ci: add oidc

Author: fadi-george

.github/workflows/cd.yml

@@ -1,17 +1,23 @@
 name: Publish to Pub.dev & Github
 on:
+  workflow_dispatch:
   pull_request:
     types:
       - closed
     branches:
       - main
       - rel/**
 
+permissions:
+  id-token: write # Required for authentication using OIDC
+  contents: write
+
 jobs:
   publish:
     if: |
-      github.event.pull_request.merged == true &&
-      contains(github.event.pull_request.title, 'chore: Release')
+      github.event_name == 'workflow_dispatch' ||
+      (github.event.pull_request.merged == true &&
+       contains(github.event.pull_request.title, 'chore: Release'))
     runs-on: ubuntu-latest
     outputs:
       version: ${{ steps.version.outputs.version }}
@@ -22,6 +28,10 @@ jobs:
       - name: Set up Flutter
         uses: ./.github/actions/setup-flutter
 
+      # This step is what enables Dart's OIDC "trusted publishing" wiring.
+      # Even though you publish with flutter, OIDC creds are handled via Dart tooling.
+      - uses: dart-lang/setup-dart@v1
+
       - name: Get version from pubspec.yaml
         id: version
         run: |