From 013e37f2088c36d2e80a155ae8507949945840ff Mon Sep 17 00:00:00 2001
From: Mikita Hradovich
Date: Wed, 15 Apr 2026 13:12:46 +0200
Subject: [PATCH] CI: fix id-token permission for Test wheels building
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

build-test.yml triggers on pull_request, which gives it id-token:none by default. lib-build-and-push.yml's upload_pypi job declares id-token:write, which exceeds the caller's cap and causes GitHub to reject the workflow at parse time — even though upload:false prevents upload_pypi from ever running. Fix: explicitly grant id-token:write to the test-wheels-build job so the permission cap satisfies the reusable workflow's requirement. Fixes #819
---
 .github/workflows/build-test.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/build-test.yml b/.github/workflows/build-test.yml
index 3e1f1067d7..b0d261d9d6 100644
--- a/.github/workflows/build-test.yml
+++ b/.github/workflows/build-test.yml
@@ -19,5 +19,7 @@ jobs:
 name: "Test wheels building"
 if: "!contains(github.event.pull_request.labels.*.name, 'disable-test-build')"
 uses: ./.github/workflows/lib-build-and-push.yml
+ permissions:
+ id-token: write
 with:
 upload: false
\ No newline at end of file
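Review bot: The added job-level `permissions:` block lists only `id-token: write`, and GitHub sets every scope not named in such a block to `none`, so the called workflow is now capped without `contents: read`. If any job in lib-build-and-push.yml (not visible in this hunk) relies on the token for checkout or artifact access, add `contents: read` beside it. The grant also raises the cap for every job in the reusable workflow, so on pull-request runs the build jobs that execute PR-supplied code may be able to request an OIDC token unless that workflow narrows permissions per job. It is worth confirming that only `upload_pypi` declares `id-token: write` there and that the publishing identity is tied to a protected environment. A comment above the block, such as `# needed only so the reusable workflow's upload_pypi job validates; upload is disabled here`, would stop a later reader from removing or widening it.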