Switch to NuGet trusted publishing

Once we have access (it's still being progressively rolled-out), we should switch from using API keys to publish packages to NuGet.org to the new [Trusted Publishing](https://learn.microsoft.com/nuget/nuget-org/trusted-publishing) feature.

This is more secure, and avoids the need to renew/rotate API keys. Last time we only found out that the API key had expired when a release failed.
