diff --git a/.github/workflows/Deploy.yml b/.github/workflows/Deploy.yml index 7120553..2571319 100644 --- a/.github/workflows/Deploy.yml +++ b/.github/workflows/Deploy.yml @@ -50,6 +50,10 @@ jobs: name: "Production" url: "https://www.nuget.org/packages/IntelliTect.Analyzers" name: Push NuGets + permissions: + id-token: write # Required for NuGet trusted publishing (OIDC) + contents: read + actions: read # Required for actions/download-artifact steps: - name: Download artifact from build job @@ -57,9 +61,15 @@ jobs: with: name: NuGet + - name: NuGet login (OIDC) + id: login + uses: NuGet/login@v1 + with: + user: ${{ secrets.NUGET_USER }} # nuget.org profile name (NOT email) + - name: Push NuGet run: | $tagVersion = "${{ github.ref }}".substring(11) echo "TAG_VERSION=$tagVersion" >> $env:GITHUB_OUTPUT - dotnet nuget push IntelliTect.Analyzers.$tagVersion.nupkg --source https://api.nuget.org/v3/index.json --api-key ${{ secrets.NUGET_API_KEY }} --skip-duplicate + dotnet nuget push IntelliTect.Analyzers.$tagVersion.nupkg --source https://api.nuget.org/v3/index.json --api-key ${{ steps.login.outputs.NUGET_API_KEY }} --skip-duplicate id: tag-version
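Review bot: In the first hunk (`@@ -50,6 +50,10 @@`), `actions: read` is probably broader than this job needs. actions/download-artifact normally reads artifacts from the same workflow run with the runner's own runtime token, and `actions: read` only matters when the step is given a `github-token` to fetch from another run or repository. The download step's `uses`/`with` lines fall between the two hunks and are only partly visible, so confirm which case applies and drop the line if it is a same-run download. Likewise `contents: read` is only needed if this job checks out the repository, which none of the visible steps do. Declaring the block at job level, so that `id-token: write` is confined to the publishing job, is the right scope.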
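Review bot: In the second hunk (`@@ -57,9 +61,15 @@`), `NuGet/login@v1` is referenced by a movable tag in the one job that holds `id-token: write`. Whatever that tag points to at run time can request the OIDC token and obtain the publishing key, so pin it to a full commit SHA, e.g. `uses: NuGet/login@<full-commit-sha> # v1`. The push line also expands `${{ steps.login.outputs.NUGET_API_KEY }}` directly into the script text; mapping it to a step-level `env:` entry and passing `--api-key $env:NUGET_API_KEY` keeps the value out of the script the runner generates. After this change the step no longer reads the long-lived `NUGET_API_KEY` repository secret, so if nothing else uses it, delete it from the repository and revoke the key on nuget.org.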