
fix(ci): grant id-token: write to test-local (unblocks workflow)#999

Merged
elazarlachkar merged 1 commit intomasterfrom
core-687-fix-test-local-id-token
Apr 30, 2026

Conversation

Collaborator

@GuyEshdat GuyEshdat commented Apr 30, 2026

Summary

Fixes the workflow validation error introduced when #997 (CORE-687) added `id-token: write` to `test-warehouse.yml` for the athena AWS-OIDC step:

```
Invalid workflow file: .github/workflows/test-all-warehouses.yml#L45
The nested job 'test' is requesting 'id-token: write',
but is only allowed 'id-token: none'.
```

`test-warehouse.yml` declares `id-token: write` at the job level. Reusable-workflow permissions are bounded by the calling job, so any caller must grant it. `test-cloud` already does. `test-local` was tightened in #996 to `contents: read` only, which was fine until #997 added the OIDC requirement to the called workflow.

This grants `id-token: write` on `test-local` too. The OIDC step in `test-warehouse.yml` is gated by `if: inputs.warehouse-type == 'athena'`, and athena is not in the local matrix, so no token is ever actually minted from local jobs — the grant just satisfies the static permissions bound check.

Alternatives considered

  • Splitting the OIDC step into a separate job in `test-warehouse.yml` so only that job declares `id-token: write`: cleaner in principle, but a much bigger refactor of the reusable workflow. Not worth it for a single matrix entry.
  • Removing `id-token: write` from `test-warehouse.yml`: doesn't work — the called workflow's job still needs to declare permissions it intends to use.

Test plan

  • CI green on this PR (the validation error should disappear)
  • `test-local` jobs run as before; no AWS auth attempted (athena absent from local matrix)
  • `test-cloud` athena entry still mints OIDC token successfully

Made with Cursor

Summary by CodeRabbit

  • Chores
    • CI workflow updated so local test jobs can mint OIDC tokens, aligning local and cloud testing behavior.
    • No user-facing changes — internal infrastructure update to improve test reliability.
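The two workflows the description talks about, reconstructed as an added illustration by the editor rather than the repository's real YAML. The job names (`test`, `test-local`, `test-cloud`), the `warehouse-type` input, the `if: inputs.warehouse-type == 'athena'` gate and the `contents: read` / `id-token: write` keys come from the PR text; the trigger, the runner, the matrix entries other than athena, the checkout/test steps and the AWS action with its inputs are assumed placeholders.

```yaml
# .github/workflows/test-warehouse.yml  (the reusable, "called" workflow)
on:
  workflow_call:
    inputs:
      warehouse-type:
        required: true
        type: string

jobs:
  test:
    runs-on: ubuntu-latest          # assumed runner
    # Job-level permissions of the called workflow. GitHub checks these
    # statically against the calling job's grant, so every caller must
    # grant at least this much, even if the steps that use the token are
    # gated by an `if` that never fires for that caller.
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v4   # assumed step

      # Only the athena entry exchanges the GitHub OIDC token for AWS
      # credentials; every other warehouse type skips this step, so no
      # token is minted for them.
      - name: Configure AWS credentials via OIDC
        if: inputs.warehouse-type == 'athena'
        uses: aws-actions/configure-aws-credentials@v4       # assumed action
        with:
          role-to-assume: arn:aws:iam::123456789012:role/PLACEHOLDER-ci-role  # placeholder
          aws-region: us-east-1                                              # placeholder

      - name: Run warehouse tests
        run: echo "running tests against ${{ inputs.warehouse-type }}"     # placeholder

---
# .github/workflows/test-all-warehouses.yml  (the "calling" workflow)
on: [pull_request]   # assumed trigger

jobs:
  test-local:
    strategy:
      matrix:
        warehouse-type: [postgres, duckdb]   # assumed entries; athena is NOT in the local matrix
    # Before this fix the job granted only `contents: read` (the #996
    # tightening). That is what produced:
    #   The nested job 'test' is requesting 'id-token: write',
    #   but is only allowed 'id-token: none'.
    # Granting id-token: write here satisfies the static bound check; the
    # OIDC step still never runs for local entries, so no token is minted.
    permissions:
      contents: read
      id-token: write
    uses: ./.github/workflows/test-warehouse.yml
    with:
      warehouse-type: ${{ matrix.warehouse-type }}

  test-cloud:
    strategy:
      matrix:
        warehouse-type: [snowflake, athena]   # assumed entries besides athena
    permissions:
      contents: read
      id-token: write
    uses: ./.github/workflows/test-warehouse.yml
    with:
      warehouse-type: ${{ matrix.warehouse-type }}
    secrets: inherit   # assumed; only needed if the called workflow reads secrets
```

Two points worth keeping in mind when reviewing a change like this. The calling job's `permissions` block is an upper bound for the called job, not an addition to it, so the grant has to appear on every caller and cannot exceed what the workflow or repository settings already allow. And `id-token: write` by itself only lets a job request an OIDC token from GitHub; whether that token is accepted by AWS is decided on the cloud side by the role's trust policy on the token's subject claims, which is why a local job that never runs the OIDC step gains nothing from the grant beyond passing validation.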

Contributor

👋 @GuyEshdat
Thank you for raising your pull request.
Please make sure to add tests and document all user-facing changes.
You can do this by editing the docs files in the elementary repository.


coderabbitai Bot commented Apr 30, 2026

No actionable comments were generated in the recent review. 🎉

📝 Walkthrough

The test-local job in .github/workflows/test-all-warehouses.yml now includes id-token: write permission, enabling the workflow to mint OIDC tokens (aligning with the existing test-cloud behavior). No other inputs, matrices, or conditions were changed.

Changes

  • Workflow OIDC Configuration (.github/workflows/test-all-warehouses.yml): Added id-token: write permission to the test-local job to allow OIDC token minting (matches test-cloud).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~5 minutes

Poem

🐰 A tiny key rattles, soft and bright,
Grants a token for tests to take flight,
Local and cloud now twine in the night,
Hops of code in OIDC light.

🚥 Pre-merge checks: ✅ 5 passed

  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title accurately describes the main change: granting id-token: write permission to the test-local job to unblock a workflow validation error.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.


test-warehouse.yml declares id-token: write at the job level (added in
#997 for the athena AWS-OIDC step). Reusable-workflow permissions are
bounded by the calling job, so test-local needs the same grant even
though no local matrix entry actually triggers the OIDC step.

Without this, GitHub rejects the workflow with:

  Error calling workflow '.../test-warehouse.yml@...'.
  The nested job 'test' is requesting 'id-token: write',
  but is only allowed 'id-token: none'.

Made-with: Cursor
@GuyEshdat GuyEshdat force-pushed the core-687-fix-test-local-id-token branch from b650da1 to 26d4781 Compare April 30, 2026 10:00
@elazarlachkar elazarlachkar merged commit 71fb19a into master Apr 30, 2026
22 of 46 checks passed
@elazarlachkar elazarlachkar deleted the core-687-fix-test-local-id-token branch April 30, 2026 11:28
