fix(ci): switch NuGet push to Trusted Publishing (OIDC)

- Add id-token: write permission for nuget.org OIDC
- Replace API-key push with OIDC-compatible placeholder api-key
- This allows pushing to nuget.org without storing secrets

Co-Authored-By: Claude <noreply@anthropic.com>

Author: JusterZhu

.github/workflows/dotnet-ci.yaml

@@ -11,6 +11,9 @@ on:
 jobs:
   build-and-publish:
     runs-on: windows-latest
+    permissions:
+      contents: write  # 创建 Release
+      id-token: write  # 用于 nuget.org Trusted Publishing (OIDC)
     steps:
       - name: 检出代码
         uses: actions/checkout@v6
@@ -60,13 +63,11 @@ jobs:
           foreach ($nupkg in $nupkgs) {
             Write-Host "推送 $($nupkg.Name)..."
             dotnet nuget push $nupkg.FullName `
-              --api-key ${{ secrets.NUGET_API_KEY }} `
+              --api-key azure `
               --source https://api.nuget.org/v3/index.json `
               --skip-duplicate
           }
         shell: pwsh
-        env:
-          NUGET_API_KEY: ${{ secrets.NUGET_API_KEY }}
 
       - name: 生成更新日志
         shell: pwsh