${{steps.set-version.outputs.fileVersion}}
 
+      - name: NuGet login (OIDC → temp API key)
+        uses: NuGet/login@v1
+        id: login
+        with:
+          user: ${{ secrets.NUGET_USER }}
+          
       - name: Push to nuget.org
         if: (github.ref_type == 'tag')
-        run: dotnet nuget push **/*.nupkg --source "https://api.nuget.org/v3/index.json" --api-key ${{secrets.CONNECTORS_NUGET_TOKEN }} --skip-duplicate
+        run: dotnet nuget push **/*.nupkg --source "https://api.nuget.org/v3/index.json" --api-key ${{steps.login.outputs.NUGET_API_KEY}}
+