fix: add OIDC token fetch for NuGet Trusted Publishing

NuGet.org Trusted Publishing requires an OIDC JWT token as --api-key.
The token is fetched from the Actions runtime using
ACTIONS_ID_TOKEN_REQUEST_URL with audience=nuget.

Co-Authored-By: Claude <noreply@anthropic.com>

Author: JusterZhu

.github/workflows/publish-nuget.yml

@@ -86,6 +86,9 @@ jobs:
       - name: Push NuGet package to NuGet.org (Trusted Publishing via OIDC)
         if: ${{ inputs.push-to-nuget == true }}
         run: |
+          ID_TOKEN=$(curl -sSL -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
+            "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=nuget" | jq -r '.value')
           dotnet nuget push artifacts/*.nupkg \
             --source https://api.nuget.org/v3/index.json \
+            --api-key "$ID_TOKEN" \
             --skip-duplicate