diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index e52f442..ea2c8d1 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -10,6 +10,11 @@ jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
+
     steps:
     - name: Checkout
       uses: actions/checkout@v5
@@ -61,13 +66,20 @@ jobs:
     - name: Push
       working-directory: ./src
       # Publish CI packages from PRs and tagged releases
-      if: ${{ startsWith(github.ref, 'refs/tags/') || startsWith(github.ref, 'refs/pull/') }}
+      if: ${{ startsWith(github.ref, 'refs/tags/') || (startsWith(github.ref, 'refs/pull/')) && !github.event.pull_request.head.repo.fork }}
       run: |
         dotnet nuget add source --name github https://nuget.pkg.github.com/CenterEdge/index.json &&
         dotnet nuget push **/*.${{ steps.gitversion.outputs.fullSemVer }}.nupkg -k ${{ secrets.GITHUB_TOKEN }} -s github
+    - name: NuGet login (OIDC → temp API key)
+      if: ${{ startsWith(github.ref, 'refs/tags/') }}
+      uses: NuGet/login@v1
+      id: login
+      with:
+        user: ${{ vars.NUGET_USER }}
+
     - name: Push to NuGet.org
       working-directory: ./src
       # Publish tagged releases to NuGet.org
       if: ${{ startsWith(github.ref, 'refs/tags/') }}
-      run: dotnet nuget push **/*.${{ steps.gitversion.outputs.fullSemVer }}.nupkg -k ${{ secrets.NUGET_API_KEY }} -s nuget.org
+      run: dotnet nuget push **/*.${{ steps.gitversion.outputs.fullSemVer }}.nupkg -k ${{ steps.login.outputs.NUGET_API_KEY }} -s nuget.org
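Review bot: The new job-level `permissions` block does not say which step needs each grant, and `id-token: write` is only consumed by the tag-gated login step further down, so every PR and branch build also runs with the ability to mint OIDC tokens and write packages. A short comment would make the scope auditable, e.g. `# id-token: write — OIDC exchange in the NuGet login step (tag builds only); packages: write — GitHub Packages push`. If the job can be split so that only the tag path carries `id-token: write`, that would narrow it further; the rest of the `build` job is outside this hunk, so whether that is practical cannot be judged here.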
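Review bot: The parentheses in the rewritten `if` of the `Push` step wrap only `startsWith(github.ref, 'refs/pull/')`, which changes nothing; because `&&` binds tighter than `||` in Actions expressions, the condition already evaluates as "tag, or non-fork PR", so the grouping should state that intent explicitly: `if: ${{ startsWith(github.ref, 'refs/tags/') || (startsWith(github.ref, 'refs/pull/') && !github.event.pull_request.head.repo.fork) }}`. In the new `NuGet login` step, `uses: NuGet/login@v1` pins a mutable major tag for an action that hands a publish credential to the following step; pinning to a full commit SHA (with the version in a trailing comment) limits what a compromised or retargeted tag could do with the `id-token: write` grant. The `NUGET_USER` value comes from `vars`, which is appropriate since it is not secret, but worth a comment noting that the exchanged key lives only in `steps.login.outputs.NUGET_API_KEY` for this job so nobody reintroduces the long-lived `secrets.NUGET_API_KEY` the commit removes.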