fix(ci): grant id-token: write to test-local job

GuyEshdat · GuyEshdat · commit b650da1e667e · 2026-04-30T12:57:09.000+03:00
test-warehouse.yml declares id-token: write at the job level (added in #997 for the athena AWS-OIDC step). Reusable-workflow permissions are bounded by the calling job, so test-local needs the same grant even though no local matrix entry actually triggers the OIDC step. Without this, GitHub rejects the workflow with: Error calling workflow '.../test-warehouse.yml@...'. The nested job 'test' is requesting 'id-token: write', but is only allowed 'id-token: none'. Made-with: Cursor
diff --git a/.github/workflows/test-all-warehouses.yml b/.github/workflows/test-all-warehouses.yml
@@ -46,6 +46,11 @@ jobs:
     if: github.event_name != 'pull_request_target'
     permissions:
       contents: read
+      # test-warehouse.yml declares id-token: write at the job level (used only
+      # by the athena matrix entry's AWS OIDC step). Reusable-workflow
+      # permissions are bounded by the calling job, so we must grant it here
+      # too even though no local matrix entry actually mints a token.
+      id-token: write
     strategy:
       fail-fast: false
       matrix:
