ci: Restrict `id-token` OIDC permission to release job by qartik · Pull Request #185 · Quantinuum/selene

qartik · 2026-06-23T17:04:24Z

Prevent non-release CI jobs that run checked-out repository build logic from minting GitHub OIDC tokens by removing the workflow-level id-token: write grant.

Remove id-token: write from the workflow-level permissions in .github/workflows/build_wheels.yml while leaving the release job's permissions (which include id-token: write) unchanged so the intended publish path retains OIDC capability.

Automated verification printed and inspected .github/workflows/build_wheels.yml, confirmed a single-line removal of the workflow-level id-token and that the release job still contains id-token: write, and all checks passed.

Restrict OIDC token permission to release job

d050b47

qartik added aardvark codex labels Jun 23, 2026 — with ChatGPT Codex Connector

Merge branch 'main' into codex-propose-fix-for-oidc-token-vulnerability

7a34a2f

qartik changed the title ~~Restrict id-token OIDC permission to release job~~ ci: Restrict id-token OIDC permission to release job Jun 23, 2026

qartik marked this pull request as ready for review June 23, 2026 17:05

qartik requested a review from jake-arkinstall as a code owner June 23, 2026 17:05

jake-arkinstall approved these changes Jun 23, 2026

View reviewed changes

qartik merged commit 7c00342 into main Jun 23, 2026
10 checks passed

qartik deleted the codex-propose-fix-for-oidc-token-vulnerability branch June 23, 2026 17:23

Provide feedback