CI: fix id-token permission for Test wheels building

nikagra · dkropachev · commit ee0bc6607832 · 2026-04-15T14:12:13.000-04:00
build-test.yml triggers on pull_request, which gives it id-token:none by default. lib-build-and-push.yml's upload_pypi job declares id-token:write, which exceeds the caller's cap and causes GitHub to reject the workflow at parse time — even though upload:false prevents upload_pypi from ever running. Fix: explicitly grant id-token:write to the test-wheels-build job so the permission cap satisfies the reusable workflow's requirement. Fixes #819
diff --git a/.github/workflows/build-test.yml b/.github/workflows/build-test.yml
@@ -19,5 +19,7 @@ jobs:
     name: "Test wheels building"
     if: "!contains(github.event.pull_request.labels.*.name, 'disable-test-build')"
     uses: ./.github/workflows/lib-build-and-push.yml
+    permissions:
+      id-token: write
     with:
       upload: false
