Pre-submission checks

• I am not reporting a bug (crash, false positive/negative, etc). These must be filed via the bug report template.
• I have looked through both the open and closed issues for a duplicate request.

What's the problem this feature will solve?

Support for trusted publishing was recently added to the .NET package manager, NuGet: New Trusted Publishing enhances security on NuGet.org

It would be good to add support for this to zizmor alongside the support for other ecosystems such as npm.

Here is an example of a pull request switching over to NuGet trusted publishing: App-vNext/Polly#2751

Indicators of usage:

• Use of the nuget push/nuget.exe push/dotnet nuget push commands
• Use of the NuGet/login action
• The id-token: write permission
• The token output from NuGet/login flowing to the push command
• No explicit source, or a -Source/--source flag with a value of https://api.nuget.org/v3/index.json or https://www.nuget.org/api/v2

Describe the solution you'd like

The use-trusted-publishing rule flags NuGet package publishes that are not using Trusted Publishing.

Additional context

No response