diff --git a/.github/workflows/publish-nuget-org-pre-release.yml b/.github/workflows/publish-nuget-org-pre-release.yml
index 490d454..775ddb3 100644
--- a/.github/workflows/publish-nuget-org-pre-release.yml
+++ b/.github/workflows/publish-nuget-org-pre-release.yml
@@ -5,10 +5,20 @@ on:
 types: [prereleased]
 jobs:
- push:
+ nuget-oidc:
+ name: NuGet login (OIDC → temp API key)
+ runs-on: ubuntu-latest
 permissions:
- checks: write
- contents: read
- packages: write
- uses: NetChris/workflows/.github/workflows/pre-release-nuget-org.yml@v2
- secrets: inherit
+ id-token: write # enable GitHub OIDC token issuance for this job
+ steps:
+ - uses: NuGet/login@v1
+ id: login
+ with:
+ user: ChrisSimmons
+ # push:
+ # permissions:
+ # checks: write
+ # contents: read
+ # packages: write
+ # uses: NetChris/workflows/.github/workflows/pre-release-nuget-org.yml@nuget-trusted-publishing
+ # secrets: inherit
diff --git a/.github/workflows/publish-nuget-org-release.yml b/.github/workflows/publish-nuget-org-release.yml
index 2b11985..18f5a24 100644
--- a/.github/workflows/publish-nuget-org-release.yml
+++ b/.github/workflows/publish-nuget-org-release.yml
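Review bot: The new `nuget-oidc` job mints a temporary NuGet API key via `NuGet/login@v1` and then nothing consumes it — the `push` job that used to call the reusable workflow is now the commented-out `# push:` block, so on a `prereleased` event this workflow no longer publishes anything and only issues a credential that is discarded. Either give the key a consumer (ideally by running the login step inside the job that pushes, so the key never has to leave it) or drop the login job until it has one, rather than leaving a no-op that still requests `id-token: write` on every pre-release. The commented `@nuget-trusted-publishing` ref is a mutable branch name, presumably a feature branch; before it is uncommented it should be a tag or commit SHA so a push to that branch cannot change what runs with `packages: write`. For the same reason pin the action itself, `uses: NuGet/login@<full-commit-sha> # v1`.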
@@ -5,10 +5,41 @@ on:
 types: [released]
 jobs:
+ nuget-oidc:
+ name: NuGet login (OIDC → temp API key)
+ runs-on: ubuntu-latest
+ permissions:
+ id-token: write # enable GitHub OIDC token issuance for this job
+ outputs:
+ nuget_api_key_doublebase64: ${{ steps.secretworkaround.outputs.NUGET_API_KEY_DOUBLEBASE64 }}
+ steps:
+ - uses: NuGet/login@v1
+ id: login
+ with:
+ user: ChrisSimmons
+ - name: Save Secret
+ id: secretworkaround
+ run: |
+ echo "NUGET_API_KEY_DOUBLEBASE64=$(echo ${{ steps.login.outputs.NUGET_API_KEY }} | base64 -w0 | base64 -w0)" >> $GITHUB_OUTPUT
+ debase64:
+ name: De-base64 the secret
+ needs:
+ - nuget-oidc
+ runs-on: ubuntu-latest
+ outputs:
+ nuget_api_key: ${{ steps.secretworkaround.outputs.NUGET_API_KEY }}
+ steps:
+ - name: Save Secret
+ id: secretworkaround
+ run: |
+ echo "NUGET_API_KEY=$(echo ${{ needs.nuget-oidc.outputs.nuget_api_key_doublebase64 }} | base64 -di | base64 -di)" >> $GITHUB_OUTPUT
 push:
+ needs:
+ - debase64
 permissions:
 checks: write
 contents: read
 packages: write
- uses: NetChris/workflows/.github/workflows/release-nuget-org.yml@v2
- secrets: inherit
+ uses: NetChris/workflows/.github/workflows/release-nuget-org.yml@nuget-trusted-publishing
+ secrets:
+ nuget_api_key: ${{ needs.debase64.outputs.nuget_api_key }}
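Review bot: The base64-twice trick in the two `Save Secret` steps exists only to get the NuGet API key past GitHub's rule that secret-containing job outputs are dropped, and that rule is the control being bypassed: job outputs are persisted with the run and are not masked, so the temporary key is stored in run metadata encoded rather than protected, and the `debase64` job's `nuget_api_key` output holds it in the clear — any later `echo ${{ needs.debase64.outputs.nuget_api_key }}` would print it unredacted. The key is also spliced into the script text via `${{ steps.login.outputs.NUGET_API_KEY }}` instead of being handed over through `env:`, which puts the value in the rendered command rather than in an environment variable. The key is presumably short-lived (NuGet temp keys from OIDC login), which bounds the damage but does not remove the exposure. The robust fix is to mint the key in the job that uses it: add the `NuGet/login` step to the reusable `release-nuget-org.yml`, grant that job `id-token: write`, and pass only the NuGet user as an input, so no credential crosses a job boundary and both `Save Secret` steps and the `debase64` job disappear. While here, pin `NuGet/login@v1` and the mutable `@nuget-trusted-publishing` branch ref to full commit SHAs.
```yaml
jobs:
  push:
    permissions:
      checks: write
      contents: read
      packages: write
      id-token: write  # the reusable workflow runs NuGet/login itself; key never leaves that job
    uses: NetChris/workflows/.github/workflows/release-nuget-org.yml@<commit-sha>  # pin; was @nuget-trusted-publishing
    with:
      nuget_user: ChrisSimmons  # proposed input name; the reusable workflow must declare it and call NuGet/login with it
    # … removed: nuget-oidc and debase64 jobs, and the secrets: block …
```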