Use NuGet Trusted Publishing

[martincostello]

Switch to using GitHub OIDC for pushing packages to NuGet.org with Trusted Publishing.

Resolves #2742.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 96.15%. Comparing base (12a80e1) to head (fe1fd98).
⚠️ Report is 1 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #2751   +/-   ##
=======================================
  Coverage   96.15%   96.15%           
=======================================
  Files         309      309           
  Lines        7118     7118           
  Branches     1008     1008           
=======================================
  Hits         6844     6844           
  Misses        221      221           
  Partials       53       53           

Flag	Coverage Δ
linux	96.15% <ø> (ø)
macos	96.15% <ø> (ø)
windows	96.14% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[Copilot]

Pull Request Overview

This PR switches from using a static API key to GitHub OIDC (OpenID Connect) for NuGet package publishing through GitHub's Trusted Publishing feature. This improves security by eliminating the need to store long-lived secrets.

• Adds OIDC token permissions to the publish job
• Integrates NuGet/login action for authentication via Trusted Publishing
• Replaces static API key with dynamically generated token from the login step

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}